Making online payments secure is not just about fighting fraud – it also makes
good business sense, says APACS’s Head of Security Colin Whittaker.
The defeat of fraud, as the banking sector migrates to conducting more and more payments
online, is of critical concern to the industry and the consumer. Colin Whittaker is confident
that the industry is up to this challenge: no bank’s payments systems have been cracked. ‘I
don’t believe anyone has ever broken into a payment system. I am not being glib by saying
that, just honest. Security is the primary asset in the banking industry.’
APACS has a major programme to keep abreast of potential new risks. It does,
however, face the problem that the technological environment is always changing, with the
goalposts continually being moved: ‘We are always having to appraise what new threats are
out there and what assets need to be protected.’ Whilst it is easy to see how threats change
over time, it is also important to recognise that the types of assets that need to be protected
can change over time as well. For instance, customers’ details and accounts have become a
critical asset for the industry to protect with the implementation of the Data Protection Act
1988.
Some of the risks the industry itself can’t do anything about. Instead, they have to rely
on business to act in an appropriate manner: ‘Some SMEs deal with their payments in the
same way as consumers – with credit cards and debit cards – and so face the same obligations
and risks as consumers do with their cards.
As these businesses increase in complexity
and size they face new challenges, especially from staff. They start becoming vulnerable to
insider risks.’
Businesses use a range of payment systems and vehicles provided by the banking
sector. These are being enhanced to action payments between businesses and between businesses
and consumers in an online environment. Commercial online banking is similar to
retail banking, only more sophisticated and with more services and capabilities. Colin says:
‘Businesses are being delivered a product that has security at the heart of it, but we must
recognise that they are potentially being operated in an insecure environment. Businesses
must be prepared to secure their own IT environment with as much attention as a consumer
secures their own debit and credit cards in their wallet.’
There is a lot of guidance on internal controls such as the international security
standard BS 7799 (www.ukonlineforbusiness.gov.uk/inforsec). This helps identify risks for
business – whether they are physical or procedural. There is a whole raft of technological
strategies that businesses can use to secure their electronic environment, such as firewalls and unique user passwords, which are discussed elsewhere in this article. Card schemes such
as Visa and Mastercard have also produced guidelines on, for instance, how to store
customer information. The DTI is also developing a website to provide guidance to SMEs
through the main UK Online for Business website: www.ukonlineforbusiness.gov.uk.
APACS is supporting the development of this website.
Colin says that the key for businesses (particularly those at the smaller end of the SME
scale) is to weigh up the risks of a security breach compared to the assets that may be
compromised. How business manages and implements security as it applies to their online
payment systems is critical.
This boils down to balancing personnel measures, such as how
employees are recruited and trained; procedural measures, such as the management of
employee accounts, passwords, and how often systems are reviewed and audited; and technical
measures such as patch updates and antivirus products to achieve cost-effective
security.
‘Companies have to delve into the costs and benefits and make their own judgement
call. They have to think about the broader costs and benefits vis-à-vis the fraud cost. It is too
simplistic to say that security measure “A” counters fraud “X”. Many security measures may
also act to streamline, simplify and cut overheads.’ He says that security can enhance the
business, and this should also be taken into account when making decisions about security.
For instance, with secure online banking a company can look at its cashflow on a daily basis
and can see when it is more prudent to invest or when it is a good time to make particular
payments. There is also the time saved. So security should be part of broader business decisions.
On the horizon Colin sees the NewBACS programme, which is upgrading and
modernising the direct debiting and standing order processing payment systems, having
wider applicability than the current system, which will make it more useful for smaller
companies and SMEs: ‘As the technology and security enhances there will be a lot more
benefits to SMEs.’
The growth of plastic card payments, once they have been made more secure, will lead
to savings for smaller SMEs who might normally use cheques for payments. Colin says:
‘The SME sector is one with a surprisingly high reliance on cheques. One of the reasons
often given is the need for accountability, with many companies requiring two people to
sign a cheque to make it valid.
However, in order for SMEs to achieve savings from using
plastic payment cards they will need to determine what levels of internal accountability and
trust their businesses need.’ He says the industry is already rolling out plastic payment cards
that contain smartcards that will enhance their security for payments and other banking
applications: ‘The industry is examining low-cost hand-held devices that can use these
cards to generate one-time-only passwords, or offer a challenge and response mechanism
that could be used in a range of financial applications. These devices are as small as the
credit card itself.’
But it is not all rosy in the field of online payments and banking: businesses and
consumers must continue to be vigilant, because as soon as technology becomes available to
improve security, people, ironically, set about trying to break these new secure systems: ‘Attackers have
become a lot smarter and we have to stay one step ahead of them. The technology they are
using has become more capable and powerful. At the same time the level of complexity and
sophistication of systems in day-to-day use by consumers and businesses continues to
increase, unfortunately, because of this complexity, with hidden and unknown vulnerabilities
that may only be exposed at some time in the future.’
APACS is the UK trade association of banks and building societies that exchange
payments on behalf of their customers. It also has responsibility for the co-operative
aspects of money transmission and other payments-related developments.
For further information contact: Association for Payment Clearing Services,
Mercury House, Triton Court, 14 Finsbury Square, London EC2A 1LQ. Tel: +44
(0)20 7711 6200; Fax: +44 (0)20 7256 5527.