
In 44% of the incident response requests Kaspersky handled, the attack was detected at an early stage, sparing the client potentially severe consequences. This is among the main findings of Kaspersky's latest Incident Response Analytics Report.

It is often assumed that incident response is only needed once damage from a cyberattack has already occurred and a further investigation is required. However, analysis of the incident response cases in which Kaspersky security specialists participated during 2018 shows that the service is not only an investigative tool, but also a way of catching an attack at an earlier stage, before damage is done.

In 2018, 22% of IR cases were initiated after potential malicious activity was detected in the network, and a further 22% after a malicious file was found in the network. Even without other signs of a breach, both findings may indicate an ongoing attack. However, not every corporate security team can tell whether automated security tools have already detected and stopped the malicious activity, or whether it was the beginning of a larger, still invisible operation in the network that calls for external specialists. When that assessment is wrong, the malicious activity develops into a serious cyberattack with real consequences. In 2018, 26% of the investigated "late" cases were caused by infection with encryption malware (ransomware), and 11% of attacks resulted in monetary theft. A further 19% of "late" cases were prompted by the detection of spam sent from a corporate email account, of service unavailability, or of a successful breach.

“This situation indicates that in many companies there is certainly room for improvement of detection methods and incident response procedures. The earlier an organisation catches an attack, the smaller the consequences will be. But based on our experience, companies often do not pay proper attention to artifacts of serious attacks, and our incident response team is often called when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more severe incidents. We call on other organisations to consider this as a successful case study,” said Ayman Shaaban, security expert at Kaspersky.

Additional findings of the report include:

To effectively respond to incidents, Kaspersky recommends:

But as the digital payments ecosystem continues to expand, it is becoming increasingly apparent that ‘payment tokenization’ solutions, such as network tokenization, can address the urgent need for increased security and reduced complexity, while promoting enhanced consumer experiences. Here Andre Stoorvogel, Director of Product Marketing at Rambus Payments, explains for Finance Monthly.

A short history of tokenization in the payments industry

Tokenization solutions can be broadly divided into two categories: security tokenization and payment tokenization.

Security tokenization (also known as acquirer tokenization or non-payment tokenization) approaches have traditionally been used to protect cardholder data and personally identifiable information (PII) stored in merchant databases. Merchants store that data to enable popular consumer payment methods such as recurring billing and one-click ordering.

PCI tokens are security tokens generated in line with the PCI Security Standards Council's tokenization guidelines, so that a merchant holding only tokens rather than PANs can reduce the scope of its PCI DSS assessment.

The publication of EMVCo’s EMV Payment Tokenization Specification – Technical Framework in 2014 marked the introduction of ‘payment tokenization’ to the ecosystem, and was followed by an update in 2017. The aim? To enhance the underlying security of digital payments by replacing primary account numbers (PANs) with unique EMV payment tokens. Network tokenization is a type of payment tokenization in which the payment network plays the role of the token service provider (TSP): it generates the tokens and holds the token-to-PAN mapping in its token vault.

Although EMV payment tokenization found immediate success in securing in-store mobile contactless payments, Consult Hyperion predicts that it is online payments that will deliver ‘the real volume’. The question is, what differentiates network tokenization from security tokenization?

Delivering end-to-end security 

Proprietary security tokens are designed to protect sensitive information when it is ‘at rest’ within a merchant’s database after a transaction has been completed, reducing the risk and impact of a data breach.

The problem is, sensitive data is vulnerable throughout the entire payment processing chain. Not just at rest.

Neither proprietary nor PCI tokens protect consumer data while it is in transit or in use, leaving openings for fraudsters to hijack the data through phishing attacks, malware and more. The rapid growth in card-not-present (CNP) fraud, despite ever-increasing investment in fraud protection, demonstrates that a more fundamental, holistic approach to payment security is needed.

Below are three ways in which network tokenization can help meet those needs:

1. Securing data in transit

The main benefit of network tokenization is that card details are protected throughout the entire transaction lifecycle: the merchant, gateway and acquirer only ever handle the token, and the PAN is restored by the token service provider only when the transaction is forwarded to the issuer for authorization.

2. Domain controls

Network tokens can be restricted in their usage, for example, to a specific device, merchant, transaction type or channel. With the proliferation of new payment methods, such as online, IoT and voice, the ability to limit and control how network tokens can be used is key to preventing cross-channel fraud.

3. Reducing false declines

Since network tokenization protects card details throughout the entire transaction lifecycle, issuers treat network-tokenized payments as inherently more secure than payments made with non-network tokens or raw PANs. This can deliver numerous benefits downstream and address key pain points for merchants, by limiting fraud prevention spend, increasing approval rates and reducing false declines.

This trio of benefits is not the whole story, however… there’s more.

4. Bridging the interoperability gap

As well as escalating security challenges, merchants must also deal with spiralling complexity.

Security tokens are limited to specific relationships, such as between a single acquirer and merchant. As the digital payments ecosystem expands, the burden of managing different proprietary tokens from multiple acquirers, payment service providers (PSPs) and gateways will become increasingly challenging.

The good news is that network tokens are globally interoperable across multiple acquirers and gateways. With the growth of omnichannel retail, consistency across different acceptance environments is a significant value-add.

We must also consider the backend impact. Security tokens are not formatted as routable PANs, so cannot be accepted as a like-for-like ‘replacement’. Network tokens are in the same format as a regular PAN, so can be accepted and routed along the normal payment rails without impacting the existing merchant systems.

5. Enabling value-added services

Hampered innovation is one of the hidden costs of fraud. Merchants want to spend their time, effort and resource on better consumer experiences, not tackling fraud.

It is true that security tokens can be effective in specific scenarios. Network tokenization offers more than just security, however, and can also be utilized to enhance the buying experience.

Digital card art to increase brand recognition, the ability to instantly refresh card details, and push provisioning that lets consumers keep track of where and when their payment credentials are being used: all of these features complement the security proposition to increase convenience and reduce friction.

Network tokenization versus security tokenization?

Although often referenced interchangeably, it is apparent that security tokenization and payment tokenization solutions (such as network tokenization) are very different propositions. Both are effective solutions for their defined purposes, but we should look to network tokenization as a foundational technology enabling secure, simple digital commerce through end-to-end security, global interoperability across different acceptance environments and value-added services.

You visit your local bank branch’s ATM to withdraw cash or to print out a mini statement and you are met with a message informing you that the ATM is out of service. That is frustrating at any time, but can be especially aggravating when there is no other cash machine available nearby. On the theme of banking resilience, here Alan Stewart-Brown, VP EMEA at Opengear, discusses with Finance Monthly the network issues banks are currently dealing with.

For retail banks, the issues and challenges presented by ATM network downtime are likely to be high on the agenda. Financial institutions are reliant upon a resilient network to ensure unique compliance requirements are met, address customer needs and adapt to evolving industry trends. ATM resilience is an important element of this.

Many banks have extensive ATM networks across the UK and often further afield. They may have an ATM in every town or city across the country, and in some places, they may be running multiple ATMs. They are likely also to have machines in many other more remote sites. If they have network issues or outages, a large number of ATMs could suddenly be out of commission and that presents a huge range of issues and challenges to the bank.

Whenever ATMs go down, it will inevitably result in a loss of revenue and customers for the bank, as they switch to other providers. It is likely to also have a negative impact on a bank’s reputation and brand image. Less well understood, but equally important, it presents a security issue, as the engineer will have to open the ATM up while on site.

In the past, when an ATM went down, an engineer would be scheduled. Depending on availability, how remote the ATM was geographically and the severity of the problem, that could mean hours or even days of downtime.

Even when the engineer arrived on site after a potentially long journey, fixing the problem might not necessarily be straightforward. The ATM may be owned by a third party organisation, not necessarily the bank itself. It may therefore be difficult to access because it is located in a building or facility belonging to another organisation and/or because the engineer’s visit happens out of normal working hours.

Finding a Solution

Banks with ATM networks need something that allows them to get these remote units fixed without having to waste engineering time travelling to the site and dealing with the security issues of opening the box up and the logistical issues that may be involved in gaining access to the ATM itself. They need a solution that can give them remote access when the network is up and running and also when it is down. And they need one that can allow them to power cycle the equipment within the ATM when the router hangs - a common problem in these environments.

These networks also need a solution that is vendor neutral both in the equipment it connects to and in the power equipment it can manage. An out-of-band management unit can be added to each ATM to reduce downtime to just a few minutes and bring the machines back up very quickly. It also negates the need for someone to physically go to the site, and most importantly removes the need to open the ATM enclosure on site, with the security exposure that entails.

Keeping Branches Up and Running

ATM failures are of course one key aspect of a broader requirement facing banks to keep their retail branches up and running at all times. At Opengear, we are seeing a growing demand for solutions that deliver network resilience from core to edge in financial networks. One of the top performing banks in the US recently needed an out-of-band solution for its multiple locations across the country. With the challenge it faced highlighted by a recent outage at a remote location, the bank wanted to reduce the burden of travelling to geographically-distributed sites, decrease downtime and ensure compliance requirements were met. It chose to deploy ACM7000 Resilience Gateways from Opengear at each branch location, paired with the Lighthouse Central Management System (CMS), also from Opengear.

Failover to Cellular (F2C) and Smart Out-of-Band (OOB) technology ensure security requirements are met while also providing access to infrastructure during a disruption, with an alternate path to the primary network using 4G LTE. In addition, the bank is able to deploy and provision new sites remotely. It is a great example of the benefits of resilient access to networks in financial services when an outage occurs.

In summary, outages are bad news for banks and other financial institutions. ATM outages are arguably especially bad because they are particularly visible to customers; cause immediate loss of revenue and customer churn; as well as negatively impacting reputation and presenting a security risk. But they are inevitable because of human error, cyberattack, and the ever-increasing complexity of network devices, modern software stacks, and hardware devices. To keep consumers happy and the institution’s reputation intact, financial services must be prepared for outages. Smart OOB with Failover to Cellular can keep services running even when part of the network is down.

We are seeing an unprecedented shift in consumer spending habits. But this rapid growth is introducing new challenges. Fraud is rising, yet merchants are under pressure to deliver the seamless payment experiences that consumers increasingly demand.

Network tokenization is one of many technologies that online merchants are turning to in a bid to strike the right balance between high security and a frictionless buying experience.

But according to Andre Stoorvogel, Director of Product Marketing at Rambus Payments, we should not think of network tokenization as an optional add-on. Rather, it is a foundational technology enabling secure, simple digital commerce.

What is network tokenization?

With network tokenization, the payment networks replace a primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel.

The question is, how is network tokenization different to existing third-party proprietary tokens?

The main (and crucial) difference is that network tokenization ensures that card details are protected throughout the entire transaction lifecycle. Non-network tokens don’t offer this end-to-end security, introducing weaknesses at various points for fraudsters to exploit.

Network tokenization also introduces improved credential lifecycle management to keep card details current, whereas proprietary tokens do not always have issuer permission to access and manage the underlying account data.

Finally, network tokenization opens opportunities for new, enhanced buying experiences across existing and emerging channels.

What are the benefits of network tokenization for online commerce?

To fully appreciate the unique value that network tokens bring to the payments ecosystem, we need to understand how they can address the key pain points for e-commerce merchants.

We can’t get away from it. Online commerce has a fraud problem.

E-commerce fraud is growing twice as fast as e-commerce sales, with retailers set to lose $130 billion between 2018 and 2023.

We should not be surprised that one in two US merchants see fraud prevention as ‘an increasingly challenging task’. They are already spending $3.48 to combat every dollar of fraud (and this is set to rise with the global cost of fraud prevention increasing by 4% year-on-year).

And yet, the fraud rates keep on climbing. In a hyper-competitive industry where every cent counts, blindly throwing money at a problem is not a sustainable strategy.

The end-to-end security proposition of network tokenization significantly reduces the risk, and mitigates the impact, of malware, phishing attacks and data breaches. Put simply, tokenized card data is of little use if stolen: a token lifted from one merchant's database cannot be replayed at another merchant or through another channel, and for this reason network tokenization should be the foundation on which a layered fraud management approach is built.

Given the scale of the fraud challenge, merchants and issuers are understandably adopting a cautious approach. Transaction approval rates for digital transactions stand at around 85%, compared to 97% for in-store transactions.

This leads to a high prevalence of ‘false declines’, where a valid transaction from an authorized cardholder is rejected by the merchant. Often the cause is something simple, such as an outdated billing address, but the results can be incredibly damaging.

Globally, false declines cost merchants $331 billion. 66% of consumers stop shopping with a retailer after a false decline. Unnecessary declines outstrip actual fraud 13 times over. Most tellingly, US e-commerce merchants are losing a total of $8.6 billion to declines, compared to the $6.5 billion of fraud they are actually preventing.

Network tokens can increase approval rates to reduce instances of false declines. This is because card details are automatically updated and refreshed, making it less likely for an erroneous data point to raise a red flag. Also, tokenized transactions are inherently more secure so less likely to be viewed as risky.

Despite the huge challenges posed by rising fraud, it is telling that 91% of merchants identify ‘minimizing the amount of friction introduced into the user experience’ as the main priority when evaluating their approach to securing payments.

Introducing additional friction into the checkout process, then, is a no-go. But as network tokenization reduces the value of the underlying sensitive data, it adds an invisible layer of security.

We must also remember that merchants want to focus on payment innovation, not fraud prevention. Network tokenization is more than just a security play, and can be used to enhance the buying experience.

For example, it enables consumers to see a fully branded card when checking out, rather than a mish-mash of starred credentials and the final four digits. This boosts recognition, familiarity and engagement.

It also enables payment details to be instantly refreshed when a card is lost, stolen or expires. Better still, it can enable consumers to keep track of where and when their payment credentials are being used. For example, card details could easily be push provisioned to merchant apps.
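To make the mechanics concrete, here is an added illustration (not Rambus, EMVCo or any payment network's code) of three properties discussed on this page: a token that is in routable PAN format, domain controls that bind it to one merchant and channel (items 2 and 4 of the earlier piece), and the credential refresh described here, where the token service provider re-points its token-to-PAN mapping after a card is reissued while the merchant's stored token stays unchanged. The token BIN 999999, the merchant and channel names and the card numbers are constructed test values.

```python
"""Toy token service provider (TSP): format-preserving, domain-restricted
tokens decoupled from the underlying PAN.

Added illustration for this article; not Rambus, EMVCo or any payment
network's code. TOKEN_BIN, merchant/channel identifiers and card numbers
are constructed test values.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

TOKEN_BIN = "999999"  # assumed token BIN range; real TSPs use BINs reserved for tokens


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: true for a well-formed PAN or payment token."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """The single digit that makes body + digit pass luhn_valid()."""
    for digit in "0123456789":
        if luhn_valid(body + digit):
            return digit
    raise AssertionError("unreachable: exactly one digit always works")


@dataclass(frozen=True)
class Domain:
    """Usage restrictions bound to a token when it is provisioned."""
    merchant_id: str
    channel: str  # e.g. "ecom", "in_app", "pos"


@dataclass
class VaultEntry:
    pan: str
    domain: Domain
    active: bool = True


class TokenServiceProvider:
    """Holds the token-to-PAN mapping (the token vault) and enforces domain controls."""

    def __init__(self) -> None:
        self._vault: dict[str, VaultEntry] = {}

    def provision(self, pan: str, domain: Domain) -> str:
        """Issue a 16-digit, Luhn-valid token for pan, bound to domain."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._vault:            # avoid a (vanishingly unlikely) collision
                break
        self._vault[token] = VaultEntry(pan=pan, domain=domain)
        return token

    def authorize(self, token: str, merchant_id: str, channel: str) -> tuple[bool, str]:
        """Detokenize at authorization time: (ok, pan_or_reason).
        Only the TSP ever sees the PAN; merchant, gateway and acquirer handle the token."""
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        if not entry.active:
            return False, "token suspended"
        if entry.domain != Domain(merchant_id, channel):
            return False, "domain restriction violated"
        return True, entry.pan

    def suspend(self, token: str) -> None:
        self._vault[token].active = False

    def replace_pan(self, old_pan: str, new_pan: str) -> int:
        """Card reissued (lost/stolen/expired): re-point the mapping, tokens stay the same.
        Returns the number of tokens updated; merchants need not change anything."""
        if not luhn_valid(new_pan):
            raise ValueError("replacement PAN fails Luhn check")
        count = 0
        for entry in self._vault.values():
            if entry.pan == old_pan:
                entry.pan = new_pan
                count += 1
        return count


def walkthrough() -> dict:
    """Run the scenarios from the article and return the outcomes."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"                                   # constructed test PAN
    tok = tsp.provision(pan, Domain("merchant-A", "ecom"))
    out = {"routable_format": len(tok) == 16 and luhn_valid(tok) and tok.startswith(TOKEN_BIN)}
    out["legit"] = tsp.authorize(tok, "merchant-A", "ecom")
    out["stolen_token_other_merchant"] = tsp.authorize(tok, "merchant-B", "ecom")  # leaked card-on-file token replayed elsewhere
    out["cross_channel"] = tsp.authorize(tok, "merchant-A", "pos")
    tsp.replace_pan(pan, "5555555555554444")                   # issuer reissues the card
    out["after_reissue"] = tsp.authorize(tok, "merchant-A", "ecom")   # same token, new PAN
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

The point of `authorize()` rejecting the second merchant and the second channel is the "useless if stolen" property: a token copied out of merchant A's database carries no value at merchant B or at a point of sale, unlike a PAN or a proprietary security token. The point of `replace_pan()` is the lifecycle property: the merchant's stored token keeps working after reissue, which is why tokenized card-on-file transactions see fewer declines for stale credentials.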

What is the industry roadmap for network tokenization?

Given the clear benefits, we are already seeing strong momentum for network tokenization for card-on-file transactions. And with EMV Secure Remote Commerce poised to debut in 2019, we can expect to see network tokenization extend to ‘guest checkout’ experiences.

There are options available for merchants and payment service providers (PSPs) looking to implement network tokenization solutions. For those with significant strategic resource, time and technical capacity, direct integration with the payment systems is an option.

Alternatively, for those looking to move quickly, qualified technology partners offer a fast-track to the immediate benefits of network tokenization (without the potential integration headaches).

From democratising data to driving value, blockchain has a lot of potential to improve on some of the credit industry’s greatest challenges. Here Alexander Dunaev, Co-Founder and COO at ID Finance, delves into how blockchain could disrupt credit agencies all over the world by providing a solution to address the broken and archaic data practices at the credit bureaus.

Blockchain is driving a paradigm shift in how we deal with data, rewriting the rulebook around approaches to data management, transparency and ownership. While digital finance is cutting the cost of serving the underbanked to drive financial inclusion, blockchain could offer a way of widening access to even greater numbers of consumers excluded from mainstream financial services.

Within lending, where we see blockchain having the biggest impact is on transforming the credit bureaus. The technology offers a much-needed solution to address the inefficiencies associated with data security, ID verification and data ownership.

Credit bureaus are not infallible

Although a number of new ways are emerging to determine loan eligibility, the largest banks and financial services providers still rely heavily on an individual’s credit history, sourced from credit agencies such as Equifax, Experian and TransUnion, and the corresponding FICO score. Indeed 90 per cent of the largest US lending institutions use FICO scores.

The way in which credit histories are stored and accessed by corporates has historically made a great deal of sense and offered a multitude of benefits. It regulates how the data is stored, audited and accessed, and the government seal of approval provides the necessary level of trust among consumers and contributors (i.e. the banks).

The severity of the recent Equifax data breach however – described by US Senator Richard Blumenthal as ‘a historic data disaster’ – in which personal records for roughly half the US population were compromised, exposed a number of critical flaws and vulnerabilities. Experian also suffered a breach in 2015, which affected more than 15 million customers.

In spite of the supposedly robust data storage safeguards, the hacks highlight that these databases are simply not safe enough and are certainly not immune from intrusion.

With first-hand experience of dealing with multiple credit agencies across the seven markets ID Finance operates in, I believe there are three key ways blockchain could address the inefficiencies associated with having a centralised credit system:

1) Reducing the costs and complexities associated with data verification:

Achieving a comprehensive view of a borrower’s financial discipline and credit capability requires extensive verification and evaluation throughout the lending process. This is both time consuming and costly particularly when multiple credit bureaus exist in a country.

As data isn’t shared among the credit agencies, each will inevitably hold a varying report of an individual’s credit history meaning we need to engage with all of the providers to gain a consolidated view of a borrower’s financial health.

The combined revenue of Experian, Equifax, TransUnion and FICO in 2016 was c. $15bn. These are fees paid mostly by the banks to access the credit histories needed to carry out their day-to-day lending activities. In the most simplistic sense this is $15bn of fees and interest charges passed on to, and overpaid by, the end user – via higher lending APRs – for the privilege of having access to credit.

At the same time the regulatory compliance surrounding the storage and distribution of credit histories creates high barriers to entry making the market oligopolistic and hence less competitive. It is hampering the ways and locations in which businesses can lend.

In short, we have a process whereby consumers are paying the steep price of having a centralised credit history facility, which isn’t immune to data breaches, while frequently creating hurdles for financial services firms to actually access the data. This process is broken and out-dated.

2) Blockchain as a key value driver in lending:

Blockchain – a tamper-evident ledger replicated across multiple computers, with data integrity maintained by the technological design rather than by an arbitrary administrative authority – has the potential to address the broken and archaic data practices at the credit agencies.

Until recently there was no alternative to having a robust authority managing the credit database. However, it is precisely the lack of a centralised authority which makes blockchain so suitable for the ledger-keeping activity, and which drove the most widespread application of the technology, cryptocurrencies, where reliability is key.

Storing the data across a blockchain network removes the single point of failure of a central store: no one operator can silently alter a record, and an attacker has no single repository to exfiltrate. The ledger's guarantee is integrity, however, not confidentiality. Every node holds a full copy, so records written to it in clear are readable by every participant; keeping credit data private on such a ledger depends on encrypting the records and controlling who holds the keys, not on the chain itself.

Without intermediaries to remunerate for the administration of the database, the cost of data access drops dramatically, meaning lenders can access the data without having to pay the ‘resource rent’ to the credit agencies.
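As an added illustration (not ID Finance's code or any production ledger), the hash-chained ledger below shows what the design described in this section guarantees and what it does not: any edit to a stored credit event is detectable from a single copy, a rewrite of the newest block is caught only by comparing copies held by different participants, and records written in clear are readable by everyone who holds a copy. Borrower and lender identifiers and amounts are constructed.

```python
"""Hash-chained, append-only ledger of credit events.

Added illustration for this article; not ID Finance's code or a production
ledger. Borrower/lender identifiers and amounts are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, record: dict) -> str:
    """Canonical SHA-256 over the block contents; any byte change alters the hash."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str   # back-link: hash of the previous block
    record: dict     # stored in clear, so every node holding a copy can read it
    hash: str


class CreditLedger:
    def __init__(self) -> None:
        g = {"event": "genesis"}
        self.chain: list[Block] = [Block(0, GENESIS_PREV, g, block_hash(0, GENESIS_PREV, g))]

    def append(self, record: dict) -> Block:
        prev = self.chain[-1]
        idx = prev.index + 1
        blk = Block(idx, prev.hash, dict(record), block_hash(idx, prev.hash, record))
        self.chain.append(blk)
        return blk

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if every block's hash and back-link check out,
        else (False, index of the first failing block)."""
        for i, blk in enumerate(self.chain):
            expected_prev = GENESIS_PREV if i == 0 else self.chain[i - 1].hash
            if (blk.index != i or blk.prev_hash != expected_prev
                    or blk.hash != block_hash(i, blk.prev_hash, blk.record)):
                return False, i
        return True, -1

    def rewrite(self, index: int, record: dict) -> None:
        """Simulate an insider with write access to one copy: replace a block and
        recompute its own hash so that the block itself looks self-consistent."""
        old = self.chain[index]
        self.chain[index] = Block(index, old.prev_hash, dict(record),
                                  block_hash(index, old.prev_hash, record))


def first_divergence(a: CreditLedger, b: CreditLedger) -> int:
    """Index of the first block on which two copies disagree, or -1 if identical.
    Cross-copy comparison is what catches a rewrite of the newest block,
    which a single copy's verify() cannot see."""
    for i, (x, y) in enumerate(zip(a.chain, b.chain)):
        if x.hash != y.hash:
            return i
    return -1 if len(a.chain) == len(b.chain) else min(len(a.chain), len(b.chain))


# Constructed credit events shared by every node
EVENTS = [
    {"borrower": "B-100", "lender": "L-1", "event": "loan_opened", "amount": 500},
    {"borrower": "B-100", "lender": "L-1", "event": "repaid", "amount": 500},
    {"borrower": "B-100", "lender": "L-2", "event": "loan_opened", "amount": 1200},
]


def ledger_from(events: list[dict]) -> CreditLedger:
    led = CreditLedger()
    for e in events:
        led.append(e)
    return led


def walkthrough() -> dict:
    """Three tampering attempts against one copy; returns the verification outcomes."""
    out = {}
    own, peer = ledger_from(EVENTS), ledger_from(EVENTS)   # two nodes, same history
    out["clean"] = own.verify()
    own.chain[2].record["event"] = "defaulted"              # 1. crude in-place edit
    out["edited_in_place"] = own.verify()                   #    own hash no longer matches
    own.chain[2].record["event"] = "repaid"
    own.rewrite(2, {**EVENTS[1], "event": "defaulted"})     # 2. rewrite + rehash a middle block
    out["rewritten_middle"] = own.verify()                  #    next block's back-link breaks
    tail = ledger_from(EVENTS)
    tail.rewrite(3, {**EVENTS[2], "amount": 12})            # 3. rewrite + rehash the newest block
    out["rewritten_tail_self_check"] = tail.verify()        #    passes in isolation...
    out["rewritten_tail_vs_peer"] = first_divergence(tail, peer)   # ...but differs from the peer
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

The third scenario is the one to keep in mind when reading claims about a ledger being "tamper-proof": the chain only makes tampering evident relative to other copies or later blocks, so the security of the scheme rests on how many independent parties hold copies and on how agreement between them is reached, not on hashing alone.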

3) Democratising data and handing ownership back to individuals:

As the data is no longer held in a central repository, ownership is handed back to the ultimate beneficiaries – the individuals whose data is being accessed. Borrowers will have constant and free access to their own financial data, which is rightfully theirs to own, and potentially monetise, with far less exposure to identity theft and data leakage than a single central store offers.

Blockchain can address the limitations of the credit system and boost financial inclusion as a result. The technology offers security, transparency, traceability and cost advantages, and can support regulatory compliance and risk analysis.

While it may be too soon to predict the exact impact of blockchain in lending, what is apparent is the centralisation of the credit industry isn’t working. It’s time to rip up the rulebook and start afresh and blockchain offers a compelling solution.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.