In Brazil, where credit cards are one of the main payment methods and digital data has a value comparable to cash, the risks of online fraud are becoming increasingly prevalent, requiring heightened attention from consumers and businesses.
To give an idea of the scale of the problem, four out of ten Brazilians (42%) have already been victims of financial scams and fraud in the country. The data comes from the “2024 Digital Identity and Fraud Report,” a study conducted by Serasa Experian.
Another study, this time by the National Confederation of Store Managers (CNDL) and the Credit Protection Service (SPC Brasil), in partnership with Sebrae, shows that around 8.4 million consumers reported fraud at financial institutions in the last 12 months. Among the scams, credit and debit card cloning stands out as the main type of fraud.
Although approximately 70% of Brazilians have three or more credit cards, as Serasa points out, the perception of risk remains low. About 69% of Brazilians continue to underestimate the danger of registering financial data on websites and apps, leaving a large portion of the population exposed to digital scams and cyberattacks.
Amid growing concerns about digital security, good news emerges: new initiatives and technological advancements are making the online environment safer every day.
Recently, the PCI Security Standards Council (PCI SSC) proposed new guidelines for the continuous development and enhancement of security standards, applicable to companies that store, process, or transmit payment data, as well as to developers and manufacturers of software and devices used in transactions. PCI is a global organization that brings together key players in the payments industry to drive the adoption of secure transaction resources.
“As threats and technology evolve, PCI DSS standards also update. Therefore, it’s essential to stay alert to the new requirements and make the necessary adjustments,” warns Wagner Elias, CEO of Conviso, a developer of application security solutions.
Among the updates are those to the Payment Card Industry Data Security Standard (PCI DSS), created to protect the entire card payment value chain. Its compliance requirements range from storing cardholder data to securing access to sensitive payment information.
“In short, it’s necessary to reinforce customer data protection by implementing additional measures to prevent unauthorized access,” says the expert.
Thus, companies will need to adapt and invest in new technologies. To give an idea, some of these solutions can provide a complete view of risks related to each application. “These tools integrate different systems, centralizing information and assisting in prioritizing actions, all continuously,” explains the CEO of Conviso, referring to its Conviso Platform Application Security Posture Management (ASPM), launched in 2010.
However, the expert highlights that many companies still adopt a reactive stance regarding their systems’ security, only prioritizing the issue after suffering an attack. This behavior, he says, is concerning, as security flaws can lead to significant financial losses and irreparable damage to an organization’s reputation, which could be avoided with preventive measures.
For him, when considering the creation of new software, it’s essential for companies to incorporate security at every stage of the development cycle, from requirements gathering (the first phase analyzing what the app will do) to deployment (production and final delivery).
“To avoid these risks, the key differentiator is adopting Application Security practices from the beginning of new app development. This ensures protective measures are embedded in all phases of the software lifecycle. Besides being significantly more economical than remedying damages after an incident, investing in preventive security is much more effective. It allows preventing attacks, protecting sensitive data, ensuring compliance with laws and guidelines, and guaranteeing the application is secure and reliable for users from the start,” says the expert.
Wagner explains that the company develops solutions integrating security into DevOps, enabling each line of code to be developed with protective practices, along with services like penetration testing and vulnerability mitigation. “Performing continuous security analyses and test automation allows companies to meet regulations without compromising efficiency,” Wagner emphasizes.
Beyond implementing robust technologies, Conviso’s CEO underscores the importance of specialized consulting, helping companies adapt to PCI DSS 4.0 requirements and other regulations. Offensive services like Penetration Testing, Red Team, and third-party security assessments promote a proactive and comprehensive security approach, identifying and fixing vulnerabilities before they can be exploited.
Investments are expected to accelerate
This transformation in digital security not only reinforces consumer trust in a secure online environment but also aligns with the rapid growth of the application security market, projected to expand from $11.62 billion in 2024 to $25.92 billion by 2029, according to Mordor Intelligence. “Implementing cutting-edge technology marks a turning point in digital protection and strengthens trust in a market that depends, more than ever, on security to thrive,” concludes Wagner.
Below are the 12 PCI DSS requirements that must be met to pass a version 4.0 compliance assessment:
- Install and maintain a firewall
- Eliminate vendor default configurations
- Protect stored cardholder data
- Encrypt payment data transmission
- Regularly update antivirus software
- Deploy secure systems and applications
- Restrict access to cardholder data as needed
- Assign user access identification
- Restrict physical access to data
- Track and monitor network access
- Continuously test processes and systems for vulnerabilities
- Create and maintain an infosec policy
The implementation of PCI DSS 4.0 guidelines is being carried out in two phases:
- The first phase, with 13 new requirements, had a deadline of March 31, 2024.
- The second phase, with 51 additional requirements, must be implemented by March 31, 2025.