Best Practices for Secure Digital Payments

Lance Homer

The world has become increasingly reliant upon e-commerce. E-commerce has disrupted traditional retail business, redefined consumer expectations and enabled products from around the world to be delivered to your doorstep. According to the Kleiner-Perkins Internet Trends Report for 2018, e-commerce sales for the U.S. reached $450 billion in 2017 and grew by about 16%. Despite all this vast growth, e-commerce represents only a fraction of the trillions of digital payments worldwide. Global non-cash payment volumes are expected to reach $726 trillion by 2020. Critical to the continued growth of these transactions are secure digital payments.

With more and more organizations using the cloud to host their applications, the scope of e-commerce and the volume of non-cash payments will continue to increase. The greatest growth will be found in developing countries where wireless communications and mobile devices are reaching even the remotest corners. The success of M-Pesa, Kenya’s revolutionary phone-based money transfer and microfinancing service, is one of the best examples of the way digital payments are transforming the globe.

Prime cyberattack targets

Unfortunately, the benefits afforded by e-commerce and digital payments are accompanied by ever-increasing threats of damaging cyberattacks. The 2018 IBM-sponsored study from the Ponemon Institute, Cost of a Data Breach, summarizes the financial damage resulting from the average data breach:

  • The average cost of a data breach increased from $3.5 million in 2014 to $3.86 million in 2018.
  • The average cost of a mega data breach involving a million records is estimated at $40 million, while the average cost of a mega data breach involving fifty million records is estimated at $350 million.

A recent Business Insider article lists major retailers that have been prime targets of recent breaches. In many instances, the hackers took advantage of flaws in payment systems.

Industry initiatives and government regulations

All parties involved in e-commerce transactions strive for secure digital payments. Their motivation for this is intrinsic: No organization wants to suffer the costs of cleaning up after a cyberattack or the reputational damage such an attack causes. In the battle against cyber threats, organizations like the PCI Security Standards Council and SWIFT have established standards and protocols for consistent and secure processing.

Government regulations, too, provide additional incentives to maintain effective cybersecurity strategies. The EU’s General Data Protection Regulation (GDPR) imposes stiff fines-up to 4% of annual global turnover or €20 million, whichever is greater-for violators who fail to protect the personal data of EU citizens. The EU has also implemented a second Payment Services Directive (PSD2), which is intended to strengthen customer authentication and simultaneously create a level playing field for payment services providers.

Despite all of these initiatives and government regulations, the growing technical complexity-multiple cloud providers, network carriers, mobile applications, data sources and devices-makes it increasingly difficult to secure data and transactions.

Cybersecurity spending on the increase

Organizations are taking a multipronged approach to the issue of data security by investing in identity access, infrastructure protection, network security and consumer security software. However, the foundation of cybersecurity is encryption of data at rest and data in motion. Data going into the cloud should be encrypted or tokenized as a matter of best practices, as well to be in compliance with an increasingly complex set of standards for personally identifiable information (PII) and payment card data. The vast number of devices, cloud providers, connections and payment environments presents significant challenges in establishing and maintaining security throughout the payment process.

Hardware Security Modules in today’s cloud environment

Hardware security modules (HSM) have been the tried-and-true method of managing the encryption keys critical to securing payment information. Payment companies traditionally have purchased HSMs and deployed them on-premises. Some cloud providers have implemented cloud-based HSMs. Each of these solutions has some challenges in today’s world of multicloud environments and global footprints, including the following:

  • The cost and logistics of buying traditional HSMs can be prohibitive to the deployment of new products or in new markets ahead of a revenue stream for them.
  • Cloud-based HSMs were originally designed for general-purpose use without necessary features for securing digital payments such as PIN encryption.

HSM as a Service

A new and innovative approach to managing encryption and tokenization of data is HSM as a Service, which provides HSM-grade security without the need for hardware. HSM as a Service is ideal for the multicloud e-commerce and payment environments of today. It incorporates capabilities, features and functions designed specifically to address the needs of secure, high-volume, real-time digital payments in cloud environments. HSM as a Service addresses these needs in the following ways:

Designed for multicloud environments

  • As a cloud-neutral service, it is quickly implemented and scales to meet the dynamic and cyclic payment processing demands across leading cloud environments such as AWS, Azure, Google, IBM and Oracle.
  • Supports Bring Your Own Key (BYOK) so the same key can be used across multiple clouds, ensuring only authorized users can access encrypted keys.
  • Available globally and can be co-located with other services for minimum latency and for storage of keys proximate to data across multiple cloud providers.
  • Provides options for alternative connectivity paths to ensure high availability of encryption key management services.

Highest level of data security

  • Built to ensure key material is never available in plaintext to any software component.
  • Provides complete data tokenization control in support of real-time payment platforms, with no need for third-party services that are vulnerable to account information breaches.
  • Cloud-friendly APIs to develop new applications with secure handshaking, passing tokenized data to gain secure access in compliance with data sharing regulations such as PSD2.
  • Keys that encrypt traffic between devices are never exposed in plaintext on the system memory bus or on any other physical interface.
  • Keys are maintained separately from encrypted data to provide the highest possible level of data security.

Optimum performance

  • Encryption keys can be located at the digital edge, close to the cloud, network providers, retailers and payment services to guarantee the fastest, most secure and lowest-latency interconnections.
  • Supports data sovereignty as required by GDPR, securely and optimally maintaining encryption keys and encrypted data in the country where data is collected or created.

HSM as a Service is the ideal means of managing encryption keys and providing tokenization in complex environments that support e-commerce and secure digital payments. Cloud-neutrality, on-demand scalability and co-location at the edge where e-commerce, population centers and digital ecosystems meet help organizations simplify encryption key management without sacrificing security.

HSM as a Service can securely generate, store and use cryptographic keys and tokens vital to secure digital payments. While encryption key management in multicloud environment can be complicated, HSM as a Service combines simplicity and robust protection to ensure secure digital payments.

For more insights on payment trends, follow Lance Homer on Twitter



Lance Homer
Lance Homer Global Head of Strategy for Electronic Payments