There is a disconnect between businesses and security professionals. Business teams tend to tiptoe around the security talk, speaking in almost hushed tones about compliance, IS frameworks and authorization. The primary role of the business lead is to work with the development teams and get a product into the market as soon as possible. The primary role of the security team is to ensure that the development teams have employed security best practices from the get-go. After all, it’s a lot easier to build from scratch than to renovate.
Disruption refers to a change in behavior. Behavior is steadily changing when it comes to payments, but the concerns and fears surrounding security remain the same: who has access to your sensitive information, whether it can be manipulated, and what kind of financial security you have overall. Service providers across this entire ecosystem have a role to play in ensuring that they have completed their due diligence and are bringing you a product or service that meets the highest technical and ethical standards.
Faiz Ahmad Shuja, a cybersecurity expert and CEO of Rewterz, says that the only way to secure users and their devices is by making them more aware: aware of scams, phishing hacks and other behavior that attacks the weak human element in the mix. “The service providers don’t claim responsibility for any data or financial loss incurred to the customers while using online apps and payment portals,” says Faiz. This is a big part of why people are just more comfortable paying with cash – they don’t trust payment providers with their personal data.
Payments depend on a secure technological infrastructure. Banks have been facilitating online payments for quite a while, in that they have a robust infrastructure and their installations are relatively secure. To expand payment options from traditional to digital, traditional players have to be able to facilitate innovation and disruption by the fintechs.
Faiz says, “Their focus is more towards the feature set and launch of the app, but startups don’t give security best practices as much attention as they should in their initial development stages. Security is something that is an afterthought for them. Initially they don’t want to invest much on security.” And without regulations to, well, regulate startups and make them follow security standards, the product rollout for market testing and feedback becomes a key benchmark that has to be met in the shortest possible time.
Because it is a regulated industry, there is a lot more clarity about where a traditional financial institution stores its KYC information; in the case of a fintech and its powerful app, this location seems to be at the discretion of the company itself. SBP is mulling over a regulation in this regard which will bind companies in Pakistan to store all confidential and financial data on locally hosted cloud platforms.
Banks should carry out a security audit of the fintech they are partnering with, as they are bound to abide by the security protocol devised by the SBP. According to Faiz, “Many fintech startups are weak in terms of security because they don’t think about security at the time of developing an app. There are always best practices associated with security and if followed, they will be secure by design. Security concerns seem to begin when the customer starts interacting with the app. This is unhealthy for growing the user base and harms user confidence in the ecosystem.”