With rising online transactions and advanced fraud techniques, Dr. Carlos Nasher, Managing Partner at Thede Consulting, explores the opportunities and challenges of cybersecurity for banks and payment providers.
Between the dynamic poles of cyber security, regulation, and digitalisation, future drivers are having a major impact on today's payments industry. This article, the third in a three-part series, takes a closer look at the opportunities and challenges of cyber security for banks and payment service providers. The first article presented the current initiatives shaping payment digitalisation in Europe, above all the digital euro, while the second analysed the impact of PSD3/PSR and DORA on the payments industry.
In today's world of digital finance, fraud prevention and cyber security are key topics due to the increase in online transactions and more sophisticated fraud techniques. Banks and payment service providers are therefore under great pressure to meet customer needs, comply with regulatory requirements and strengthen their general cyber security policies. Dealing with these topics offers great opportunities, but also poses significant challenges that require extensive preparation. What impact do cyber threats have on the payments industry and what do they mean for banks and payment service providers?
Figure 1: Triangle of digitalisation, regulation, and cyber security in the payment industry
Cybercriminals are taking advantage of increasingly complex technical weaknesses and attack techniques such as API vulnerabilities, malware, and man-in-the-middle attacks, and exploiting human failures through phishing, social engineering, and APP fraud. Banks and payment service providers need a holistic approach that takes technical and human factors into account to respond to these threats.
To recognise threats at an early stage, a close collaboration between cyber security and fraud prevention teams is key. Technologies such as risk-based authentication, behavioural analytics, and fraud scoring engines are central to this. Banks and payment service providers need to find solutions that incorporate seamlessly with their core systems to ensure real-time detection and effective defence. Beyond that, regulatory requirements increase the need for action but also offer the opportunity to strengthen customer trust through higher security and transparent communication.
The most common technically driven cyber-attacks include man-in-the-middle attacks, in which attackers interpose themselves undetected in the communication between customers and banks in order to obtain confidential information. API vulnerabilities allow attackers to exploit inadequately secured interfaces to access databases or manipulate transactions. Malware and SQL injection are used to compromise banks' systems or end users' computers in order to gain unauthorised access to networks and data. On the other hand, fraudsters exploit human failure, for example through phishing, where fake emails or websites are used to steal credentials. Social engineering manipulates employees or customers into disclosing confidential information or carrying out authorised transactions. Scams and Authorised Push Payment (APP) fraud trick customers into transferring money directly to fraudulent accounts by posing as trustworthy entities.
Figure 2: Overview of targets for cyber-attacks
To effectively manage the lifecycle of a fraudulent transaction, a four-phase approach is required: prevention, identification, detection, and resolution.
Prevention: Advanced security infrastructures such as firewalls, security protocols, and intrusion detection systems minimise technical failure.
Identification: Regular checks, monitoring of abnormalities, and marking high-risk transactions or users help to recognise potential weaknesses and areas of fraud. Algorithms and AI identify suspicious activities and unusual customer behaviour.
Detection: Monitoring tools, behavioural analytics, and fraud detection systems enable rapid detection of fraud in real-time or near real-time.
Resolution: Once a fraud attempt has been recognised, immediate action must be taken to reverse it and minimise the damage.
Cyber security teams protect IT infrastructures from unauthorised access and cyber threats, while fraud prevention teams analyse suspicious behaviour patterns and detect fraudulent transactions. The collaboration of both teams is crucial to effectively combat fraud caused by technical and human error. Regulatory requirements are forcing banks to strengthen their security measures in order to protect customer data and guarantee the integrity of their payment processes.
Figure 3: Comprehensive approach to fraud prevention
Compliance with regulations is essential to avoid sanctions and ensure customer trust. At the same time, banks and payment service providers must strive for better security, trust, and efficiency. These service providers face challenges in these key areas:
Management, governance, and target operating model: Banks must adapt their structures and processes to constantly changing regulatory requirements. A gap analysis helps to identify weaknesses and develop steps to enhance their regulatory compliance.
Process optimisation: Optimising internal processes is essential for preventive action against fraud. The implementation of prevention mechanisms and training programmes for secure payment processes is key.
Technical implementation and project management: Banks need to introduce new authentication procedures to fulfil increased security requirements. The introduction of Strong Customer Authentication (SCA) procedures to increase the security of digital transactions is one possible solution.
Provider selection and contractual arrangements: Banks often integrate external service providers for specialised fraud management solutions. Selecting the right third-party service providers and drafting contracts that fulfil regulatory requirements is crucial for preventing cyber risks.
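The four-phase lifecycle (prevention, identification, detection, resolution) and the risk-based authentication with SCA step-up described under technical implementation, worked through as an added Python example; this is illustrative code written for this page, not from the article or Thede Consulting. The rule weights, decision thresholds, customer profile and transactions are constructed assumptions, and the rules cover the APP fraud indicators the article names (new payee, unusual amount, unusual behaviour).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Transaction:
    account: str
    payee: str  # beneficiary identifier (constructed values in the test)
    amount: float
    ts: datetime

@dataclass
class Profile:
    """Behavioural baseline for one customer; values are constructed."""
    known_payees: set = field(default_factory=set)
    typical_amount: float = 100.0
    recent: list = field(default_factory=list)  # timestamps of accepted payments

# Identification: each rule scores one indicator typical of APP fraud.
def risk_score(tx, profile):
    window_start = tx.ts - timedelta(minutes=10)
    burst = sum(1 for t in profile.recent if t >= window_start)
    rules = [
        (tx.payee not in profile.known_payees, 30, "new payee"),
        (tx.amount > 5 * profile.typical_amount, 40, "amount far above typical"),
        (not 7 <= tx.ts.hour < 22, 15, "outside usual hours"),
        (burst >= 3, 35, "payment burst in last 10 minutes"),
    ]
    hits = [(w, label) for cond, w, label in rules if cond]
    return sum(w for w, _ in hits), [label for _, label in hits]

# Detection: map the score to a risk-based authentication outcome (assumed thresholds).
def decide(score):
    if score >= 70:
        return "block"  # hold the payment for fraud-team review
    if score >= 30:
        return "step-up SCA"  # require strong customer authentication first
    return "allow"

# Resolution: apply the decision; only accepted payments feed the behavioural baseline.
def process(tx, profile):
    score, reasons = risk_score(tx, profile)
    decision = decide(score)
    if decision != "block":
        profile.recent.append(tx.ts)
    return decision, score, reasons
```

A real scoring engine would replace the fixed weights with models trained on the bank's own transaction history, but the flow of score, decision and feedback into the baseline is the same.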
Fraud prevention in the payment industry is complex and includes the implementation of technical and regulatory aspects into today’s systems and processes. Compliance with regulatory provisions requires detailed work and comprehensive expertise. Particularly detailed gap analyses for technical and regulatory requirements are key steps towards effective cyber security. Innovative solutions such as risk-based authentication, behavioural biometrics, and fraud scoring engines are essential to counter fraud risks. The selection of appropriate partners and product solutions is an important step here. Banks and payment service providers must analyse their status quo in terms of cyber security and decide how to position their strategic and operational approach in order to remain competitive in the market in the future.
About Dr. Carlos Nasher
Dr. Carlos Nasher is a managing partner at Thede Consulting. As an industrial engineer with a PhD in Data Science and over 10 years of experience, he is an expert in the innovative creation of digital payment processes and the development of cross-industry platform solutions, as well as in the areas of loyalty and programmable currencies. With comprehensive expertise in business models, products, and technology in payment and banking, his team delivers innovative ideas for decision-makers.
About Thede Consulting
With over 30 years of experience within payments, Thede Consulting supports banks, payment service providers, and customers from industry, service as well as retail and wholesale as a first-class strategy and management consultancy. With our expert team, we advise both nationally and internationally active clients. We convince with our expert knowledge in the strategic development and implementation of innovative business models as well as digital processes and product concepts.