Significant advances in cybersecurity are being made in the APAC region. Australia released an international cyber security strategy in October 2017, which sets out an approach for the next three years. The strategy, which has a budget of AUD230 million, outlines seven key themes underpinning Australia’s regional approach to cyber security: digital trade, cybersecurity, cybercrime, international security, internet governance, and cooperation. To address cybersecurity threats, the Indian Government launched Cyber Swachhta Kendra in February 2017. This is a desktop and mobile security solution for botnet cleaning and malware analysis. Further, in January 2018, the Government launched the Cyber Surakshit Bharat initiative, which aims to protect and safeguard data. The initiative is a partnership with technology companies including Wipro, Microsoft, Intel, Red Hat, and Dimension Data and is the first public-private partnership of its kind.
As part of its cybersecurity strategy, Singapore has implemented several initiatives. Security by design will be an important focus area of the strategy. A Cyber Act was launched in November 2017 to provide a legal framework for cybersecurity in the country.
On 1 March 2017, the NYDFS announced cybersecurity rules designed to promote the protection of customer information and IT systems of regulated entities. Such regulations are expected to be announced in other states of the U.S. in the coming months. On 1 June 2017, China’s new cybersecurity law came into effect. The law focuses on cybersecurity, data security, and cross-border data transmission.
As an update to its 2013 cybersecurity strategy, the European Commission adopted a cybersecurity package on 13 September 2017. Aimed at improving cyber resilience, the package expands the role of the European Network and Information Security Agency (ENISA), the EU agency for cybersecurity. The package provides support to member nations implementing the Network and Information Systems (NIS) Directive and helps in developing a comprehensive pan-EU framework for cybersecurity.
The Web Payments Working Group, a part of the World Wide Web Consortium (W3C), has launched a Payment Request API that allows browsers to act as an intermediary between three parties in a transaction: the payee, the payer, and the payment method provider. The API is supported in Chrome, Edge, and Samsung Internet, and in development in Firefox and Safari. Several firms are adopting the API, including the New York Times, the Washington Post, and Monzo.
Efforts are under way to embed the EMV 3D Secure (3DS) standards in web browsers. EMV Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. A working group has launched a 3DS Task Force to lead the development.
With the proliferation of online payments, robust internet payment security is a necessity. Governments and regulatory bodies across the globe are implementing security procedures that emphasize strong customer authentication (SCA). The EU’s Regulatory Technical Standards (RTS), which detail SCA, are expected to be implemented fully in H1 2019. This, in conjunction with the GDPR, will help to strengthen payments security in the EU. However, the final draft of the RTS is still in review and the Standards are expected to enter into force around April-May 2019. Also in Europe, from 2018, online shoppers will need at least two independent items to confirm their identity in order to make a payment. One would be a physical item, such as a card or mobile phone, the other a password or biometric feature such as a thumbprint.
The PCI Security Standards Council has announced a new standard that focuses on software-based PIN entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets. The standard is an addition to other PCI security standards that apply to ‘PIN on glass’ technology, addressing glass devices such as tablets and other touchscreen-based devices used for mobile payment acceptance. The requirements have been developed for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on a merchant’s consumer device, using a secure PIN entry application in combination with a secure card reader for PIN (SCRP).