Three’s a crowd: Third party security risks grow

Three’s a crowd, so the saying goes, but it could also mean fraud losses for banks and merchants if they’re not careful.

We’ve identified three types of third party security issues that need addressing.

Third party payment provider security

Facilitating new services like mobile payments can be done via two main methods – in-house or through a third party such as a mobile payment service provider who uses an Application Programming Interface, or API. But impending regulation changes mean banks won’t even have a choice about this risk. PSD2 means banks will have to open up their systems to third party payment providers (TPPs). The era of open-access API banking is upon us, but offering third parties a way into a bank’s systems is not without risks.

The European Banking Federation (EBF) pulled no punches in its assessment of the rule changes, stating that they “will be to the detriment of European consumers and the necessary protection of their bank accounts”. According to the EBF: “PSD2 framework is already partly obsolete and above all harmful as it requires the sharing of bank access codes with non-bank providers.”

Within PSD2 is the Access to Accounts’ (XS2A) rule, which forces banks to enable access to their customer accounts to third party apps. The EBF thinks this is a road to trouble and banks are worried also that liability for a fraud loss will fall on them, even if it’s the fault of the TPP. “The new directive makes banks potentially liable for possible irregularities or external attacks when consumers use third-party services,” the Federation said in a statement.

Third party vendor security

Moreover, banks are under pressure if they outsource tasks to third party vendors. Again this could be building a mobile payments app, but also includes everything from legal services to the firm running the HVAC system. The New York State Department of Financial Services (NYDFS) recently found a third of the 40 top banks it surveyed do not require vendors to notify them if they find a cybersecurity breach. Under half conduct an on-site assessment of their vendors, while a fifth do not require vendors to demonstrate they adhere to established minimum information security requirements.

Benjamin Lawsky, the top regulator, warned that “third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data”. The NYDFS is pressing ahead with new rules for banks to strengthen how they deal with third party vendors.

Third party merchant security

Moving away from banks and financial institutions, recent data breaches have highlighted the potential for third party security problems for merchants, too. In August last year, spurred on by some high-profile cases of stolen card details, the PCI Security Standards Council warned that “businesses are rapidly adopting a third party operations model that can put payment data at risk”.

It published fresh high-level guidance on how merchants can reduce this risk, but the problem remains. “Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise,” the PCI SSC said. The push for tokenization, which means merchants are not storing payment details, is a reflection of this fear about third party security, but it’s not the cure. Tokens simply reduce the value of the stolen data, not the fact that systems are compromised.

In all three cases, operating models need to be improved and reassessed. Common recommendations from regulators are for organisations involved to carry out due diligence checks, conduct risk assessments and ensure adequate reporting protocols are in place.

Written by Andy Brown

Andy Brown

Andy is marketing director for payments at NCR. He has nearly 30 years’ experience in e-payment systems from the delivery and support of systems in the Far East and Europe, from both the product management and marketing perspectives. Based in the UK, Andy is responsible for marketing NCR payment solutions.

Read more articles from Andy Brown
Our privacy policy has been updated. Click here to see the updates.