The first day of October marks the start of Cybersecurity Month. This year, we will publish a series of articles throughout October to help you understand and navigate cybersecurity challenges in 2023 and beyond.
In this first of four posts, we take a high-level look at the current state of cybersecurity and payments, some of the most notable and critical threats to watch for and what payment providers need to know to protect their businesses (and their merchants) from harm.
An Industry On High Alert
In its Payments 2025 and Beyond report, PwC found that 48% of industry respondents said cybersecurity was one of the top three areas of regulation they were most concerned about. In second place, 31% of respondents cited digital identity verification – a topic closely related to cybersecurity. Cybersecurity, data privacy regulations and ever-evolving digital threats topped PwC’s list of cyber-specific concerns.
Cybersecurity is top of mind for the payments industry, and for good reason: cybercrime is rising.
In 2022, overall cyberattacks increased by 38%. IBM’s annual Cost of a Data Breach report estimates that an average breach costs businesses around $4.45 million USD. Meanwhile, ransomware payouts have also nearly doubled since 2022, to over $1.5 million on average, according to research from Sophos.
Unfortunately, the trend in cybercrime (which the global pandemic accelerated) isn’t likely to improve. Statista’s Cybersecurity Outlook expects the global costs of cybercrime to explode between 2022 and 2027, from $8.44 trillion to almost $24 trillion.
The rapidly increasing digitization of payments and the value of data involved – like credit card numbers and payment service logins – make the industry a natural target for cyber attackers and fraudsters. So what kind of threats does the payments space face, and what do they mean for payment providers?
Key Cyber Threats for Payments Companies
In its Q1 2023 brief on cybersecurity, Mastercard broke prominent threats down into three easy-to-digest categories: continuing, amplifying and evolving.
Continuing cyber threats include:
- Highly professional, organized cyberattack rings
- Ransomware attacks, including ransomware-as-a-service
Amplifying cyber threats include:
- Targeting of insiders
- Third-party attacks
Evolving cyber threats include:
- Attacks on small businesses
- Attacks on new payment systems
Continuing Threats: Organized Hacking and Ransomware Groups
Although professional cybercrime has existed for decades, bad actors have increasingly turned it into a full-time profession. Companies must watch for not only small groups and lone wolves but also organized criminal organizations that treat cybercrime like big business.
Large, shadowy gangs, often known only by “threat actor identifiers” like APT32 and TA542, target everything from small businesses and utility companies to governments and card networks. Unfortunately, payment and financial data is often the target.
While direct data theft is a problem, many cybercriminals prefer ransomware. Criminals use ransomware to steal and encrypt a company’s data before demanding a ransom in exchange for its return. Because it’s so challenging to decrypt stolen data, companies are often forced to pay the ransom (a practice discouraged by the FBI) or cut their losses altogether.
This practice has given rise to ransomware-as-a-service (RaaS) groups like ALPHV, the creators of BlackCat – a widely distributed and highly sophisticated ransomware system. RaaS puts advanced cyberattack capabilities in the hands of more bad actors. It also enables large groups to outsource their dirty work.
The proliferation of RaaS, combined with increasingly sophisticated and relentless social engineering attacks, has resulted in ransomware becoming the most significant cyber threat to payment companies and financial institutions today.
What it Means for Payment Providers:
Fighting major cybercrime groups means fighting an enemy with resources. These groups gain strength in numbers, enabling them to develop and deploy incredibly sophisticated software and identify and exploit even the most minor chinks in a company’s armor.
The best way to fight back is by equipping yourself with the right tools and safeguards. For smaller providers without time or budget to direct towards cybersecurity, joining forces with a well-established and mature payments partner will help ensure your systems are adequately secured.
Amplifying Threats: Breaching Systems From the Inside and Out
Some cyber attacks use brute force to get through a company’s defenses and access valuable customer data. However, most cybercriminals have learned how to work smarter instead of harder; they focus on the weakest links in the cybersecurity chain to find ways to exploit large, valuable targets.
Those weak links generally fall into two categories: insiders and third-party partners.
Insider attacks come in two varieties – unintentional and intentional. Unintentional insider exploits use social engineering tactics like phishing to fool employees into granting access to critical systems or data, or they focus on accidental and negligent employee weaknesses, like a poorly secured ad-hoc home office network.
Intentional insider attacks result from employees deliberately assisting bad actors, either for personal profit, out of spite or, in some cases, as a result of blackmail. In either case, cybercriminals are amplifying their focus on insiders, with 74% of organizations reporting an uptick in insider attacks.
Third-party attacks are an even bigger problem. Third-party breaches occur when cybercriminals attack a target by exploiting one of its external partners. Software publishers are the biggest target. However, a report from the Ponemon Institute found that over half of respondents had fallen victim to a third-party attack, with connectivity between systems representing the most prominent risk.
The distance third-party attacks provide makes them particularly insidious, with the average time-to-discovery coming in at a shocking 287 days.
What it Means for Payment Providers:
Cybersecurity can’t be narrow in focus, especially in an industry like digital payments, where widescale connectivity is the norm. Whether it’s as simple as work-from-home access or integration with third-party systems, every connection matters.
The fewer third-party partners you have, the fewer weaknesses you must be mindful of. That makes finding security-minded, one-stop payment platforms more important than ever – especially when it comes to embedded software payments and in-app financial solutions.
Evolving Threats: Attacks on Smaller Businesses and New Payment Systems
While large, enterprise-level companies are lucrative targets for bad actors, they also have more robust security systems, making it challenging for all but the most advanced criminals to hack their systems and steal data. Because of this, some cybercriminals are shifting focus to easier targets like small companies and new payment systems.
Small companies are a ripe target for two reasons. First, they are less likely to have robust security systems, making them easy to exploit. Second, the proliferation of digital payments and RaaS means attackers looking to steal large amounts of data no longer have to go after big targets. Instead, they can simply deploy RaaS against thousands of small ones.
New payment methods are also a prime target because of how quickly the space is changing. New systems are more vulnerable than those with years (or decades) of use and testing. That’s true on the backend, the code and the user end. For instance, newer payment rails like P2P (peer-to-peer) and new systems like FedNow create ample opportunities for attackers to find vulnerabilities.
On the system side, there will always be bugs to work out. On the user side, a lack of familiarity makes social engineering easier. The rise of phishing and social attacks has caused an increase in authorized push payment (APP) fraud. Unfortunately, it may take years (or even decades) before users are as savvy with new rails like P2P as they are with keeping their credit cards secure.
What it Means for Payment Providers:
Targeting small businesses means that individual merchants are more vulnerable to cyberattacks. Payment providers must be ready to offer merchants the security they need without requiring them to do the heavy lifting themselves. Value-added services like tokenization, secure off-site card data storage and AI-powered fraud prevention are invaluable solutions.
Less mature systems carry greater risk. Evolving attacks on new payment systems mean that, as merchants demand access to the cutting-edge payment options their customers expect, payment providers must be ready to meet their payment security needs. Managing less mature payment systems by accessing them through highly mature partners (like NMI) is often the best and safest route.
Part 2: Why Payment Providers Must Protect Their Merchants from Cybercrime
Read part two of our cybersecurity month series to learn:
- Why cybercriminals are targeting smaller businesses
- Why payment providers must offer their merchants better protection
- The most important tools for preventing cybercrime (such as tokenization, off-site data storage and more)
- How payments providers can stand out and earn more