Mike Vergara, vice-president of consumer risk management at PayPal, led 25 security and risk professionals in a discussion about risk in the payments world as part of the Peer-to-Peer discussion at RSA Conference 2015 in San Francisco. Below are Vergara's notes from the session.
The attendees of "Misconceptions of Risk in the Payments World" provided a lively discussion, and we all came away with new views on security when it comes to the future of payments.
Twenty-five security and risk professionals discussed emerging payments. We talked about Amazon Marketplace and how, in the future, we will have refrigerators that know when an item needs to be replaced and will be able to order it for consumers and pay without anyone lifting a finger.
Payments are everywhere – so how do we mitigate risk when there are so many risk factors? In a world where a ton of information is already out there, and the volume is growing every second, it takes a multi-tiered approach. Many pointed out that there are different risk profiles for each device used. The actions taken for a mobile device are much different than those taken on a traditional computer.
We also discovered a fact about fraud in the payments space. Fraudsters will go after the weakest link, and sometimes that weakest link is the banks. We’ve moved away from having to actually be in the bank to verify transactions. Regardless of the method, we have to assume customer information is already out there, and plan to protect that information and protect our customers.
Speaking of customers, customers drive the market. And customers want convenience. They don’t want two-factor authentication. While it might be easier as security professionals to instate two-factor authentication when possible, the business will suffer. We have to find innovative solutions that only require one factor of authentication. Or better, have seamless payments. The room agreed – that is where the future is headed.
When moving towards a more seamless payments experience, there are methods that can offer more security without sacrificing convenience. However, we can offer methods all day, and it won’t matter – we need people to adopt the methods.
The session ended on an interesting idea – payments are becoming invisible. And while this is exciting, it also opens up a myriad of risk concerns.
Overall, the session had a direct takeaway to everyday life: we have to do our due diligence. Unfortunately, breaches are inevitable, so as members of the security space, we need to take all of the necessary steps to prevent data breaches, but also be prepared and have plans in place for when they do happen.