Securing the cashless economy
1. Agile security practices: For financial services players, faster development and roll-out of services will be a critical success factor. Accordingly, all technology development and refresh will be delivered using an agile development framework. Security in this context can no longer be a standalone post-facto toll gate. Security assessment and testing will need to be embedded into the agile development life cycle. Agile security testing methods based on automation will have to be adopted. In many ways, a paradigm shift is needed in the way security testing is undertaken today.
2. Securing the hyper-interfaced environment: The new era will call for hyper-interoperability across different value chain players. In order to enable this, each ecosystem player will need to create multiple application programming interfaces (APIs). While this will deliver a seamless experience to the customer, there is also a risk of malware injection through such APIs. With faster proliferation of interfaces, protecting APIs will become critical to ensure malware and persistent threats do not propagate through such untrusted/untested APIs.
3. Next generation authentication: In the new cashless world, frauds will be driven mainly by impersonation and will become a daily affair. Accordingly, the need for stronger authentication of transactions will gain significance. The current techniques of authentication based on location and timing will no longer be adequate. Adaptive authentication will need to be embedded into the heart of transaction processing. Next generation authentication will use triangulation techniques while considering larger data sets including the nature of transaction, merchant type and transaction channel.
4. Protecting context-rich personally identifiable information (PII): The new generation data marts will not be limited to traditional transactions and account-related information but will have enriched data insights such as spending patterns, patterns of digital platform usage, preferences and other person-specific information sets. In an integrated ecosystem, such data sets may be stored, transferred or shared with third parties for revenue generation opportunities. Both regulators and organisations will be obligated to invest in strong processes and technology to prevent the misuse of context-driven rich PII. While traditional controls such as data masking and encryption will need to be enhanced, capabilities to hunt down any misuse of PII will have to be built by organisations.
5. Security of the new perimeter—mobility: In the new digital/cashless economy, mobility-based solutions will continue to gain prominence and, hence, security concerns will no longer be limited to the organisation architecture boundaries. Mobility will form a new perimeter of the organisation. In order to ensure endpoint security, containerised apps with built-in advanced persistent threat (APT) capabilities will have to be developed. Controls for in-memory data and additional controls like device certification will be considered. To ensure security of data in endpoints, there may be a requirement for guidelines to define the kind of sensitive data that end devices retain. Hence, the next generation financial infrastructure may involve the adoption of advanced end-user device management solutions.
6. High velocity identification, containment and eradication: Each consumer today is using multiple platforms and using services across the ecosystem. Any threat that impacts such a user can potentially proliferate and bring the entire financial services ecosystem to a standstill. As the ecosystem continues to be interconnected and overlapping, cybercriminals will try to exploit possible lapses and, hence, strategies need to be built to deal with such eventualities. Given this interdependence on all the players of the financial ecosystem, it becomes crucial to identify any anomaly at a pace which mirrors real time or near real time. Once an anomaly is identified, containing it is of paramount importance before it spreads and crosses a point where the damages have transcended organisational boundaries and services. Response strategies will have to be quick and customised to meet various incident scenarios based on situational awareness. Further, these strategies will have to be orchestrated across an organisation's own infrastructure and encompass various digital partners and other stakeholders.
7. Augmented ecosystem control: The new age enterprises will adopt the cloud for faster roll-out and to address non-linear growth. Technology partners could include start-ups, garage shops and large conglomerates, who come together to deliver end products. The security boundaries of the various players will be extended to end users, third parties and other ecosystem partners. Security controls will no longer be defined in contracts limited to uptime and resolution of vulnerabilities, but will actually be embedded in the partner ecosystem. The process for monitoring of parameters will also have to be integrated with the company’s incident response framework.
8. Ubiquitous awareness: The cashless economy means that the stakeholder community will now not just be limited to internal stakeholders but will also include external as well as peripheral stakeholders (like merchants). With the influx of first-time users, users from various linguistic and ethnic groups and users of different channels, the soft targets will be multifold. The awareness theme for tomorrow will thus be multichannel, multilingual and multicultural, and hence go beyond the scope of traditional programmes. Regulators may have to start thinking across industries and develop awareness programmes that address this need. Social media can be a key enabler to propagate awareness.
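
Added example for item 3, not part of the original report: adaptive authentication that scores a transaction on location and timing together with the nature of the transaction, merchant type and channel, then allows, steps up or denies. The profile fields, weights, thresholds and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """Per-customer baseline learned from past transactions (constructed sample)."""
    usual_cities: set
    active_hours: range      # hours of day the customer normally transacts
    typical_amount: float    # median amount of past transactions
    merchant_types: set
    channels: set

@dataclass
class Txn:
    city: str
    hour: int
    amount: float
    merchant_type: str
    channel: str

# Illustrative weights and thresholds (assumptions, not values from the report).
WEIGHTS = {"location": 25, "timing": 15, "amount": 25,
           "merchant_type": 20, "channel": 15}
STEP_UP_AT, DENY_AT = 40, 80

def risk_signals(p: Profile, t: Txn) -> dict:
    """Flag each independent signal that deviates from the baseline."""
    return {
        "location": t.city not in p.usual_cities,
        "timing": t.hour not in p.active_hours,
        "amount": t.amount > 5 * p.typical_amount,   # nature of transaction
        "merchant_type": t.merchant_type not in p.merchant_types,
        "channel": t.channel not in p.channels,
    }

def decide(p: Profile, t: Txn) -> tuple:
    """Triangulate all signals into (action, score, fired_signals)."""
    fired = [name for name, hit in risk_signals(p, t).items() if hit]
    score = sum(WEIGHTS[name] for name in fired)
    if score >= DENY_AT:
        action = "deny"
    elif score >= STEP_UP_AT:
        action = "step_up"   # require an additional authentication factor
    else:
        action = "allow"
    return action, score, fired

# Constructed sample data.
profile = Profile({"CityA"}, range(8, 23), 1200.0,
                  {"grocery", "fuel"}, {"card_pos", "mobile_wallet"})
routine = Txn("CityA", 13, 900.0, "grocery", "mobile_wallet")
# Passes a location-and-timing check, but the other signals disagree.
odd_purchase = Txn("CityA", 14, 45000.0, "jewellery", "web")
takeover = Txn("CityB", 3, 45000.0, "jewellery", "web")
```

The `odd_purchase` case is the one item 3 is concerned with: location and timing look normal, and only the additional data sets trigger the step-up.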