Information security is absolutely paramount in today’s digital world, particularly in the payments industry. Jack Tsigankov, Director of IT and Information Security at Payrix and 17-year industry veteran, recently shared some of his wisdom on the subject as a guest on the PayFAQ Embedded Payments podcast. Here are a few highlights you don’t want to miss.
In the payments world, information security revolves around safeguarding sensitive data from unauthorized access, unauthorized disclosure, and any alteration or destruction. As Tsigankov says, “It’s not only customer data. It also holds your company’s trust and credibility. Any breach or compromise could have far-reaching consequences.”
Financial loss is a big consequence of not making information security a priority. Tsigankov sites the IBM Data Breach Report that finds the average cost of a data breach reached an all-time high in 2022, rising to around $4.3 million. Twenty percent of those breaches were due to compromised credentials. The average cost for those breaches were even higher at around $4.5 million each.
How to prevent costly data breaches
It’s crucial for software platforms with embedded payments to implement a multi-layered security approach that involves constant risk assessment, threat mitigation, and compliance with industry standards and regulations. After all, you don’t need to only protect payments, information security will help protect your entire business.
Your success relies on having a robust information security policy in place. To give you an idea of what that looks like, Tsigankov recommends the following:
1) For starters, you have to have a clear understanding of your organizational assets and the data that needs protecting. Outline roles and responsibilities to define security measures and controls and provide guidelines for incident response.
2) Conduct regular training and awareness programs to keep employees informed and prepared, including active daily training on cybersecurity threats.
3) Control and monitor access for all users and regularly review permission levels.
4) Use strong password management tools, like LastPass or 1Password.
5) Try to keep all systems up to date and configure automated updates, including using tools like BigFix and Automock to automatically push updates to end-user machines.
6) Establish a strong cybersecurity policy tailored to departmental needs.
7) Utilize firewalls, antivirus protection, and Wi-Fi network security tools.
8) Avoid online use of your debit cards and secure your cell carrier’s SIM cards with PIN codes. It will help to avoid issues if the device is stolen or someone tries to take over your account.
9) Be cautious of unfamiliar websites and unloads.
10) Backup and protect your data with encryption and masking and control access to your systems. (See #3)
11) Consider perimeter security and restricting access to IoT devices, such as TVs, consoles, or displays.
12) Conduct regular security audits and penetration testing. Hire an external team to test your environment and uncover vulnerabilities.
Bottom line: Follow industry best practices
Frameworks like PCI DSS (payment card industry standards) or NIST (National Institutes of Standards and Technology) offer software companies a ready-made guide for developing their information security policies. If you go that route, Tsigankov says to choose one framework and try to implement all of its best practices in your ecosystem in your environment. By sticking to those best practices, you shouldn’t have any data breaches or vulnerabilities in the future.
But security protocols aren’t a one-time exercise. Ongoing vigilance is paramount to keeping your software secure.
For more insights from Tsigankov about information security and embedded payments, listen to the podcast here.
