Mitigation of Cyber Risks in the Field of Electronic Payments: Organizational and Legal Measures

  • Mihail Nikolaevich DUDIN, Russian Presidential Academy of National Economy and Public Administration (RANEPA), Moscow, Russian Federation
  • Vadim Nikolaevich ZASKO, Russian Presidential Academy of National Economy and Public Administration (RANEPA), Moscow, Russian Federation
  • Evgenia Evgenevna FROLOVA, The Institute of State and Law of the Russian Academy of Sciences (RAS), Moscow, Russian Federation
  • Natalya Georgievna PAVLOVA, Peoples’ Friendship University of Russia (RUDN University), Moscow, Russian Federation
  • Ekaterina Petrovna RUSAKOVA, Peoples’ Friendship University of Russia (RUDN University), Moscow, Russian Federation

Abstract

The security of electronic payments is currently a central concern both for participants in the monetary system and for the scientific expert community. The goal of this paper is to develop organizational and legal measures aimed at improving the security of electronic payments in the Russian Federation.

The research methods include analysis of retrospective data on the development of the payment system and of bank-card electronic payments, statistical observation, and analysis of secondary data from information-security surveys of Russian and foreign companies.

In addressing these research problems, the authors reached the following conclusions:

  • The rapid development of electronic payment systems is accompanied by growth in cybercrime and cyber risks in payment systems;

  • Despite fairly active measures by state bodies and the Bank of Russia, the legal framework and infrastructure for electronic payments are still at the development stage;

  • Cyber attacks cause significant damage not only to financial institutions but also to companies in the non-financial sector and to ordinary citizens who use electronic payment systems.

In the authors' opinion, the key organizational and legal measures for mitigating cyber risks in electronic payments are: establishing the centralized payment infrastructure of the Bank of Russia, introducing corporate cyber-threat management systems, improving corporate policies and procedures for personal data protection, and training employees in the information security of electronic settlements.

Published: 2018-09-19

How to cite: DUDIN, Mihail Nikolaevich et al. Mitigation of Cyber Risks in the Field of Electronic Payments: Organizational and Legal Measures. Journal of Advanced Research in Law and Economics, v. 9, n. 1, p. 78-88, Sep. 2018. ISSN 2068-696X. Available at: https://journals.aserspublishing.eu/jarle/article/view/2288. doi: https://doi.org/10.14505//jarle.v9.1(31).11.