Financial institutions are influenced by a large number of regulators and their regulations. Also, banks and credit institutions must remain profitable and competitive. All this provokes an active update of the existing software. Legacy application modernization should be implemented both at the level of internal processes and for widespread use by the target audience.
Information security policies of companies
New market requirements reflect the trend towards strengthening regulation of information security and ensuring real security of financial institutions instead of formalism. For example, banks have the authority to promptly suspend suspicious transfers and temporarily block electronic means of payment if they are suspected of being compromised for a period of time until the circumstances are clarified. Grounds for suspicion:
• Coincidence of payment parameters with the database of fraudulent devices or accounts;
• Abnormal payment parameters, for example, amount and frequency;
• Unusual place of payment, etc.
The bank informs the client, asks for confirmation to resume making payments and, accordingly, either blocks or resumes the payment, makes recommendations to reduce the risk of similar situations.
PCI DSS
It is the international regulatory body for the security standards of the payment card industry. It contains several main sections for checking the security of systems:
- Protection of the computer network.
- Two-factor user authentication.
- Antivirus packages with regular updates.
- Configuration of information infrastructure components.
- Physical protection of information infrastructure.
- Control of the security of information infrastructure.
NFC contactless payments
The market is fluid, technologies are constantly transforming towards improving user experience. For example, contactless payment technologies (NFC) have developed rapidly, which carry new risks. The corresponding set of standards is regularly updated and revised. A complete set of PCI SSC standards covers all processes related to payment cards and payments – from the production of software and hardware, to ensuring the protection of transactions of the merchant.
3D secure
Separately, it is worth noting the 3DS security standard. It defines mechanisms for authentication of payment participants, security and protection against fraudulent transactions in the absence of a requirement for physical presentation of the card (Card-Not-Present, CNP), in particular, for payments on the Internet.
The standard adds an additional authentication step to CVV through a one-time confirmation code provided by the bank to the card user in an SMS message, Push notification or other method.
PSD2
The Payment Directive affects the implementation of online payments and, more importantly, the security of such payments. The aim of the new directive is to create an open banking system, creating a level playing field for all market players, large and small, and to make payments more secure by improving customer protection. The directive aims to reduce the likelihood of fraudulent electronic transactions.
PSD2, first of all, standardized the API for transferring data between banks and the payment system when a client makes an online payment, and, accordingly, between the organization of the payment and the target bank-client. The directive introduced security requirements: encryption of communications from / to the organization that initiated the payment, limiting the available fields of the payment data request.