In Brazil, where credit cards are one of the main forms of payment and digital data is as valuable as cash, online fraud is an increasingly prevalent risk, requiring extra attention from consumers and companies.
To give an idea of the extent of the problem, four out of ten Brazilians (42%) have already fallen victim to scams and financial fraud in the country. The data comes from the ‘Digital Identity and Fraud Report 2024,’ a survey conducted by Serasa Experian.
Another study, this time from the National Confederation of Shopkeepers (CNDL) and the Credit Protection Service (SPC Brazil), in partnership with Sebrae, shows that about 8.4 million consumers reported fraud at financial institutions in the last 12 months. Among the scams, credit and debit card cloning ranks as the main type of fraud.
Although approximately 70% of Brazilians have three or more cards, as pointed out by Serasa, the risk perception is still low. Around 69% of Brazilians continue to underestimate the danger of registering financial data on websites and apps, leaving a huge portion of the population exposed to digital scams and cyber attacks.
Amid the growing concern about digital security, good news emerges: new initiatives and technological advances are making the online environment safer every day.
Recently, the PCI Security Standards Council (PCI SSC) proposed new guidelines for the continuous development and enhancement of security standards, applicable to companies that store, process, or transmit payment data, as well as to software developers and manufacturers of devices used in transactions. The PCI SSC is a global organization that brings together key players in the payment industry to promote resources for secure transactions.
“As threats and technology evolve, so do PCI DSS standards. Therefore, it is necessary to pay attention to the new requirements and make the necessary adjustments,” warns Wagner Elias, CEO of Conviso, a developer of application security solutions.
Among the updates are those of the Payment Card Industry Data Security Standard (PCI DSS), created to protect the entire card payment value chain. Its compliance requirements range from storing cardholder data to securing access to sensitive payment information.
“In summary, it is necessary to reinforce customer data protection by implementing additional measures to prevent unauthorized access,” says the expert.
Therefore, companies will need to adapt and invest in new technologies. For example, some of these solutions are capable of providing a comprehensive view of the risks related to each application. “These tools integrate different systems, centralizing information and assisting in prioritizing actions, all continuously,” explains Conviso’s CEO about the Conviso Platform, the company’s Application Security Posture Management (ASPM) platform, launched in 2010.
However, the specialist highlights that many companies still adopt a reactive approach to the security of their systems, only prioritizing the issue after suffering an attack. This behavior, according to him, is concerning because security flaws can lead to significant financial losses and irreparable damage to the organization’s reputation, which could be avoided with preventive measures.
For him, when developing new software, it is essential that the company incorporate security at every stage of the creation cycle, from requirements gathering (the first phase, which analyzes what the application will do) to deployment (production and final delivery).
“To avoid these risks, the key differential is to adopt Application Security practices from the beginning of the new application development. This ensures the implementation of protection measures in all phases of the software lifecycle. Besides being significantly more cost-effective than remedying damages after an incident, investing in preventive security is much more effective. This allows for preventing attacks, protecting sensitive data, ensuring compliance with regulations and guidelines, and guaranteeing that the application is secure and reliable for users from the start,” says the specialist.
Wagner explains that the company develops solutions that integrate security into DevOps, allowing every line of code to be developed with protective practices, as well as services like penetration testing and vulnerability mitigation. “Performing continuous security analyses and test automation allows companies to comply with standards without compromising efficiency,” highlights Wagner.
In addition to implementing robust technologies, Conviso’s CEO emphasizes the importance of specialized consultancies, which help companies adapt to the requirements of PCI DSS 4.0 and other regulations. Offensive services like Penetration Testing, Red Team, and third-party security assessments promote a proactive and comprehensive security approach, identifying and fixing vulnerabilities before they can be exploited.
Investments Should Accelerate
This transformation in digital security not only reinforces consumers’ trust in a secure online environment but also aligns with the fast-growing application security market, expected to expand from $11.62 billion in 2024 to $25.92 billion by 2029, according to Mordor Intelligence. “Implementing cutting-edge technology marks a turning point in digital protection and strengthens confidence in a market that relies more than ever on security to thrive,” concludes Wagner.
Check out the list of the 12 PCI DSS requirements that must be met for version 4.0 compliance:
- Install and maintain a firewall
- Remove vendor default configurations
- Protect stored cardholder data
- Encrypt payment data transmission
- Regularly update antivirus software
- Deploy secure systems and applications
- Restrict access to cardholder data to those who need it
- Assign user access identification
- Restrict physical access to data
- Track and monitor network access
- Test processes and systems continuously for vulnerabilities
- Create and maintain an information security policy
The implementation of the PCI DSS 4.0 guidelines is taking place in two phases:
- The first phase, with 13 new requirements, had a final deadline of March 31, 2024.
- The second phase, with 51 additional requirements, must be implemented by March 31, 2025.