Securing the Future: Insights from DevSecOps Expert, Jeremy Smillie

Welcome to another insightful discussion on CloudTweaks. Today, we have the privilege of delving into the dynamic intersection of DevOps, Security, and Tokenization with a seasoned expert in the field, Jeremy Smillie. With over 17 years of IT experience, Jeremy acts as VP of DevSecOps for Exact Payments and is an expert in managing strict industry standards such as SOC, PIPEDA, CCPA, NIST, SANS, CIS, and more.

Jeremy brings a wealth of experience to the table, having been at the forefront of technological advancements in the payments industry. His journey began with pioneering work in Canada, where he collaborated on implementing EMV payments at gas pumps and integrating payments for in-store sales. Furthermore, he played a pivotal role in assisting merchants in achieving PCI-DSS certification during the early stages of its adoption.

Today, we’ll explore Jeremy’s insights into navigating the complexities of DevOps practices while ensuring stringent security measures and leveraging tokenization for enhanced data protection.

Jeremy, with the rise in payment fraud and the projected merchant losses reaching an alarming $362 billion in the next five years, could you start by giving us an overview of the current landscape of payment fraud and why innovative strategies are more critical now than ever?

With digital transactions on the rise and the use of more traditional payment methods such as cash decreasing, fraudsters are finding new and innovative ways to steal money. Unfortunately, new tools used to develop ground-breaking payment technology can also be used for nefarious purposes.

For example, in today’s world, it is relatively easy to spoof almost anything. The standard credit card we have in our wallet has a lifespan of three to five years. Using modern generative AI, it is very easy to create a credit card number generator script that can produce millions of card numbers, easily producing real card numbers over such a long lifespan.

When the fraudster runs test transactions to validate which card numbers are active, merchants are charged transaction fees, chargeback fees, and reversal fees. So even if the test transaction was only one dollar, multiplying these small fees by millions of test transactions adds up to amounts that can put some merchants out of business.

In response, we must go further than standard techniques such as velocity checks and CAPTCHAs.

We must act now to protect merchants from these attacks, developing different strategies that prevent bad actors from being successful.

For example, AI programs can watch over credit card transactions as they happen, checking them against large volumes of past transaction data to find patterns and actions that suggest fraud. This involves noticing strange spending habits, odd places where the card is used, and other warning signs that might show a card has been stolen or misused.

AI can evaluate how different things like gadgets, accounts, and internet addresses are connected to spot complicated fraud plans, like stealing someone’s identity or creating fake identities. This kind of analysis helps find groups of fraudsters and tricky scams that are hard to catch using older methods.
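The card-testing pattern described above (small test transactions, many generated numbers, a fee charged on every attempt) can be picked out of authorization logs by looking beyond a plain velocity count. The following is an added example, not code from the interview or from Exact Payments; the log format, the thresholds and the sample traffic are constructed assumptions:

```python
"""Card-testing detection over authorization logs (added example).

A plain velocity check counts requests per source; card testing also shows
many DISTINCT card numbers, tiny amounts and a high decline ratio from one
source, which is what separates a bot probing generated numbers from a
customer retrying a single card.  Thresholds and format are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP,
# pseudonymous card id (never the PAN itself), amount, authorization result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 card:a1 1.00 DECLINED
2024-03-01T10:00:02Z 203.0.113.7 card:a2 1.00 DECLINED
2024-03-01T10:00:03Z 203.0.113.7 card:a3 1.00 DECLINED
2024-03-01T10:00:04Z 203.0.113.7 card:a4 1.00 APPROVED
2024-03-01T10:00:05Z 203.0.113.7 card:a5 1.00 DECLINED
2024-03-01T10:00:06Z 203.0.113.7 card:a6 1.00 DECLINED
2024-03-01T10:00:30Z 198.51.100.4 card:b1 49.99 DECLINED
2024-03-01T10:01:00Z 198.51.100.4 card:b2 12.50 APPROVED
"""

def parse_line(line):
    ts, ip, card, amount, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "card": card, "amount": float(amount), "result": result}

def find_card_testing(lines, window=timedelta(minutes=5), min_distinct_cards=5,
                      max_amount=5.0, min_decline_ratio=0.5):
    """Return {ip: stats} for sources whose sliding window of small-value
    attempts spans many distinct cards and is mostly declined."""
    by_ip = defaultdict(list)
    for event in map(parse_line, lines):
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1          # slide the window forward in time
            small = [e for e in events[start:end + 1] if e["amount"] <= max_amount]
            cards = {e["card"] for e in small}
            if len(cards) < min_distinct_cards:
                continue            # also skips empty windows (no division below)
            ratio = sum(e["result"] == "DECLINED" for e in small) / len(small)
            if ratio >= min_decline_ratio and (best is None or len(cards) > best["distinct_cards"]):
                best = {"distinct_cards": len(cards), "attempts": len(small),
                        "decline_ratio": round(ratio, 2)}
        if best:
            flagged[ip] = best
    return flagged
```

A hit on a source is a signal to rate-limit or challenge that source and to review the merchant's fee exposure, not proof on its own.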

You emphasize a holistic approach to fraud prevention. Can you elaborate on how this strategy empowers businesses to better safeguard their transactions against the evolving threats in the digital payments space?

Fraud prevention starts from the ground up. All of the applications that are involved in the chain of custody of transactions need to be built with the highest security standards. The entire application supply chain must also undergo constant checks, not only at the time of deployment but throughout its entire lifecycle. The hardware that runs that software needs to be meticulously configured, patched, and validated continuously.

For example, let’s look at a small business that wants to open an online store. Most small businesses are unwilling to spend big money on a venture if they aren’t confident of a positive return. So what do they do? A quick Google search will show them many easy online store options like WordPress, WooCommerce, Shopify, and others. These platforms are easy to set up with intuitive user interfaces and allow businesses to get set up with a payment provider within about a week.

Though these platforms provide an all-in-one solution, there are still security considerations and responsibilities for the business. Leaving their online store on cruise control and not patching the software it runs on can allow attackers a foothold.

For example, if I don’t install updates for my WooCommerce plugin, it is easy for a hacker to target me. They can run a card testing script on my site, racking up transaction fees. Eventually, the real cardholders will start to file chargeback claims, resulting in fees of about $25 per claim. Add these fees to the cost of lost goods or services, and my business could be in real trouble.

This is why businesses must consider security from the onset and build it into every layer of their applications, hardware, people, and processes. Only by thinking of all potential vulnerabilities can businesses prevent attacks.

Employee Training and Fraud Mitigation: You’ve mentioned comprehensive employee training as a key component of your strategy. How significant is the role of employee awareness and training in mitigating fraud risks, and what are some effective practices you’ve implemented at Exact Payments?

Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake. Security isn’t just the job of IT. It is everyone’s job. Every employee needs to be armed to protect the company’s best interests, which is why we invest heavily in training curriculum.

Each employee must take online courses and pass exams when hired, including topics like phishing, social engineering, mobile device safety, and more. Training is even more comprehensive for developers who become well-versed in technologies like encryption, logging standards, PCI compliance, and SANS 25, a list of the top 25 most dangerous coding flaws.

Additionally, we routinely send fake phishing emails to test employees’ security awareness. Each person has a personal risk score that is calculated using a variety of factors such as job title, phishing test results, and completed training. We even have a competition going between departments to see which has the least risk as measured by these scores.

Regarding the use of innovative technologies like low-code payment forms and network tokenization, how do these technologies enhance the security and efficiency of payment processes?

We offer clients the ability to utilize embeddable UI components. This proprietary technology allows developers to build custom payment forms, or low-code forms, using comprehensive documentation and pre-written JavaScript components. This technology, known as ExactJS, allows us to deliver an efficient and straightforward process for developers.

The fields that collect sensitive payment data are hosted by Exact Payments and do not touch the client’s network. By keeping sensitive data off our clients’ systems, we reduce their risk of breach. This also reduces the workload for our clients who must maintain Payment Card Industry Data Security Standards (PCI DSS).

Network tokenization seems to be a ground-breaking method for protecting account holder information. Can you explain in more detail how this technology works and why it’s considered a significant fail-safe against information theft?

In order to understand network tokenization, let me explain tokenization in general. Tokenization is the process of replacing sensitive cardholder data with algorithmically-generated data, so no actual card information is stored or transmitted, only randomized characters.

As opposed to encryption, which can be decrypted with the correct key, tokenization does not allow reverse engineering to obtain the original data from the token. This makes it a more robust method for protecting data at rest.

A significant distinction between a tokenized transaction and a standard credit card transaction is the fraud prevention mechanism—a credit card uses a static CVV, whereas a token uses a dynamic CVV for every transaction.

As a result, payment tokens cannot be used by bad actors in the event of data loss or breach—making this technology a secure means of storing cards for future transactions, as is the case in many subscription-based businesses that process recurring payments.

Different types of tokenization exist, including gateway, processor, and network tokenization. Network tokens are created and ‘issued’ by the bank’s system (via the Visa or Mastercard network) rather than an external party, as is the case with gateway or processor tokens. The bank establishes the relationship between the token and the underlying cardholder account and can track all activity across the token lifecycle.

The end-to-end security journey that network tokenization offers by being issued by Visa or Mastercard greatly reduces the risk of losing sensitive card data due to malware, phishing attacks, and data breaches. Network tokenization replaces card data across the entire payment ecosystem, meaning that the token is only useful to those parties involved in the payment process who have the ability to detokenize the data. Intercepted tokens are nothing more than randomized strings of characters and are meaningless to fraudsters.

Network tokens are also capable of additional security measures such as biometrics, two-factor authentication, and behavioral analytics. This layered approach adds more barriers for a fraudster to overcome.

What’s more, some network tokens are created for single use or have a limited lifespan. Once used or expired, these tokens are invalid for future transactions and limit the opportunity for fraudulent use.
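To make the distinction between a token and ciphertext concrete, here is an added example of a minimal token vault; it is not Exact Payments or card-network code. The in-memory dict, the injectable clock and the merchant binding are assumptions, while the single-use and limited-lifespan behaviour follows the description above:

```python
"""Token vault: what makes a token unlike ciphertext (added example).

A token is a random value that only a vault can map back to a PAN, so an
intercepted token has nothing to decrypt.  The dict-backed vault, clock
injection and merchant binding are assumptions made for this example."""
import secrets
import time

class TokenVault:
    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be exercised
        self._entries = {}      # token -> record; the only place a PAN lives

    def tokenize(self, pan, merchant_id, ttl_seconds=None, single_use=False):
        """Issue a fresh random token.  Tokenizing the same PAN twice yields two
        unrelated tokens: nothing in the token is derived from the card number."""
        token = "tok_" + secrets.token_hex(16)
        self._entries[token] = {"pan": pan, "merchant_id": merchant_id,
                                "single_use": single_use, "used": False,
                                "expires_at": None if ttl_seconds is None else self._now() + ttl_seconds}
        return token

    def detokenize(self, token, merchant_id):
        """Map a token back to its PAN only for the merchant it was issued to and
        only while valid; every failure is a lookup failure, there is no key."""
        rec = self._entries.get(token)
        if rec is None:
            raise LookupError("unknown token")
        if rec["merchant_id"] != merchant_id:
            raise PermissionError("token bound to a different merchant")
        if rec["expires_at"] is not None and self._now() > rec["expires_at"]:
            raise ValueError("token expired")
        if rec["single_use"] and rec["used"]:
            raise ValueError("single-use token already spent")
        rec["used"] = True
        return rec["pan"]

def mask_pan(pan):
    """What the merchant side may keep next to the token: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]

def recurring_billing_demo(vault):
    """A subscription merchant stores a token plus masked PAN and charges with it
    repeatedly; the stored record never contains the card number."""
    pan = "4111111111111111"    # standard test card number, not a real card
    token = vault.tokenize(pan, merchant_id="merchant-A")
    stored = {"token": token, "display": mask_pan(pan)}
    charges = [vault.detokenize(stored["token"], "merchant-A") == pan for _ in range(3)]
    return stored, all(charges)
```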

In our journey through the dynamic realm of data security, my steadfast commitment revolves around the notion that reducing data touchpoints is paramount. Network tokenization emerges as a guiding light in this pursuit, presenting a robust solution to our daily obstacles. The focus extends beyond safeguarding individual pieces of data; it encompasses establishing a secure ecosystem where every transaction is fortified against potential threats.

Challenges in Developing Secure Payment Systems: As the VP of DevSecOps at Exact Payments, what are some of the biggest challenges you face in developing and maintaining secure payment systems, and how do you address these challenges?

The first major challenge that I faced was employee adoption. It took about a year to get the development team on board with a security-first approach to design and coding. I believe the easiest part was finding vendors with solutions that integrate well into the software development lifecycle.

But when it comes to maintenance, we are challenged with constant supply chain management where dependencies are constantly flagged as vulnerable. In security and secure coding, when a dependency is found to be vulnerable, it is not just a simple update to the latest and greatest version and ship it out. We need to research the vulnerability, how the vulnerability is executed, and if we have any process flows that execute the vulnerability.

If we do, then the investigation goes back even further. In this case, we need to know how long the vulnerability has existed and if it was ever executed. Then we perform an entire historical search to see if we were ever compromised by this dependency. With modern languages, the code dependencies equate to 90% of all of the code, while only 10% is uniquely developed.

With the growing trend of online shopping, how has the need for robust security measures in the digital payment space evolved, and what steps are being taken to meet these new demands?

The payments industry is not standing still. We holistically have the goal to protect our merchants and their customers. Just as we have transitioned from physical cards and static card numbers to the use of digital wallets and dynamic virtual card numbers, we’ve seen new and improved security technologies come to the aid of merchants.

In recent years, we’ve seen the inclusion of biometric security methods to protect digital wallet use. In terms of authentication, protocols like 3D-Secure and 3D-Secure 2.0 lead the way with more data points used to confirm cardholder identity in near real-time. Protecting data at rest and in transit has evolved beyond encryption to various forms of tokenization, with the latest and most secure being network tokenization. As long as criminals are defrauding cardholders and merchants, the payment security industry needs to work to stay one step ahead.

You advocate for a ‘security-first’ principle in development processes. Could you explain what this principle entails and how it’s integrated into your team’s workflow at Exact Payments?

We live by the security-first principles, also known as “shift-left security.” These refer to the philosophy and practice of prioritizing security in all aspects of business operations, especially in the development and deployment of IT systems, software, and services. This approach involves integrating security considerations into every stage of decision-making, development, and operational processes.

Over the years, I have developed a shift-left security culture with my development team. Practically, this means training them on the best secure coding practices and arming them with the tools to detect vulnerabilities in their code in near real-time. This prevents vulnerable code from being committed to our code repositories—91% of all vulnerabilities are fixed in the developer’s IDE before being committed to the repository. By using this process, we have increased the speed of development versus going back to fix vulnerabilities before deployment, and our fix rate is 99%, which is 40% higher than companies that fix at the end of the development cycle.

The developers learn instantly what is right and wrong in terms of security, and they are less likely to make obvious mistakes moving forward. Additionally, when we follow our deployment pipeline, we ensure no vulnerabilities enter the environment.

Our developers are grateful and enjoy the processes and procedures we have for application development. Additionally, as we prioritize security, we factor in the necessary time for it within our project estimates. By implementing shift-left, we start on the right foot and far exceed any compliance standard.

Looking towards the future, what emerging technologies or strategies do you believe will play a crucial role in further enhancing payment security and fraud prevention?

Preventing fraud with authentication is one of the biggest opportunities to stop bad actors. Technologies such as biometrics and the secure enclave on our mobile phones combined with modern payment methods like digital wallets are the way of the future.

Using biometrics and a device’s secure enclave essentially links us to our mobile phones. Your face or fingerprint is stored in the secure enclave inside the phone and cannot be retrieved. So, your mobile device becomes an extension of your identity.

Further, combining mobile device security with modern payment methods such as digital wallets means we simply don’t have to send credit card information to complete payments. When you load a credit card into your Google or Apple wallet, it becomes a network token with dynamic attributes and a limited lifespan. Each time a transaction happens, a new CVV is generated.

This makes it infinitely more challenging for a fraudster to come up with valid card numbers to exploit. Without static numbers, expiration dates, and CVVs, the typical credit card script will no longer work.

Network tokens are also unique to the merchant or provider that issued them, meaning if Apple Pay generated the token, it can only be used for Apple Pay purchases.

Finally, network tokens cannot be decrypted and contain effectively useless data for fraudsters. With no actual numbers sent in transit or stored, the chance of a breach is almost eliminated.

Advice for Businesses and Consumers: Finally, what advice would you give to businesses and consumers to help them stay ahead of payment fraudsters and protect their financial transactions in this rapidly changing digital landscape?

For businesses managing numerous recurring payments, I highly encourage you to tokenize your card data. Engage in discussions with your payments provider to explore available options. If available, consider activating additional security protocols during authentication, such as Visa and Mastercard’s 3-D Secure.

For new business owners venturing into online payment acceptance, thorough research is essential. Embracing online payments becomes less daunting when you prioritize security measures and allocate resources for updating your website’s software and dependencies.

Lastly, your payment provider consistently works towards fraud reduction, regularly releasing updated versions of their APIs or dependencies. Invest time reviewing their release notes to understand the reasons behind product updates, as they might introduce features that could lead to significant cost savings for your business.

——————————

In closing, Jeremy’s insights shed light on the critical nexus of DevOps, Security, and Tokenization in payments. His proactive approach and practical advice, from tokenizing card data to embracing additional security protocols, offer businesses and consumers actionable strategies for safeguarding financial transactions in the digital landscape.

By Randy Ferguson