WEBVTT

00:00:00.210 --> 00:00:41.010
Anna Delaney: Software point of sale, or SoftPOS, is a groundbreaking technology which allows businesses to accept card payments directly on their phone or devices without requiring any additional software. But as this new payment method gains widespread international adoption, what does this mean for the security of our payment systems? Hello, I'm Anna Delaney and welcome to Sound Off, the show where we explore one topic in under 10 minutes. And with me to discuss how SoftPOS is changing the payments landscape is Troy Leach, previously CTO of the PCI Security Standards Council and now security executive in residence at Cloud Security Alliance. It's a pleasure to have you join us, Troy, thank you so much.

00:00:41.460 --> 00:00:47.910
Troy Leach: Thank you, Anna. Appreciate the opportunity to come and talk about a really innovative thing that's happening in payments right now.

00:00:48.540 --> 00:00:58.350
Anna Delaney: Absolutely. Well, let's start off by talking about SoftPOS, and the general trend of migration to everything in banking, moving from hardware terminals to software.

00:00:59.250 --> 00:03:16.500
Troy Leach: Well, I think the pandemic helped to really accelerate some of this interest, especially when we look at, so probably should first define, what is SoftPOS. So, it's really software-only point of sale. So these are devices that by themselves are not required to have some type of light dongle to attach to a phone, like you see with the more traditional Square-type payments; these are just using an app within a phone, using NFC, and then being able to have commerce. And we're seeing more and more interest in contactless payments and the use of NFC. And up to recently, it really was just for that 60% of the market. That was Android devices that were driving some of these opportunities. But it's really, I feel, we're in this renaissance of payments. We see, you mentioned I have been formerly with PCI Security Standards Council. They've been working for years on several mobile standards. In fact, they are about to meet this month and talk more about an upcoming standard called the Mobile Payment on COTS, an acronym with an acronym. So the COTS is commercially off-the-shelf devices. These are just the Android, iPhones, whatever device you want to go by, and then turn it into a mobile payment source. So it's really changing how small merchants who maybe, before, they couldn't have a hardware-dedicated terminal, the cost may have been too prohibitive in their minds, at least. And so we're starting to see organizations that - I saw a report from Keiser that said there's about 120-130 million merchants around the world that do not use any form of payment card acceptance today, simply because of these reasons. And so I think there's really an opportunity going forward for us to see small merchants be empowered and start to have parity. Regardless, if you're in Africa, South America, China or the U.S., you are starting to have a more fair playing ground to be able to accept any form of payment.

00:03:17.910 --> 00:03:23.490
Anna Delaney: You've defined SoftPOS. How is it redefining the payment acceptance space?

00:03:24.170 --> 00:06:26.510
Troy Leach: So, I think it's looking at security and payments differently. So starting with payments, I mentioned the opportunities that exist. So, there's no longer a hardware dependency, per se; there is the preference to have a TEE (trusted execution environment). These are little enclaves and protected areas within mobile devices. Many mobile phones do have these, also looking to the cloud. And so we're seeing all these applications that, as a service, are being run, and starting to use something called confidential computing, and providing a way that you can protect information that previously, we hear all these stories about payment data being stolen in memory, and memory scraping and these types of activities. And now, we have a way to maybe have full encryption all the time to the more sensitive parts of data. And so, I think that's enabled SoftPOS and other types of payments to really flourish in the last two to three years. It's funny, we would think about this, the mobile devices themselves, iPhones have only been around for 15 years. The strike, you know, maybe a decade or so. And so, we're really moving quickly and accelerating how we form and accept payments through wearables now. Just went to Disney World and essentially didn't need to take my wallet or my phone. I could use everything related to a little wristband and even my daughter could pay for anything that she wanted. So I think we're in a fascinating time. Now, with that comes the ability and need to secure things differently. And I think where the industry really struggled was, there was a need to change to, rather, more attestation, monitoring, more analytics to the types of activity we're seeing in different types of payment environments. And some of the early adopters were saying, "Well, we have the secret sauce, that's really great secret sauce, but it's proprietary, so I can't share it with you." And for us in the security field, we say, well, "It's one thing to say you're protecting consumers' data, it's another thing to show and prove and attest that you're doing that." And so we're starting to build an understanding of the need for demonstration of the good protections that are in place. And I think we're getting there. And today, I think the SoftPOS market's about six million devices; there are many different analysts that are bullish to say within the next four to five years, that's going to be 35 million or more devices that are going to be SoftPOS-enabled. So, I'm really excited to see what this is actually going to entail for the U.S. market, but then just the global market as well.

00:06:27.990 --> 00:06:36.930
Anna Delaney: But, of course, there's the flip side, as you mentioned, you alluded to security concerns. I do want to know more about your concerns, as we become increasingly dependent on these systems.

00:06:37.679 --> 00:09:03.990
Troy Leach: Yeah, I think, you know, part of it gets down to the philosophy. So, what's been around for about 10 years, but really gaining traction right now, is the philosophy of zero trust. And so, having this approach, where we need to isolate down to what we're trying to protect, having smart identification of that edge and the protection surface that we're trying to actually guard, and then having the right access controls. And I think, going forward, we're going to see a need for higher levels of multi-factor authentication, we're going to see a need for really, in general, better monitoring and understanding, and being able to demonstrate that. One of the things I like that the non-profit Cloud Security Alliance did is they created a framework that maps to, I think, 39-40 different frameworks that exist for different financial security protections. So PCI, some of the Sarbanes-Oxley, GDPR, all of these can actually map back to a basic framework. And from there, then you can start to test and demonstrate that what you're doing is actually going to meet and adhere to not just one or two or three, but possibly 18-20 different types of local legislation, because that's the other thing that's happening right now is we start to see, in the last several years, a splintering of what is good enough payments security. So many of these states here in the U.S., I think 38 states have incorporated some form of new cybersecurity laws in the last two years; we start to see data localization, where countries like India have submitted bills. They just recently in July withdrew a bill about how sovereign the data needs to be in India; we see China, Russia and other countries, even Europe, starting to explore data localization. So all of these are going to play a part in how successful and innovative we can be if you have to be just very acute of where that data is going to transition.

00:09:05.310 --> 00:09:10.200
Anna Delaney: So, I know you've been working with SoftPOS, just talk to us about what your work has involved so far.

00:09:11.340 --> 00:11:05.340
Troy Leach: Well, a lot of the work has been in my prior role at PCI and the work that they're currently doing, and I hope to see a standard out in the near future that's going to provide guidance on how do we go about taking and creating full security, because it's not just the security of what people think of, that 15-16-digit credit card number. But we're also talking all of the authentication data as well. So the PIN number, which has always been something that had to be through a hardware security module, and you'll find it, and hardware-based encryption. Now we're starting to look and realize it's 30-plus years old, and maybe there's other ways that we can authenticate even better than what a PIN previously provided, consumers and banks alike. So, that's part of the work is guiding some of those that are exploring that area, but also we talked about as a service. And through Cloud Security Alliance, we are working with a whole bunch of financial institutions doing pilots around all of these small FinTech companies. So there are thousands upon thousands of small software-as-a-service providers that are providing some form of payment solution to these banks. But they're so small that they don't have the large compliance budgets to be able to do a demonstration of an ISO 27000. So what can we do? What level of security and assurance can we provide? Are these small companies just starting to enter into the financial market, a way that they can demonstrate to large banks that they are doing the right, proper due diligence in the work that they're going to be supporting for those banks?

00:11:06.450 --> 00:11:15.510
Anna Delaney: Troy, I have so many more questions, but we are out of time. We only have 10 minutes. So, Troy, this has been so useful. Thank you very much for your insight and joining us on Sound Off.

00:11:15.929 --> 00:11:17.159
Troy Leach: Thank you, Anna. Appreciate it.

00:11:17.880 --> 00:11:21.360
Anna Delaney: I've been speaking with Troy Leach and for ISMG, I'm Anna Delaney.