BankThink

Payment companies are dropping the ball on API security

A simple misconfiguration, a bug or abuse of an API could compromise sensitive information and cause major exposure and havoc, as we saw with Facebook and Equifax.

The exposure is too high for companies to ignore. The cost of breach remediation pales in comparison to the potential fine, which in turn can pale in comparison to the reputational damage an organization will suffer. Not all organizations can afford a fine of 8% or more of their revenue; most businesses do not operate at the high profit margins of an Equifax or Facebook and would be crushed by the fine alone.

[Photo: A monitor displays Equifax Inc. signage on the floor of the New York Stock Exchange in New York, Sept. 8, 2017. Photographer: Michael Nagle/Bloomberg]

Companies will have to begin to weigh the risk and reward of doing the minimum versus stepping up to strong encryption and tokenization techniques. They will need to review and revamp their data privacy practices, or start them if they have none. In these times, a business cannot stick its head in the sand and do nothing.

The primary measure companies should take is to properly encrypt or tokenize all PII data prior to sharing it with third parties and cloud providers. Make sure encryption takes place before data is sent out to applications in the cloud such as Office 365, Salesforce, Dropbox, Slack, AWS and Azure. If you send the data out in the clear and let the cloud provider encrypt it, the data remains in the clear and vulnerable in most of the provider's application and Internet-facing modules; only the backend storage is protected.

Organizations should select tools that automatically protect their sensitive information and keep it protected at all times. For instance, they should access all cloud applications via cloud encryption gateways or cloud security brokers with automatic rights management and end-to-end data protection.

Encryption or tokenization needs to be done for all PII so the organization can be confident that even in the case of a breach the data remains protected. It needs to be done before sharing the data with third parties and sending it to cloud providers. Businesses should never share their encryption keys with cloud providers, and should never store the keys on the same server as the encrypted data. That is not much different from leaving your car with the keys in it.
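One way to apply the advice above (tokenize PII before it leaves, and keep the key and the token vault on the organization's side), as an added Python illustration that is not from the article; `PII_FIELDS`, `LocalTokenizer`, `outbound_is_clean` and the sample record are constructed for this example:

```python
"""Tokenize PII locally before a record is sent to a third party or cloud app.

The outbound payload carries only tokens; the HMAC key and the token vault
never leave the organization, so the provider cannot recover the cleartext.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Fields treated as PII in this example (constructed list).
PII_FIELDS = ("name", "ssn", "card_number")

# Constructed sample record; values are not real.
SAMPLE_RECORD = {"name": "Jane Example", "ssn": "123-45-6789",
                 "card_number": "4111111111111111", "amount": 42.5}


class LocalTokenizer:
    """Keyed, deterministic tokenization backed by an on-premises vault.

    Deterministic tokens keep records with the same SSN joinable in the cloud
    app, at the price of revealing equality; the key itself is never shared.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)  # generated and held locally
        self.vault = {}  # token -> cleartext; stays with the organization

    def _token(self, field: str, value: str) -> str:
        mac = hmac.new(self.key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:32]

    def tokenize(self, record: dict) -> dict:
        """Return a copy of the record that is safe to send to a provider."""
        out = dict(record)
        for field in PII_FIELDS:
            if field in out:
                value = str(out[field])
                tok = self._token(field, value)
                self.vault[tok] = value
                out[field] = tok
        return out

    def detokenize(self, record: dict) -> dict:
        """Restore cleartext; only possible where the vault lives."""
        return {k: self.vault.get(v, v) if isinstance(v, str) else v
                for k, v in record.items()}


def outbound_is_clean(original: dict, outbound: dict) -> bool:
    """Pre-send check: no original PII value may appear in the serialized payload."""
    payload = json.dumps(outbound)
    return not any(str(original[f]) in payload for f in PII_FIELDS if f in original)
```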

Data is becoming an important currency; business opportunity and reliance on data are increasing, and data volumes are growing exponentially. However, storing personal information collected from end users is a liability.

The more you have, the greater that liability becomes. If you properly protect the information, you can turn it into a big asset for your business. Organizations must be aware of the growing risk with their data and always protect user content, personally identifiable information (PII) and protected health information (PHI). With the growing number of regulations on individuals' data privacy, exposing such data opens the organization to breaches, reputational damage and stiff penalties.

Businesses should assume that their digital data will be leaked in some capacity in the future. They should ensure appropriate measures are in place to keep the data protected at all times, whether it is at rest, in use or in the hands of hackers. Data breaches cause major financial losses, and sometimes businesses never recover from them due to stiff penalties, post-breach notification costs, forensics costs and reputational damage.

It is hard to regain user trust unless an organization makes a tenfold investment to change its culture and approach to user data privacy, and delivers on its promises after such a public punishment. The business cannot afford another occurrence. It needs to think proactively about the different ways its platform can be abused and user content can be breached. It will take many years of hard work to fix the reputational hit. Many times that is more costly than anything else; businesses live and die by their reputation.
