Strengthening Cybersecurity and Mitigating Financial Crimes in a Cashless World

What has the CrowdStrike incident, which caused a global IT outage affecting millions of devices, taught us, and what steps need to be taken to ensure a secure payment landscape?

Sarah Koch, director of marketing and communications at Aevi, a platform provider for in-person payment orchestration, delves into the vulnerabilities exposed by this global IT failure.

She examines how the incident revealed critical weaknesses in payment infrastructure worldwide and discusses how businesses can fortify their systems to prevent future disruptions, ensuring that digital transactions remain secure and resilient in an increasingly cashless world.


Only two months ago, we witnessed the biggest global IT outage in history. With nearly nine million devices hit, digital transactions were affected worldwide, leading both individuals and businesses to revert to cash.

This incident has highlighted weaknesses within the global digital payments infrastructure, an infrastructure that is more critical than ever as use of cash continues to decline.

CrowdStrike: A wake-up call

On 19 July 2024, a faulty software update from cybersecurity company CrowdStrike hit 8.5 million Microsoft-powered devices, causing a ripple effect through global IT systems that eventually crippled both software and physical devices far beyond the one per cent of Windows devices that were initially impacted. Crucially, payment systems all over the world reported failures, with damages counted across sectors ranging from retail to banking.

This was a stark reminder of how our globally interconnected systems can succumb to ripple effects, eventually leading to widespread disruption. It is a wake-up call for businesses, which need to ensure that critical digital infrastructure such as payment systems is secured against cyber threats.

Although this outage, and the sheer scale of it, showed us how vulnerable global systems are to cyber threats, this is not an isolated incident: a significant number of cyber threats, both accidental and deliberate, are unfolding all the time, causing massive disruption to individuals and entities alike.

Beyond CrowdStrike: The dangers of outdated infrastructure

This will come as no surprise, but the CrowdStrike incident is not the first time the payment industry has faced disruptions. Although smaller in scale, some notable examples include:

The 2022 terminal provider outage in Germany, which affected major retailers such as Aldi, Netto and Rossmann
The 2024 three-hour payment system outage in the Netherlands which hit around 40% of PIN-based transactions
Another 2024 UK system outage, which occurred shortly before CrowdStrike, first led retailers to approach card transactions with caution

All the above-cited incidents had one underlying cause: an excessive reliance on rigid, inflexible systems that are ill-suited to today’s technological speed. Traditional payment terminals, designed decades ago, are not insecure per se, but they lack the flexibility and resilience needed in our highly connected world.

These systems’ designs are also very complex, which is why many merchants have to rely on third-party providers to handle most of their security protocols. This is especially true for small and medium-sized enterprises, which may not have the resources to employ their own IT department to handle system faults or malfunctions.

What can the in-person payment industry learn?

Probably the most evident learning from the recent CrowdStrike incident is that software updates should first be tested on a limited number of systems before being incrementally rolled out to others.

However, a less obvious takeaway concerns an inherent design challenge in these processes: an over-reliance on a handful of core providers. The excessive concentration of executive control and the rigidity of their processes can lead to single points of failure that, when compromised, can bring the entire payment process to a halt. So what do we mean by ‘process rigidity’?

Take, for example, the terminal and the processor: communication between them is a one-way street, and if either experiences a fault, the entire non-cash transaction is no longer available.

It follows that the industry must diversify to offer more choice in payment systems, democratising access and distributing ownership. Such players can provide a highly flexible system that allows payments to flow quickly no matter what method is used whilst still being secure.

Solutions like SoftPOS (Software Point of Sale) are able to turn devices like our smartphones into payment terminals and provide greater flexibility; however, they introduce security risks, including data breaches and malware.

Moving towards more secure in-person payments

In order to strike the balance between ‘openness’, flexibility and security, we need to focus on compliance and adopt high security protocols. Adhering to PCI DSS standards – through encryption, secure authentication, and device security – is crucial for mitigating these risks and ensuring safe transactions.

Point-to-Point Encryption (P2PE) secures card payments by encrypting sensitive data from the time of transaction until it reaches the payment processor, preventing interception by third parties. This also simplifies PCI compliance, and ensures that merchants never store cardholder data, making it essential for secure, in-person payments.

Crucially, in order to secure and modernise the payment infrastructure, in-person payment orchestration allows for more flexibility in choosing terminal providers and payment methods. Its managed micro-service architecture and open standards like ISO 20022 are able to reduce outage risks while empowering companies to efficiently manage devices and ensure seamless, secure transactions.

To conclude

There is no doubt that the future of payments is digital, but diversity and resilience are the only ways forward if we want our future transactions to be highly secure. However, in striving for much-needed cybersecurity, businesses should not compromise on the benefits of an open world in which they can operate easily across multiple jurisdictions and utilise many different payment methods, as this makes life easy for businesses and their customers.

The post Strengthening Cybersecurity and Mitigating Financial Crimes in a Cashless World appeared first on The Fintech Times.