Payments · March 31, 2024

How Opn Payments Maintain the Highest Level of Security

With PCI DSS 4.0 becoming the new security standard on March 31, 2024, we invited our Senior Security Manager, Hardy M., to discuss how Opn Payments keeps your data safe with the highest level of security and how we have been prepared for the new standard since 2023.

Hardy M., originally from Sweden, has had an interest in programming from a young age and brings diverse experience to his current role. He transitioned from working as an IT contractor to advancing into a more security-focused role, acquiring various security certifications, including CISSP. Hardy joined Opn in 2018 because he was interested in the explosive growth of Asia's payment landscape, which, in his opinion, surpassed that in Europe in some aspects.

Below are some of the questions we discussed about Opn Payments’ security measures, the new security standard, and some advice on how to safeguard your organization’s data.

Opn Payments’ security measures:

Interviewer: What are the security measures Opn Payments has to protect our customers’ data?

Hardy: The security program at Opn has many different layers and controls, and I think the way to gain our customers' trust is to be as transparent as possible and show more than tell.

I always react when I see “Security is our top priority.” I understand why it is said, and it might even be true, but trust is only something that can be earned, not something you can just say and then it will automatically be true.

We have a security page that tries to explain many of the different things we do in more detail and the controls we implement. For those interested, they can read more here: https://docs.opn.ooo/security-overview.

We also always want to be approachable, so if customers have questions they can reach out to us and we can work together to make sure we earn their trust.

The new PCI DSS 4.0:

Interviewer: Can you provide an overview of PCI DSS 4.0 and its significance in the realm of data security?

Hardy: It is governed by the PCI Security Standards Council, which consists of stakeholders such as card brands in the payment industry. They release the PCI DSS standard for organizations to make sure people, processes, and technologies across the payment ecosystem help secure payments worldwide. Depending on how much exposure you have to risk, such as if you handle card data by yourself and how many transactions go through your systems, you will have different requirements that you will need to show you follow.

It is mandatory, and in my personal opinion, it is a superb standard to follow. While not perfect, it is one of the best overall organizational and technical security standards, even for companies that are not part of the payment ecosystem. I would recommend it to every company, at least to have a look at.

Interviewer: What key changes or updates does PCI DSS 4.0 introduce, and how do these impact the security landscape for organizations like Opn Payments?

Hardy: There are quite a few changes, but one that I can highlight is one that comes from the fact that in the last couple of years, the industry has seen a huge increase in card skimming attacks on merchants' websites. These skimming attacks work by taking over a merchant's website in some way. It can be phishing, a weak password, or a server that has not been patched for a long time. After the server has been compromised, the bad actor will install a small script on the payment page that will copy the customer's full card details and send them to the bad actor.

PCI DSS 4.0 added quite a number of requirements regarding how to better secure payment pages.

Interviewer: Since PCI DSS 4.0 will become the new security standard on March 31, 2024, can you tell us how we should prepare for it?

Hardy: We have successfully audited using the PCI DSS 4.0 standard since 2023. We did not have to change our processes too much. Year by year, we always improve some minor things we feel can be better, and there are a couple more improvements we are already thinking about doing for 2025.

Security advice for our customers:

Interviewer: Lastly, what are five practical measures Opn Payments' customers can adopt to safeguard their data security?

Hardy: Security can be a difficult topic and it is about risk, so not always a yes or no answer. Every company is different and has different threats they need to protect themselves from, but here are a couple of things that are relatively easy to do.

  1. Patch your software and software dependencies. At Opn we automatically patch as often as daily, but if that cannot be done, at least set up a calendar schedule every month to make sure to patch, and subscribe to your products' security news for critical notifications.

  2. Enable 2FA. Protect against re-using passwords, leakage of passwords by former employees, etc.

  3. Don’t store or process cardholder data such as the full PAN number under any circumstances. Use a trusted payment provider.

  4. Practice account hygiene. Don’t share accounts, make sure you have few administrators, and make sure they are offboarded when leaving the company.

  5. Be aware of the phishing risks associated with email, phone, SMS, social media, etc. This is an easy way attackers trick us, as we humans by nature can be manipulated.

Conclusion:

Opn Payments is dedicated to ensuring the highest level of security for your data. As you have heard from our security manager, our security approach is grounded in transparency and action, recognizing that trust is earned through tangible efforts. The successful audits using PCI DSS 4.0 since 2023 exemplify our dedication to staying ahead of evolving security requirements and emerging threats.
