Dr Gavin Scruby, CIO, SmartDebit
Certain industries have significant restrictions on the way they process data. Some of the most common are defence, health, credit card and government. When these organisations process data, they have to comply with industry-specific regulations, which benefits us all. What some companies have not yet realised is that everyone now operates under a similar kind of regulation. This is of course the General Data Protection Regulation, most commonly referred to as GDPR, which now governs data protection across the EU. The UK government intends to write GDPR into UK law and stay largely parallel with the EU, so the caveats here will probably apply even in the case of a no-deal Brexit. While many people know that the GDPR affects how they should protect data, the breadth of impact on the data controller-processor relationship is often missed, and this can have catastrophic effects on business flexibility, and particularly on cloud migration.
Before getting into the consequences of this and how they could be managed, it’s worth looking at what controller and processors are, to see how they affect nearly everyone who offers a service over the internet. If you have a website and you integrate a card payment service, you are a data controller – you decide what data you collect from your customers (card details and postcode), why it is processed (to make a card payment) and who processes it (the card payment processing company). While you are the controller, the card company is your processor – it processes data from your customers to enable credit card payments to happen. This kind of relationship is more common than many people may think. In any situation where a company provides a personal-data processing service to another company, that service company becomes a processor. It could be an online CRM service, a bookings service, an online document storage service, even a paper document library (as GDPR applies to printed information too) – almost anything where the service provided stores or processes personal data for another organisation creates a controller-processor relationship.
The difficulty now is that GDPR puts a lot more restrictions on what a processor can do without the controller’s consent, largely because the controller now has many more obligations to check and control how data that it collects is used. This is only fair; if you are liable for data you’ve collected, you should have some say in what is done with it when you subcontract it to someone else.
A key restriction, and the one we consider here, is within the GDPR’s Article 28 Paragraph 2: “The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”
The simple language interpretation of this is that as a processor, you can’t change your data subcontractors without explicit permission from your controllers (i.e. customers) – and that means all of them. This is difficult enough if you want to change standard suppliers, but the often neglected consequence is that it can also affect where you locate core data and whether you migrate to the cloud. Even if you rent rack space in a data centre (co-location hosting) and the data centre never “sees” unencrypted data, this is still classed as a sub-processor by the law. Consequently, any move to another data centre, or a migration to cloud, is considered a change in sub-processor, which therefore requires permission from all customers.
In practice, this could be extremely limiting. You would not want to attempt to arrange written authorisation from every customer when you want or need to move to the cloud. If nothing else, it could push back migration timescales by years. The most you would want to do is inform customers, with perhaps an early termination clause if they had a significant issue. This is not how contracts are being drafted, and not how the ICO recommends they are drafted. Standard clauses will be created by the EU or ICO in time, but these are not yet available. The ICO recommends contract terms of the form: before employing a sub-processor, the original processor must inform the controller and obtain its prior specific or general written authorisation. It is possible to draft contracts to contain general written authorisation or include clauses to allow early termination or assumed acceptance on non-response, but you’ll need professional legal advice to make these enforceable and legal such that they do not violate the GDPR.
The introduction of the GDPR means you now need to do two things: firstly, make sure your own contracts are drafted to give you maximum flexibility while remaining compliant with the law; and secondly, read sub-processor clause amendments made by customers very carefully. Here you need to discuss your specific circumstances with your legal advisors or industry body. If you simply migrate to cloud without customer consent, you could fall foul of GDPR sub-processor limitations, and many more organisations and individuals are becoming knowledgeable about their rights.
Don’t panic though. The GDPR has thrown up many situations like this and it is still very new, in case law terms. The GDPR is not intended to work in such a way as to stop dead industry-wide cloud adoption. Everyone is finding their way on these rules right now and the ICO seems to be taking a “carrot” rather than “stick” approach for those companies who are genuinely trying to improve data protection but still operate their businesses competitively. In time, consensus guidance will be developed, but until that time, we all have to be more careful about what we sign and even more careful about the contracts we write.
Dissecting the expansion of online checkouts
Daniel Kornitzer, Chief Business Development Officer
Card payments have long existed as the preferred payment method for online consumers. But in recent years we have begun to see a rise in the use of alternative payment methods. Although card payments continue to serve the majority, it is becoming increasingly clear that consumer preference is diverging rather than reaching a consensus. Across the globe local preferences have developed as eCommerce has grown, and across the global digital payments landscape card payments are being passed over for new ways to pay.
Alternative payment methods are on the rise as they address several of the hurdles which have prevented cards from achieving total rule over consumer preference for online payments. Here are four key reasons for this:
- Alternative methods offer a superior consumer experience, particularly when it comes to mCommerce. With the rise of new regulations such as Strong Customer Authentication and developments in Open Banking, alternative payment methods can be faster and easier to use for consumers.
- New payment methods such as crypto are growing in popularity thanks to a more attractive offering to consumers, such as lower cross-border payment fees.
- With the digitalisation of services forcing many customers to pay online for the first time and many experienced online shoppers looking for more secure ways to pay, the security of financial data is a major concern. Alternative payment methods can protect customer details by removing the need to share bank details at the checkout.
- Not all consumers have bank accounts or a debit card. By offering alternative payment methods businesses are enabling these customers to join the digital economy.
Businesses have been watching these trends closely and are constantly looking to improve their checkout experience for consumers accordingly.
The impact of COVID-19 on online payments
The need for businesses to expand their online checkout to meet changing consumer expectations is not a new trend. However, it has certainly been accelerated by COVID-19. The majority of businesses agree the pandemic has shifted consumer payment preferences, with alternative payment methods gaining in popularity.
Research shows businesses have seen more alternative methods chosen at their online checkouts, with a greater percentage of consumers choosing digital wallets (57%), mobile wallets (39%) and eCash (28%). This has caused businesses to reconsider the way they understand payments, looking beyond traditional methods to newer consumer-friendly alternatives. With this in mind, reports suggest more than 60% of businesses are now making improving their checkout a top priority to meet the new high standard of consumer expectations.
Businesses are actively expanding their online checkouts
If we compare data from 2020 to 2021 on the payment methods offered or planned to be offered by businesses in the next one to two years, the trend is clear.
The number of businesses not offering or not intending to offer alternative payment methods is falling, as more and more start to recognise the importance of offering choice at the checkout. In the last year alone the increase in the adoption of alternative payment methods has risen dramatically, particularly crypto and eCash. As businesses begin to understand the urgency of upgrading the checkout experience, it is clear that alternative payment methods will play a key role in making this a reality.
Establishing crypto as a key player
One of the most interesting areas of payments which businesses should be watching is crypto. Research shows businesses are already backing this trend with almost half considering adding crypto as an alternative payment method as an immediate priority, believing it will help them reach new markets, and more than 50% already have confidence in crypto as the future of payments.
Diversifying the checkout as a form of defence
As well as offering a better customer experience and reaching new markets, businesses are expanding their checkouts with alternative payment methods to combat other familiar problems.
Most businesses see their current levels of cart abandonment as an issue, with research showing almost half have experienced an increase in levels of abandonment at the checkout in 2021. Businesses consider two of the most significant causes of this to be card declines and absence of the customers’ preferred payment method. Offering alternative payment methods is an effective way of tackling these problems at the checkout.
The rise of fraudulent transactions is also becoming a more pressing concern for businesses, with the number of fraudulent transactions increasing since the start of the pandemic. Diversifying the checkout with alternative payment methods can be used as a valuable strategy to lower fraudulent transactions.
Looking to the year ahead
2022 looks set to be another year where we will see businesses continue to adopt new payment methods at their online checkout in a bid to keep up with consumer expectations.
By working with a leading payments partner, businesses can benefit from access to a range of payment methods through a single API integration, allowing ambitious plans to become a reality in the year ahead.
All data from this article is taken from our recent research report Lost in Transaction: Finding competitive advantage at the checkout.
How bug bounty programs can help financial institutions be more secure
Rodolphe Harand, Managing Director at YesWeHack
Financial services have been one of the most heavily targeted industries by cybercriminals for several years. One alarming stat from the Boston Consulting Group found these firms to be 300x as likely as other companies to be targeted by cyberattacks.
Furthermore, the pandemic has led to a significant increase in the number of cyberattacks targeting financial institutions (FIs), with around 74% experiencing a spike in threats linked to COVID-19.
With FIs holding some of the largest collections of sensitive and private data, it’s clear they will remain an attractive target for malicious actors, especially as any data stolen can be used for fraudulent activities. This leads to the reputational damage of the financial entity that was compromised and has a knock-on effect in terms of monetary and reputational damage to affected customers.
For CISOs at FIs, the conundrum is how to protect intellectual and customer data, and ensure accountability and transparency for clients and stakeholders, at a time when the pandemic has created budget constraints. Research from BAE Systems found that last year alone, IT security, cybercrime, and fraud and risk departments had their budgets cut by a third.
Below we look at how bug bounty programs can help to address these pressing issues.
Protecting valuable data
Protecting customer and intellectual data has always been a top priority for FIs. However, as opportunistic cybercriminals have a lot to gain by stealing this valuable data, threats evolve constantly, which means FIs must stay on their toes. By deploying a bug bounty program, FIs can work with ethical hackers that have a wealth of experience and unique skills when it comes to identifying security weaknesses within an FI’s defences, thus helping to implement effective security measures that prevent data breaches.
Building trust among various stakeholders such as customers, suppliers and investors is critical for achieving business goals. By deploying a bug bounty program, FIs send out a message that they care about protecting the security of the data of those they work with – which in turn can have a cascading effect resulting in better business performance.
For FIs to win customers and keep them happy, amidst the growing threat of neo banks and customer-centric fintech organisations, speed of innovation is crucial. As such, many FIs have adopted an agile approach to build, test, and release software faster to bring online and mobile banking solutions to market quicker. However, this can create friction between development and security teams. Security mandates are deemed to be unnecessarily intrusive and a cause of delayed application development and deployment.
Yet, with DevOps teams needing to build and deploy applications faster than ever before, an epidemic of insecure applications has emerged. According to Osterman Research, 81% of developers admit to knowingly releasing vulnerable applications, while research from WhiteSource found 73% of developers are forced to cut corners and sacrifice security over speed.
With developers often not having the time, tools, skills, or motivation to write impeccably secure code, there is an evident need to give developers more support when it comes to building applications securely. Fortunately, bug bounty programs can provide a “fact-based” financial measure of the security flaws inherent in the process. This makes it possible to hold development teams and service providers accountable for creating or delivering insecure products, thus addressing security gaps within the business units and helping to drive continuous improvement.
Moreover, security awareness and education of development teams can be improved significantly for those developers that are directly involved with the management of vulnerability reports for their bug bounty programs. This is because the mere fact of exchanging information with ethical hackers, or assimilating the thinking of a potential attacker and having proofs of concept of vulnerability exploitation on their own application components, naturally accelerates consideration of security early in the development stage and provides ongoing learning.
Get more return on your investment
According to Gartner, 30% of CISOs’ effectiveness will be directly measured on their ability to create value for the business. When security budgets are challenged, CISOs need to demonstrate business value through initiatives designed to enhance efficiency whilst stretching the dollar.
This is where bug bounties can help tremendously. Compared to conventional penetration testing, bug bounty offers a fast, complete, and measurable return on your security investment, with businesses only paying out for successful discovery of vulnerabilities. Equally, businesses get access to hundreds of ethical hackers that can test their programs, each with their own unique skillsets as opposed to only one skilled researcher testing the network. This results-driven model ensures you pay for the vulnerabilities that pose a threat to your organisation and not for the time or effort it took to find them.
Bug bounty programs also deliver rapid vulnerability discovery across multiple attack surfaces. With this approach, organisations receive prioritised vulnerabilities and real-time remediation advice throughout the process to accelerate the discovery of, and solution to vulnerabilities.
Another appeal of bug bounties is that due to the continuous nature of testing, more vulnerabilities are found over time as opposed to pen-testing. This is key to financial institutions that require agility to keep up with the continuous roll-out and updates of applications.
The cornerstone to a successful security programme
The risk posed to financial institutions by cyber threats will only continue, as evidenced by the number of data breaches seen in recent times. The COVID-19 pandemic has only exacerbated these risks, especially with almost all FIs having needed to shift to a remote working environment – which has only widened the attack landscape.
For FIs, a bug bounty program should be considered a fundamental cornerstone of any security strategy, being a modern-day cybersecurity solution that is well-equipped to tackle the immediate security challenges they face. In doing so, FIs will not only prove to customers and stakeholders their commitment to data protection and security, but will also help themselves avoid the monetary penalties that regulators could impose if a breach were to take place.