The global financial technology (FinTech) industry is expected to reach $324 billion by 2026. This growth is fueled by skyrocketing e-commerce demand, the rise of social commerce, and the growing number of technologies and cryptocurrencies available. Technologies such as APIs, AI, blockchain and distributed computing are integral to this growth. FinTech companies can enable more convenient transactions as well as wider options and better visibility into asset management. Developed correctly, FinTech applications can greatly improve the security of financial assets. But what about the application security of the FinTech software itself? What best practices can help ensure peak security in these fast-growing, ever-lucrative tools?
Wealthsimple, GoFundMe, PayPal, and Stripe are a few notable examples of FinTech companies. As the industry grows, so do risks associated with data protection and privacy. A famous example is the Equifax breach in 2017 in which personal information from 143 million US accounts was stolen via an expired encryption certificate and an unpatched known vulnerability in their website. Another example is the PayPal phishing scheme in early 2021 which attempted to impersonate the company and warn users that they needed to verify their identity.
Companies entering the FinTech space need to be aware of the security risks affecting their applications. One step toward identifying known areas of vulnerability is understanding regional compliance requirements. While most regulations and policies don’t outline specific steps to mitigate risks, they do provide some direction on the types of data protection and privacy policies that need to be in place.
Below are some of the most well known regulations and policies to be aware of (please note: this is a non-exhaustive list and FinTech companies should research their own regional requirements):
The GDPR (General Data Protection Regulation 2016/679) controls data protection and privacy in the EU and EEA.
PIPEDA (Personal Information Protection and Electronics Documents Act) is a Canadian regulation on data privacy. Canada was one of the earlier countries to enact this kind of legislation, having enacted PIPEDA in 2000.
CCPA (California Consumer Privacy Act 2018) is a regulation specific to the state of California. It outlines the controls that consumers in California have over the information they share with a company. Under the CCPA, FinTech companies need to be extremely cautious when handling PII, including social security numbers, government-issued document numbers (i.e., driver's licenses or passports), financial information, access credentials for financial accounts, and any biometric data tied to the account.
PCI DSS (Payment Card Industry Data Security Standard) is an international information security standard that applies to any merchant, of any size, that accepts credit cards.
ISO/IEC 27001 is an international standard on information security management which further breaks down into over a dozen standards in the ISO/IEC 27000 family.
Once aware of the standards for data protection and privacy, FinTech companies should take an active approach to securing their data. Below are three best practices that FinTech companies should be employing.
Data encryption is beneficial when compliance requirements determine specific sets of data that need to be secured. For example, the CCPA states that when a data breach occurs, any stolen PII must have been in non-encrypted and non-redacted form for a consumer to be able to sue a business.
Many believe that data encryption is binary. Encrypted? They’ll think you’re fully secure. Not encrypted? They’ll think you’re fully at risk.
In reality, data encryption can be employed at four different layers: disk, file, database, and application.
Encrypting at a higher level secures more layers and boosts the application security. As such, encrypting the application layer actually encrypts data across multiple layers, including the disk, file, and database layers. While this does improve security, it also increases deployment complexity. Appropriate development effort is needed to successfully integrate data encryption at the application layer.
In addition to data encryption at the application layer, tokenization and format-preserving encryption can also be beneficial solutions.
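As an added example (not code from the original article), the following Go program shows what application-layer encryption of a single record field looks like in practice: the value is sealed with AES-256-GCM before it is handed to the database driver, so the disk, file and database layers below only ever hold ciphertext, and any tampering with the stored value is detected on read. The key, the field values and the record identifier used as associated data are constructed for illustration; key management is assumed to live elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newAEAD builds AES-256-GCM from a 32-byte key (KMS/HSM and rotation assumed).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one record field before it reaches the database driver,
// so the disk, file and database layers below only ever hold ciphertext.
// aad binds the value to its record and column, so a ciphertext copied from
// another row will not decrypt in place of this one.
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; a modified value or wrong aad returns an error.
func DecryptField(key []byte, encoded, aad string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	n := aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, ct[:n], ct[n:], []byte(aad))
	return string(pt), err
}
```

Tokenization and format-preserving encryption, mentioned above, are alternatives for fields that must stay searchable or keep their original shape; they are not shown here.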
Role-based access control (RBAC) is one of the most popular approaches to advanced access control, as it restricts access based on a user's role within the organization. As such, only designated members can see the sensitive data that is relevant to their work. Common RBAC roles include billing access for accounting teams, technical access for IT teams, and administrative access, which usually offers full access to the system.
For PHI and PCI data compliance, properly implementing RBAC prevents sensitive data exposure to unauthorized users. As one of the OWASP Top 10 security risks, broken access controls can lead to unauthorized administrative host/application access, which is a critical-level vulnerability.
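The following Go program is an added example, not code from the original article, of the RBAC model described above: a single deny-by-default role-to-permission mapping for the accounting, IT and admin roles, a server-side check that takes roles only from the login session, and, for contrast, the anti-pattern behind broken access control findings, where a role claimed by the client is trusted. Role and permission names are assumed for illustration.

```go
package main

type Permission string
type Role string

// rolePerms is the single authoritative role-to-permission mapping; anything
// not listed here is denied, so new actions stay closed until granted.
var rolePerms = map[Role]map[Permission]bool{
	"accounting": {"billing:read": true, "billing:write": true},
	"it":         {"system:read": true, "system:configure": true},
	"admin": {"billing:read": true, "billing:write": true, "system:read": true,
		"system:configure": true, "user:manage": true},
}

// Session holds the identity and roles established at login, server-side;
// handlers must never take roles from the request itself.
type Session struct {
	User  string
	Roles []Role
}

// Allowed is deny-by-default: an unknown role or unlisted permission is false.
func Allowed(s Session, p Permission) bool {
	for _, r := range s.Roles {
		if rolePerms[r][p] {
			return true
		}
	}
	return false
}

// Authorize is the check every handler runs before touching sensitive data;
// it returns the HTTP status the caller should send.
func Authorize(s Session, p Permission) int {
	if Allowed(s, p) {
		return 200
	}
	return 403
}

// BrokenAuthorize is the anti-pattern behind many OWASP broken access control
// findings: it honours a role the client put in the request, so any caller can
// assert "admin". Kept only to contrast with Authorize.
func BrokenAuthorize(claimedRole Role, p Permission) int {
	return Authorize(Session{User: "unverified", Roles: []Role{claimedRole}}, p)
}
```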
Security testing through both manual and automated approaches is beneficial for ensuring the security of your application. Having proof of your security is needed for earning compliance, securing investor appeal and closing enterprise deals.
Some common testing forms include:
Here is a short guide to compare various testing options. When considering a testing option, consider factors such as:
FinTech is booming, but continued growth can only happen with applications that are secured against bad actors. Growing risks in unauthorized access, security misconfigurations, data integrity failures and identification failures can all slow the growth of FinTech applications that are trying to make their place in the market.
The best approach is starting security practices early, and revising them often. Attackers are creative and often find new, impactful ways to breach a system (hello, Log4J).
Talk to us about penetration testing, and how we can keep your application secure year-round against top vulnerabilities.