How well do payment service providers (PSPs) understand the security risks they face?

PSPs can’t be across all risks. The threat of being blindsided by a cyber-attack, for example, hangs over them. But, when it comes to device security, many take confidence from compliance. If the payment devices that are the lifeblood of their business – from standard countertop terminals to ticket kiosks to mobile card readers – are PCI PTS compliant, that’s treated as a proxy for security. So too are Software Bills of Materials (SBOMs), which should be provided by device manufacturers to give device buyers like PSPs transparency into the complex, multi-layered software stacks that make up a device.

But the hard truth is that a narrow focus on SBOMs and PCI PTS compliance means PSPs are operating with false confidence on device security. PCI PTS-driven testing is a one-time activity at a device’s launch (followed by very occasional re-testing), which does little to limit real-world exposure to ever-evolving security threats. In the case of SBOMs, even when they are up to date, most only cover tier-one components and overlook the open-source elements of products. PSPs may think their devices are secure, but the reality is that compliance is paper-thin.

PSPs are therefore left shouldering the risk of costly incident responses and reputational damage from cyber-attacks via device vulnerabilities, without the autonomy to take steps to limit those risks. Regulators are catching up. It’s becoming increasingly untenable for PSPs to stick with the device security status quo.

The current state of play

For PSPs operating a fleet of payment devices, managing the security of complex, embedded systems is a challenge. Modern methods to compromise hardware devices or firmware are highly complex and unfold across multiple stages (referred to by cyber security teams as multi-step kill chains). Further complicating matters is the increasingly automated ways that threat actors discover and exploit vulnerabilities in devices.

That is why PSPs need the ability to assess payment devices as complex, interconnected systems rather than relying solely on their certified status. Understanding how individual vulnerabilities can contribute to a broader attack chain requires a level of transparency that the current compliance-focused approach does not provide.

SBOMs are meant to be part of vendor documentation, yet that documentation is frequently incomplete, outdated, or misleading. As a comprehensive view over the supply chains that payment devices are built on – encompassing OEMs, tier 1 and 2 suppliers and third-party open-source components – SBOMs too often miss the mark.

Even if SBOMs are comprehensive and PCI PTS compliance is in place, this only amounts to point-in-time validation, true as of when a device was launched (or last tested). This means PSPs have insight into device security at a single point in a product lifecycle, rather than throughout. They’re left vulnerable, deferring the creation and sharing of the insight that’s crucial for managing device security to manufacturers who are not under strong obligations to disclose security issues.

Regulatory changes are adding further complications

While the Payment Card Industry Security Standards Council (PCI SSC) has 20 years of experience building strong guidance to improve payment security, upcoming EU cybersecurity requirements are poised to trigger a shift in liability and responsibility of all digital product owners and operators.

The EU Cyber Resilience Act (CRA) introduces new requirements around product liability, and PSPs fall in scope. From September 11th, device manufacturers selling in the EU are required to report actively exploited vulnerabilities and security incidents within 24 hours. But obligations run through the supply chain. If an OEM ships a vulnerable component that goes on to be integrated by a PSP, the PSP could find itself liable under the CRA if it can’t demonstrate effective due diligence in its supply chain assessment in the event of a security incident or vulnerability exploit.

The CRA reflects a broader shift in cybersecurity expectations, where actors across supply chains hold a joint responsibility to maintain security throughout a product’s lifecycle – responding to the inadequacies of simply demonstrating compliance at a static point in time.

PSPs without established processes to continuously monitor device security aren’t in a clear-cut position to be compliant ahead of September 11th. At that point, they run the risk of cyber-attacks, but also the risk of falling foul of regulators. Understanding the security posture of devices, with visibility across a product’s lifecycle, has never been more of a business imperative.

The change PSPs need

There’s a strong business case for PSPs to abandon the current cybersecurity status quo of being blind to device composition and risk. PSPs can position themselves to reckon with emerging cyber security risks, via risk-based decisions using real data, by investing in an approach of continuous threat monitoring and vulnerability intelligence that empowers them to continuously understand and validate risks. Here’s how they can start to tip the scales and gain visibility:

Device-centric continuous monitoring

The goal for PSPs should not be just to achieve compliance once; they should strive for day-to-day monitoring of live risk exposure. This is where continuous device monitoring steps in. An effective device-focused threat intelligence platform, supported by threat intelligence analysts, detects emerging threats from a wide range of sources (including signals from threat actor forums on the dark web) and aggregates those signals to tell PSPs what they need to know.

Vulnerability intelligence

We need to be precise on that last point. For continuous monitoring to be effective in the PSP context, it has to map vulnerabilities to the actual device composition (xBOM) of the devices a PSP manages. That’s how PSPs shift from general continuous monitoring to tailored vulnerability intelligence. The majority of PSPs aren’t thinking about attack surface management in this way today, but they need to be if they really want to take control of security in the device lifecycle and limit their reliance on manufacturer-provided assurances.
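The mapping described above, and the tier-one-only SBOM gap raised earlier, are easy to make concrete. The following is an added example written for this article; it is not code from the author or from PCA Cyber Security. It takes a small, constructed SBOM for a hypothetical terminal firmware image (field names loosely follow CycloneDX: `components`, `dependencies`, `purl`), walks the dependency graph to find how deep each component sits below the product, matches each versioned component against a constructed advisory list, and reports components the SBOM lists without a version or without any dependency link, which is what an "only tier-one components" SBOM looks like in practice. All advisory identifiers (`EXAMPLE-2024-…`), package versions and the dependency layout are invented for the example.

```python
"""Map a device SBOM onto a vulnerability feed and flag SBOM completeness gaps.

Constructed example: the SBOM, advisory list, versions and identifiers below are
made up for illustration and do not describe any real product or CVE.
"""
import re
from collections import deque

# Hypothetical SBOM for a payment terminal firmware image (CycloneDX-like shape).
SBOM = {
    "metadata": {"component": {"bom-ref": "fw", "name": "terminal-firmware", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "c1", "name": "payment-app", "version": "3.2.0", "purl": "pkg:generic/payment-app@3.2.0"},
        {"bom-ref": "c2", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"bom-ref": "c3", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"bom-ref": "c4", "name": "busybox", "purl": "pkg:generic/busybox"},          # no version recorded
        {"bom-ref": "c5", "name": "libcurl", "version": "7.79.0", "purl": "pkg:generic/libcurl@7.79.0"},  # not in graph
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["c1", "c4"]},   # tier-one components
        {"ref": "c1", "dependsOn": ["c2"]},         # open-source library pulled in by the app
        {"ref": "c2", "dependsOn": ["c3"]},         # and its own transitive dependency
    ],
}

# Constructed advisory feed: placeholder IDs, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12", "severity": "medium"},
    {"id": "EXAMPLE-2024-0003", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
]


def version_key(version):
    """Sortable key for dotted versions with optional letter suffixes (e.g. 1.1.1k)."""
    key = []
    for part in version.split("."):
        match = re.match(r"(\d*)(.*)", part)
        number = int(match.group(1)) if match.group(1) else 0
        key.append((number, match.group(2)))
    return tuple(key)


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as in most feeds)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def component_depths(sbom):
    """Breadth-first walk from the product: depth 1 = tier one, >1 = transitive."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths, queue = {}, deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def match_advisories(sbom, advisories):
    """Return one finding per (component, advisory) pair whose version falls in range."""
    depths = component_depths(sbom)
    findings = []
    for comp in sbom["components"]:
        version = comp.get("version")
        if not version:
            continue  # unversioned entries cannot be matched; reported as gaps instead
        for adv in advisories:
            if adv["package"] == comp["name"] and affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"], "component": comp["name"], "version": version,
                    "severity": adv["severity"], "depth": depths.get(comp["bom-ref"]),
                })
    return findings


def completeness_gaps(sbom):
    """Components with no version or with no path from the product in the dependency graph."""
    depths = component_depths(sbom)
    gaps = []
    for comp in sbom["components"]:
        reasons = []
        if not comp.get("version"):
            reasons.append("missing version")
        if comp["bom-ref"] not in depths:
            reasons.append("not linked in dependency graph")
        if reasons:
            gaps.append({"name": comp["name"], "reasons": reasons})
    return gaps


if __name__ == "__main__":
    for f in match_advisories(SBOM, ADVISORIES):
        tier = "tier-one" if f["depth"] == 1 else f"transitive (depth {f['depth']})"
        print(f"{f['advisory']} {f['severity']:>6}  {f['component']} {f['version']}  [{tier}]")
    for g in completeness_gaps(SBOM):
        print(f"gap: {g['name']}: {', '.join(g['reasons'])}")
```

Both findings in this constructed data land on transitive open-source components, which is the part of the stack a tier-one-only SBOM would never surface; the gap report is the check a PSP can run on a manufacturer's SBOM before trusting it as an input to monitoring.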

Validation

Validation is the critical final step. As already discussed, irregular testing that is considered sufficient under the current compliance framework does not necessarily provide an adequate level of security. Expert-led penetration testing designed to find weaknesses in components and identify device flaws probes devices for vulnerabilities using real-life attack paths that manufacturers don’t test when launching a device. PSPs gain the power to independently verify manufacturer claims, SBOM accuracy and patch effectiveness.

The new standard

The current device security status quo isn’t working for PSPs. Flying blind to risk isn’t a strategy as cyber threats emerge daily and regulatory scrutiny increases. Continuous security validation and accountability across the product supply chain is where PSPs need to move, and it needn’t be overcomplicated. Continuous monitoring, vulnerability intelligence and validation come together to establish true visibility across a product’s lifecycle – protecting customers, partners and PSPs themselves.

Artem Serebrov, Director of Product, PCA Cyber Security