By Norman Comstock, Managing Director, and Luke Nelson, Managing Director, Cybersecurity Solutions, UHY Consulting
With $54 trillion in payments flowing through the world’s leading transaction avenues, the payments space is truly exploding. Moreover, seemingly all stakeholders are buying into the space big time. For example, traditional banks are moving full speed ahead in fulfilling consumer expectations for instant and easy digital payments by rolling out new offerings. Policymakers are jumping onboard, since moving money faster means economies can expand. And merchants, neobanks, and fintechs are following the money and debuting a slew of new products as well. That said, cybercriminals are also looking to get in on the act in a big way.
In 2022, more than 60% of global financial institutions with over $5 billion in assets were hit by cyberattacks as cybercriminals look to compromise the rapidly growing – and lucrative – financial industry. And because of the rate that the payments sector in particular is evolving, CISOs and their cybersecurity teams in this space are finding it increasingly difficult to stay one step ahead of bad actors.
With that in mind, here are a few of the key factors that are making the payments sector one of the most interesting areas to watch in terms of cybersecurity.
An evolving digital payments marketplace
For years, apps like Venmo and other digital channels have become a more and more popular avenue for purchases and payments among consumers. However, as with so many industries, the COVID-19 pandemic completely changed the payments landscape, with consumers now demanding – rather than preferring – that banks and non-bank fintechs make it easy, cheap, and fast to execute online transactions, especially payments. Thus, mobile banking and digital wallets are now virtually ubiquitous. So much so that even the government is getting in on the payments game through the US Federal Reserve’s FedNow. Additionally, digital payments and cryptocurrency are also becoming more intertwined – see payments leader PayPal’s recent move to make digital assets available for their users through their digital wallet. This surge in payments tech adoption, and the growing diversity in the types of payments offerings, has made the space ripe for innovation but also for cybersecurity threats.
Regulatory complexity in digital payments
Due to the surge in ransomware attacks and other high-profile breaches impacting the financial services industry, policymakers, industry groups and regulators have all stepped up oversight efforts as well. In March, for example, the White House released its comprehensive National Cybersecurity Strategy, which included placing more responsibility on those within the digital ecosystem, the tech providers and payments providers, “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable.” In addition, an onerous patchwork of data privacy laws has been unfurled in the past few years in several states, and in July the Securities and Exchange Commission (SEC) finalized its new cybersecurity risk management and governance rules, requiring public companies to report incidents and describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Meanwhile, the payments card industry is working overtime to meet the standards of PCI Data Security Standard (DSS) v4.0, which goes into effect March 2025. This confluence of overlapping oversight is making it increasingly challenging for payments stakeholders not just to remain compliant but to formulate effective cybersecurity strategies moving forward.
Cybercriminals have more surfaces to attack
Cybercriminals have become adept at seizing on gaps in the cybersecurity posture of companies caused by a rapidly expanding attack surface created by the adoption of new technologies like blockchain, generative AI, and cloud computing. Ransomware, once a minimal threat in cloud environments, is growing rapidly in line with increasing cloud adoption. Sophisticated AI tools are making cybercriminals better at their jobs through automation. At the same time, the explosion of fintech companies partnering with other fintechs and banks has opened the door wider to cyber threats. For example, in 2021, 62% of system intrusion incidents in the payments delivery chain stemmed from vendors, partners, and third parties – clearly demonstrating that while a more interconnected payments landscape may have certain upsides, it comes with significant cybersecurity downsides.
As we hurtle towards Q4, financial services tech disruption shows no signs of slowing down. With more and more money moving across the internet at increasing speeds and through varied infrastructures — and soon Web3 — security leaders have more fronts to defend, more regulations to comply with, and more brand reputation risks on their plates than ever before. And these issues will only continue to grow as digital payments become more ubiquitous and offerings like digital lending and securities trading proliferate. This presents significant challenges for payments stakeholders to contend with and is why payments is likely to become one of the most talked about sectors in the cybersecurity world in the years ahead.
About the Author
Norman Comstock serves as a senior leader for UHY Consulting’s Technology, Risk & Compliance group focusing on Cybersecurity Solutions. Additionally, he leads the Enterprise Performance Management (EPM) practice as part of the Software Solutions group. In this role, he leads a team of solution consultants that help organizations evaluate and utilize the Planful (formerly Host Analytics), Workiva, and Dell Boomi solutions. Norman has more than twenty-five years of experience providing strategic consulting services. Norman can be reached online at https://uhy-us.com/professional/norman-comstock.
Luke Nelson is a Managing Director for UHY Consulting focusing on Cybersecurity Solutions and Technology Risk services. Luke is responsible for providing all aspects of Cyber, Security, and Risk programs inclusive of leveraging new technological advancements, such as artificial intelligence (AI), cloud-based scalability, and advanced mathematical techniques along with optimized visualizations to deliver enhanced decision-making capabilities. Luke can be reached online at https://uhy-us.com/professional/luke-nelson