I admit I can be a little bit paranoid.
I know you feel the same way too. Because when it comes to trusting a 3rd party with your bank card details, one can’t be too careful, right? What could possibly go wrong? Well, there’s a real risk that your card details could fall into the wrong hands (hackers). This unfortunately implies that your money might go missing. Or worse, lead to a case of identity theft.
This means seemingly mundane events where I have to use my card, e.g. shopping online for new trainers or going into a restaurant in Lekki, make me super apprehensive! Some of the usual questions that run through my head are: How secure is this store or website? Are my card details going to be compromised? Is this transaction vulnerable to hackers?
And just to be clear, this is not an attempt to disparage any one particular retailer or payment processor simply because it’s Nigerian owned. For instance, I was in Cornwall last weekend and picked a few items in a store, I got to the checkout to pay and the nice store attendant said to me ‘our POS machine is broken; let me take down the 16 digits details of your card and we will charge it for you’. You should have seen the absolute look of horror on my face! Trembling, I said ‘no thanks…Let me see if I have enough to pay by cash’. So payments security can be shambolic anywhere and it’s not specific to any region.
Hence I think about this particular writeup, in sort of an enlightened self interest type of way – let me help you, to protect you, to protect me. So here’s my free advice on how to think about security and paranoia as Nigeria continues to make great strides in FinTech;
Limitations of PCI Certification
We love certifications. They give us that warm fuzzy feeling that everything is fine and dandy. And when it comes to payments security, there’s probably nothing more comforting than a firm announcing to the world (I’ve heard we pop champagne as well) that they’ve just achieved PCI DSS1 or PA DSS2 or P2PE compliance, etc. To the firm (and the public) it always seems a case of the more acronyms, the better the security! Of course, Payment Card Industry (PCI) compliance is meaningful, as it sets an acceptable standard for securing and transferring sensitive data, e.g. it mandates protocols such as SSL and HTTPS that are compulsory for compliance.
But there’s a catch: PCI certification is not the be-all and end-all of security. It’s supposed to be a beginning. In my opinion, there are two simple ways to think of the limitations of PCI compliance: the areas it covers but where there is a gap in expertise, and the areas it covers but where meaningful real-world adherence is low.
The first limitation is that it delegates responsibility in some cases to parties that are unable or incapable (due to lack of expertise) of delivering. For instance, if you look at the PA-DSS guideline for protecting cardholder data held in memory and protecting compiled code, it falls under the user’s (merchant’s) responsibility. This means that attaining PA-DSS status does not require application developers (startups) to encrypt sensitive data in memory or conceal their compiled code. Instead it’s the responsibility of the merchant (e.g. your supermarket) to implement compensating controls such as firewalls and file integrity monitoring. So if I walk into a store to purchase a product, my security also depends on how well they know these things. Which I doubt is a lot.
The second limitation is that the PCI-DSS and PA-DSS standards prohibit certain actions, whereas in the real world those prohibitions are hard to enforce. As an example, they clearly don’t allow full track data to be stored, as the requirement quoted below notes.
Sensitive authentication data must not be stored after authorization (even if encrypted)
The point worth stressing is that ‘after authorization’ are the key words in this sentence. For instance, when applied to fallback processing (e.g. when the network is down) this requirement means that track data can be stored (e.g. for Store & Forward or Timeout Reversal), and in reality almost all payment applications do so. There are serious issues with reconciliation and chargebacks too, because they require the full Primary Account Number (PAN) to be re-sent to the host, which means that very sensitive data can be archived for minutes, hours or even several days.
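As an added example (not from the original post), here is how a store-and-forward fallback queue can honour the ‘after authorization’ boundary: track data and CVV2 are kept only while the host is unreachable, are purged the moment an authorization arrives, and a cap bounds how long unauthorized entries may wait rather than archiving them for days. The Txn/FallbackQueue names, the 4111… test PAN and the track data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows in the clear."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Txn:
    txn_id: str
    amount_kobo: int
    pan: str                  # full PAN, needed on the wire to the host
    track2: Optional[str]     # sensitive authentication data (SAD)
    cvv2: Optional[str]       # SAD
    queued_at: float          # epoch seconds when it entered fallback

class FallbackQueue:
    """Store-and-forward queue used while the host link is down (constructed example)."""
    def __init__(self, max_pending_seconds: float = 3600.0) -> None:
        self.max_pending_seconds = max_pending_seconds
        self.pending: Dict[str, Txn] = {}
        self.settled: List[dict] = []

    def enqueue(self, txn: Txn) -> None:
        # Before authorization SAD may be retained so the host can be retried.
        self.pending[txn.txn_id] = txn

    def on_host_response(self, txn_id: str, auth_code: str) -> dict:
        """Authorization arrived: purge SAD and keep only what reconciliation needs."""
        txn = self.pending.pop(txn_id)
        record = {"txn_id": txn.txn_id, "amount_kobo": txn.amount_kobo,
                  "pan_masked": mask_pan(txn.pan), "auth_code": auth_code}
        # Also scrub the object itself so a lingering reference carries no SAD.
        txn.track2 = txn.cvv2 = None
        txn.pan = record["pan_masked"]
        self.settled.append(record)
        return record

    def expire_stale(self, now: float) -> List[str]:
        """Bound the 'minutes, hours or days' window: drop unauthorized entries
        that have waited too long instead of keeping their SAD indefinitely."""
        stale = [t for t, x in self.pending.items()
                 if now - x.queued_at > self.max_pending_seconds]
        for t in stale:
            x = self.pending.pop(t)
            x.track2 = x.cvv2 = None
        return stale
```

Expired entries would be voided or re-keyed at the terminal in a real deployment; the point shown is that no path leaves track data or CVV2 resident once the transaction is authorized or abandoned.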
What to do?
For your firm/startup, don’t take PCI certification to mean there are no longer security issues to be addressed. Also invest time and energy in educating your end users, e.g. if you hold PA-DSS you’re likely a software vendor who sells to multiple customers, and you need to educate each of those customers.
(Note: a third obvious limitation of PCI is the areas it simply doesn’t cover. This is beyond the scope of this post.)
Attractiveness as a target
Let’s start with the facts: no platform is 100% secure! None. So the bad guys are spoilt for choice and usually head to where the payouts are ridiculously large. There are too many examples to cite, but the recent cases of $50m worth of Ether in the DAO case and $81m stolen from Bangladesh Central Bank come to mind. Even the SWIFT network, also known as the ‘Rolls-Royce of payments networks’ because of its super-secure system, which banks all around the world use to authorize payments from one account to another, has been compromised on numerous occasions.
Herein lies the conundrum: the bigger and more powerful a platform becomes, the more vulnerable to attacks it becomes. For us in Nigeria, we’re not yet at the scale that makes us that attractive. This is both a good and a bad thing, because it means we perhaps have time to put our house in order before the day of reckoning.
But one more thing worth pointing out is that you also have internal factors to consider in respect of vulnerability to attacks. These do not depend on scale.
What to do?
Recognize the attendant problems scale brings to your doorstep. To paraphrase a wise man, it’s a case of more money, more problems. So it’s time to prepare by reviewing processes and diligently looking for loopholes. You definitely have those in your firm.
A call for Self Reporting and Collaboration
Finally, we need to improve our self-reporting. There’s a need for collaboration when our systems get hacked or compromised, to share ideas and expertise on how best to protect ourselves against future occurrences. It’s the norm in other parts of the world to do so (although it’s sometimes done reluctantly), which is why we get to hear about attacks and have so many case studies on how to prevent them.
Even the bad guys collaborate! The infamous JP Morgan 2014 hack that saw over 100 million accounts hacked was one great work of collaboration. There’s a lot to learn from that aspect.
So there you have it all, folks! Please let’s work together to keep each other safe. Now where did I leave my card again…
This article was first published on Ade Olabode’s blog.
1. PCI DSS: Payment Card Industry Data Security Standard
2. PA DSS: Payment Application Data Security Standard
Chief Servant. I bully myself because I make me do what I put my mind to.