Breaching the New Frontier in Payments Security and Compliance Automation
by Johanan Devanesan, December 5, 2023
The fintech sector is growing more complex, with increasingly sophisticated fraud schemes and compromises of personal data. Counterbalancing this, automation in payments security and compliance is catching up, and it will play a pivotal role in how digital fraud is handled in the years to come.
Solutions like automation and DevSecOps (a development, security, and operations framework) can play a key role in overcoming regulatory and compliance hurdles, as demonstrated in the recent “Fintech Innovation – Security & Compliance Automation” seminar hosted by Secure Vectors Information Technology Inc.
The three-session seminar saw Secure Vectors’ own Vincent Huang, a compliance specialist, Scantist Head of Engineering Ding Sun, and PCI security standards authority Lai Seow Yong all underscore the rapid growth and evolution of advanced security and compliance measures within the fintech sector, particularly in digital payments.
Each speaker highlighted the increasing sophistication of cyberthreats, especially in the context of open-source software and payment systems, making robust security measures more critical than ever.
AI & the Imperative of Automation in Streamlining Compliance
Vincent Huang, Head QSA at Secure Vectors Information Technology Inc., was a keynote speaker. With his two decades of auditing experience, Vincent brought to light the intricacies of compliance automation in fintech, in his session entitled “Innovations of New Payments and Compliance Automation”, underscoring the complexity and the dynamic nature of compliance requirements in this fast-evolving sector.
A significant part of Vincent’s discussion centered on artificial intelligence (AI) and its effectiveness in compliance automation. He illustrated how AI plays a crucial role in identifying system security flaws and analysing data to prevent fraud, emphasising its ability to detect unusual access patterns and potential security threats.
The seminar explored the layered challenges of compliance, highlighting the difficulty of keeping up with extensive and continually updating regulatory mandates. Vincent pointed out that the volume and complexity of these requirements necessitate a strategic and systematic approach.
Vincent argued that managing compliance without automation is an overwhelming task. Given the extensive nature of compliance requirements and their frequent updates, automation is essential, not just beneficial.
A Multi-Dimensional Approach to Tackling Compliance Automation
He elaborated on several key aspects of effective compliance automation: grasping regulatory requirements, allocating responsibilities and scheduling, continuous monitoring and thorough data analysis, cooperation with compliance auditors, and implementing visualisation tools and dashboards for real-time compliance monitoring and management.
In his concluding remarks, Vincent predicted that compliance automation, driven by AI and advanced monitoring tools, will increasingly become essential in the fintech sector. He highlighted the role of Secure Vectors Information Technology Inc. in this evolving landscape, offering specialised services to support companies in effectively managing their compliance needs.
The Rising Importance of DevSecOps in Fintech
Vincent acknowledged the increasing sophistication of cyber threats, especially in the context of open-source software and payment systems, making robust security measures more critical than ever. This challenge was taken up by the next speaker, who put forward DevSecOps as the likely solution in the session entitled “Mitigate Open Source Security with DevSecOps.”
Ding Sun, the Head of Engineering at Scantist Pte. Ltd., emphasised the critical role of DevSecOps in bolstering security for financial institutions. He highlighted how the latest PCI DSS guidelines underscore the need for securing third-party components, a focal point of the session.
Understanding the Open Source Risks and Challenges
Ding Sun brought attention to the burgeoning risks in application security due to increased reliance on open source software, which he described as “eating the world”. The integration of open source components, while simplifying development, has led to a dramatic increase in vulnerabilities, particularly in the context of the COVID-19 pandemic, which accelerated the digitisation of services.
Ding Sun noted that open source software faces multiple threats, including compromised packages and a complex supply chain. He highlighted the risks associated with licensing, citing the example of copyleft licenses, which can require users to release their own source code when they incorporate the licensed software. This poses a significant challenge, especially in industries like automotive, where open source is prevalent.
Ding Sun also touched on the impact of AI on software development and security, noting its speed and efficiency but warning against its lack of defensive coding, leading to potential vulnerabilities. He stressed the importance of defensive code to mitigate risks in AI-generated software.
DevSecOps: A Solution to Open Source Security
The heart of Ding Sun’s presentation was the concept of DevSecOps, which integrates security considerations into every stage of software development. He underscored the need for a change in mindset, where security is merged with application requirements. This integration is crucial for protecting assets and ensuring code security.
Ding Sun discussed various tools essential for DevSecOps, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). He also mentioned the role of AI in refining these tools, reducing false positives, and providing more accurate results.
Tools and Holistic Strategies for Effective DevSecOps
As in the rest of the event, automation was a key theme in Ding Sun’s talk: he described how integrating security tools into the CI/CD pipeline can automate the detection and remediation of vulnerabilities. He also explored the potential of customising tools using technologies like GPT for specific organisational needs.
In conclusion, Ding Sun advocated for a comprehensive approach to open source security, which involves not just tools and technology but also cultural shifts within organisations. This approach includes prioritising the security of components used, applying patches effectively, and creating a secure, controlled environment for software development.
Enhancing PIN Security with TR-31 Key Block Standards
As Ding Sun pointed out, a recurring theme at the seminar was the need for compliance with evolving regulatory standards like PCI DSS. The speakers placed much emphasis on how regulatory compliance is no longer optional, but a critical aspect of fintech operations.
Lai Seow Yong, the APAC Technical Pre-sales Manager at Utimaco Management GmbH, focused the last session of the day on an often-overlooked facet of compliance in security standards, PIN security and the use of “key blocks,” encrypted symmetric keys.
Seow Yong’s topic “PIN Security – New Standard TR-31 (Key Blocks)” focused on the evolution, importance, and implementation of TR-31 key blocks in the fintech industry.
Compliance Driving Key Block Adoption
Seow Yong traced the origins of key blocks, a concept developed by Susan Redford and later standardised by ISO and ANSI, highlighting the significance of key blocks in adhering to compliance mandates, particularly in the realm of PCI compliance and hardware security module (HSM) technology.
A major thrust of Seow Yong’s talk was the role of compliance in driving the adoption of key blocks. He detailed how PCI compliance requirements necessitate the use of key blocks in various phases of payment processing systems, emphasising that adherence to these standards is as crucial as the implementation of advanced technology.
Detailed Understanding of Key Blocks
Seow Yong explained the transition from traditional key storage methods to key blocks, which encapsulate key data with metadata, specifying the key’s purpose, algorithm, and usage. This modern approach significantly bolsters the security and integrity of key information.
He discussed key wrapping and key protection, essential aspects of key blocks. The key is encrypted under another key, adding a further layer of protection, so that key blocks remain secure even if part of the system is compromised.
Delving into the technical aspects, Seow Yong outlined the various key block formats, their sizes, and their technical mechanisms. He stressed the importance of robust key derivation mechanisms and their integration within HSMs to provide heightened security.
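To illustrate the metadata a key block carries, here is an added example (not code from the seminar or from Utimaco): a parser for the 16-character ASCII header of a TR-31 key block, plus the check an HSM makes that the key’s declared usage and mode of use permit the requested operation. The code tables are a subset of the TR-31 codes, and the sample block is constructed, with placeholder hex in place of real ciphertext and MAC.

```python
from dataclasses import dataclass

# Subset of the TR-31 header codes: two-character key usage, single-letter
# algorithm, mode of use and exportability.
KEY_USAGE = {"B0": "base derivation key", "D0": "data encryption",
             "K0": "key encryption key", "P0": "PIN encryption",
             "M3": "ISO 9797-1 MAC (algorithm 3)"}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA"}
# Operations each mode-of-use letter permits: E/D = encrypt/decrypt,
# G/V = generate/verify MAC.
MODE_ALLOWS = {"B": set("ED"), "E": {"E"}, "D": {"D"}, "G": {"G"},
               "V": {"V"}, "C": set("GV"), "N": set("EDGV")}
EXPORTABILITY = {"E": "exportable under a trusted key",
                 "N": "non-exportable", "S": "sensitive"}

@dataclass(frozen=True)
class KeyBlockHeader:
    version: str          # A/B/C/D: key block protection method
    length: int           # total key block length in characters
    key_usage: str        # e.g. P0 = PIN encryption key
    algorithm: str        # algorithm the wrapped key is intended for
    mode_of_use: str      # operations the key may perform
    key_version: str      # two characters, "00" when unused
    exportability: str
    optional_blocks: int

def parse_header(block: str) -> KeyBlockHeader:
    """Parse and sanity-check the 16-character header of an ASCII key block."""
    if len(block) < 16 or not block.isascii():
        raise ValueError("key block must be at least 16 ASCII characters")
    h = block[:16]
    if h[0] not in "ABCD":
        raise ValueError(f"unknown key block version id {h[0]!r}")
    if not h[1:5].isdigit() or int(h[1:5]) != len(block):
        raise ValueError("declared length does not match block length")
    if h[5:7] not in KEY_USAGE or h[7] not in ALGORITHM:
        raise ValueError(f"unsupported key usage/algorithm {h[5:8]!r}")
    if h[8] not in MODE_ALLOWS or h[11] not in EXPORTABILITY:
        raise ValueError("bad mode-of-use or exportability code")
    if not h[12:14].isdigit():
        raise ValueError("optional block count must be numeric")
    return KeyBlockHeader(h[0], int(h[1:5]), h[5:7], h[7], h[8],
                          h[9:11], h[11], int(h[12:14]))

def key_permits(hdr: KeyBlockHeader, usage: str, operation: str) -> bool:
    """True only if the header allows this key for `usage` (e.g. "P0") and
    `operation` (E/D/G/V); a PIN key is thus never used as a data key."""
    return hdr.key_usage == usage and operation in MODE_ALLOWS[hdr.mode_of_use]

# Constructed sample: version B, 96 characters, PIN encryption key, TDES,
# encrypt only, non-exportable, no optional blocks; key data and MAC are fake.
SAMPLE_BLOCK = "B0096P0TE00N0000" + "A1B2C3D4E5F60718" * 4 + "1234567890ABCDEF"
```

Running `parse_header(SAMPLE_BLOCK)` yields the decoded header, and `key_permits` rejects a request to use this PIN key for data encryption (usage D0) or for decryption (mode E only).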
Effort and Migration Concerns
Seow Yong reassured that the effort required to implement key blocks is often comparable to traditional methods, especially with modern HSMs designed to support them. He also discussed migration from Triple DES to AES (Advanced Encryption Standard), advising consideration of AES for enhanced efficiency and security.
In his closing remarks, Lai Seow Yong emphasised the necessity of comprehending the ‘why’, ‘what’, and ‘how’ of implementing key blocks. He encouraged participants to consider the broader implications of adopting key blocks, focusing on compliance, security enhancement, and future-proofing their systems in the ever-evolving fintech sector.
Looking Ahead: Security and Compliance Automation in Fintech
Altogether, the sessions at “Fintech Innovation – Security & Compliance Automation” revealed a trend towards integrating advanced technologies (like AI, DevSecOps, and TR-31 key blocks) into fintech operations to enhance security and streamline compliance processes.
Throughout the seminar, there was a clear emphasis on balancing rapid technological innovation in fintech against rigorous security and compliance standards. Compliance automation can be a major part of striking that balance: tools like AI persistently monitor and manage systems, and manual processes give way to automated compliance workflows that monitor, self-assess, and plan corrective actions without the drawbacks of human error.
In essence, the seminar as a whole underscored the urgent need for adopting new technologies and automation strategies to navigate the growing security challenges in the fintech sector, especially in the critical evolving space of compliance management.