Welcome to the PayFAQ Embedded Payments podcast brought to you by Payrix. As payments and software experts that eat, sleep, and breathe Embedded Payments, we’re as passionate about you as you are about your customers. Each podcast episode will provide insights about Embedded Payments designed to help you feel the transformation and growth of your software business. You’ll learn from industry experts, Payrix customers, and leaders on the Payrix team about the latest trends, best practices, and real-world guidance from payments experts to help you take your software platform higher.
Bob Butler
Hi, everyone. Welcome to the PayFAQ: Embedded Payments podcast brought to you by Payrix. I’m your host Bob Butler. And today I’m going to be talking with Jack Tsigankov, Director of IT and Information Security, all about the importance of information security. Hi Jack, welcome to the show.
Jack Tsigankov
Hi, Bob. Thank you for having me on the show. It’s a pleasure to be here.
Bob Butler
It’s really great to have you here today. Jack, can you tell the audience a little bit about yourself and your software and payments background?
Jack Tsigankov
Sure. As the Chief Information Security leader at Payrix, I oversee end-to-end security, including business resiliency, IT operations, cybersecurity, data privacy, and secure software and product development. My journey in the software and payments industry began over 17 years ago. I started as a software engineer, and I’ve had the privilege of working with both startups and well-established organizations like JP Morgan Chase, Barclays Bank, and IKEA, which has provided me with a broad perspective on information security across various sectors, including payment processing, ecommerce, and retail.
Bob Butler
Well, let’s dive into some data talk. Give us an overview of the world of information security and the importance of that.
Jack Tsigankov
Sure. So, information security is absolutely paramount in today’s digital world, particularly in the payment industry. It revolves around safeguarding sensitive data from unauthorized access, unauthorized disclosure, and any alteration or destruction. And the significance of information security cannot be overstated. It’s not only about customer data, but also about our company’s trust and credibility. It’s worth mentioning that it’s a very continuous process that involves constant risk assessment, threat mitigation, and compliance with industry standards and regulations.
Bob Butler
Jack, can you talk a little bit about the risks associated with not making information security a priority? Tell us about what you see and hear not only in your role, but just as you act in the industry?
Jack Tsigankov
Yeah, sure. So neglecting information security can lead to severe consequences, and in my role, I often encounter the potential risks linked to a lack of prioritization of information security. These risks most often include data breaches, financial losses, and legal liabilities; it also involves reputational damage and loss of customer trust. In fact, if we look at the Identity Theft Resource Center Data Breach Report that was conducted in 2022, there were around 1800 publicly reported data breaches in 2022. And it did impact over 420 million people. And this is an increase of more than 40% from the previous year, 2021. The average data breach cost reached an all-time high in 2022; it was around $4.3 million. And this is relatively reliable information provided by the IBM Data Breach Report. And what’s fascinating is that compromised credentials accounted for almost 20% of those data breaches. And the average cost for those data breaches was around $4.5 million. So given the evolving sophistication of cyber threats and attacks that are constantly happening across merchants and the financial industry, staying vigilant and proactive in safeguarding sensitive information is an imperative.
Bob Butler
Well, if you think about our business, and we deal a lot with software companies and partners, can we talk a little bit about why data security and information security should be important to them?
Jack Tsigankov
Yes. Data security and information security are not just important but absolutely critical for our partners in the payment industry. Our partners handle sensitive financial information, and any breach or compromise could have far-reaching consequences. Prioritizing information security not only protects our customers but also ensures our partners’ sustainability and compliance with regulations like PCI DSS (and PCI DSS stands for payment card industry standards). To be honest, it’s not just a necessity, it’s a competitive advantage and the foundation for long-term success.
Bob Butler
You mentioned account takeover in one of the previous questions. But what are the top causes of breaches and your recommendations on how you might want to prevent them?
Jack Tsigankov
The leading causes of data breaches often include human error. It all starts with a phishing attack, or it can be malware, it can be weak passwords, or vulnerabilities in the actual software or the system that the end user is using. To prevent them, it’s crucial to implement a multi-layered security approach. This includes conducting employee training and awareness programs, implementing robust access controls, regularly updating software, employing strong encryption methods when you store the data in a database or while a user is using an application, and continuously monitoring for suspicious activities. Additionally, conducting regular security audits and penetration testing (you can hire an external team that can come and try to test your environment) can actually help to proactively identify and address vulnerabilities.
Bob Butler
What would you recommend when a company is out there developing a robust information security policy?
Jack Tsigankov
Developing a robust information security policy is pivotal, and it should commence with a clear understanding of organizational assets and the data it tries to protect. The policy should outline the roles and responsibilities, define security measures and controls, and provide guidelines for incident response. Regular training and awareness programs should actually be an integral part of this policy to keep employees informed and prepared. Moreover, I would like to recommend the top 10 security controls, which include: manage access, control and monitor access for all users, and regularly review the permission levels. Use strong password management tools like LastPass, or 1Password, or any other tool that you like. Increase employee awareness of cybersecurity threats, and actively train them on a daily basis. Try to keep all the systems up to date, and configure automated updates. There are also tools available out there in the market called BigFix or Automox that will help you to automatically push updates to the end user machines. Establish a robust cybersecurity policy tailored to the departmental needs. Utilize firewalls, antivirus protection, and WiFi network security tools. Avoid online use of your debit cards, and secure your cell carrier’s SIM cards with PIN codes. It will help to avoid issues when the device is stolen or someone tries to take over your account. Be cautious of unfamiliar websites and downloads. Back up and protect your data with encryption and masking, and control access to your systems. Consider perimeter security and even think of restricting access to IoT devices. These devices can be TVs, consoles, or displays.
Bob Butler
Wow, you threw a couple out there that I hadn’t even thought of. I really appreciate that. So, as we think about Payrix, can you tell us a little bit about the cybersecurity controls that Payrix has in place, and how they should complement the information security policy of any of our software partners?
Jack Tsigankov
Certainly, at Payrix we actually take information security very seriously. We’ve implemented a comprehensive set of cybersecurity controls. And these controls include network segmentation, intrusion detection and prevention systems, encryption, access controls, and regular security audits. Pretty much all of these controls align with industry best practices and regulatory requirements that come from PCI DSS, SOC 2, NIST, HIPAA, OWASP, and ISO; these are just the frameworks that are tailored to help businesses in this specific industry. So if we look at HIPAA, it is a framework of best industry practices tailored towards healthcare companies, and PCI DSS is tailored towards any company that does process credit cards. So, our approach complements our partners’ information security policies, creating a secure ecosystem for the payment processing industry. We offer enhanced security features like multi-factor authentication and IP whitelisting, and we offer configuration settings that allow granular access control to ensure only trusted and authenticated users can access our platform. We work closely with our partners to ensure they understand and adhere to these controls, ultimately enhancing the overall security posture of our ecosystem: end-to-end security.
Bob Butler
It’s been really great having you here today. Any last pieces of advice you’d like to leave for a software company?
Jack Tsigankov
Yeah, just follow the best industry practices. They are all well published and articulated on public forums and in official guidelines. Try to pick one framework, say PCI DSS, that’s the payment card industry standard, or NIST, which is government-proposed best industry practices, and try to implement all of these best practices in your ecosystem, in your environment where they live and work. And by sticking to those best practices, you should do all good, and you shouldn’t have any data breaches or vulnerabilities in the future.
Bob Butler
Jack, I really want to thank you for being on the show.
Jack Tsigankov
Yeah, thank you Bob for having me.
Bob Butler
Having spent quite a bit of time with you over the past few months, I know we’re both big believers in sharing knowledge and experience. So, we really appreciate you joining us today.
We want to be a trusted resource for software providers who are out there trying to make sense of embedded payments and finance and to help them get the education they need to make the business decisions their customers and investors will thank them for.
Thank you for joining us today on the PayFAQ Embedded Payments podcast brought to you by Payrix. For more information about Embedded Payments, subscribe to our show at Payrix.com/podcasts.