3 Questions for Your Mobile Banking Partner (Part 2)

By: Will Furrer, Senior Vice President – Product Group, Q2  

We pick up this blog series, addressing the last two questions your credit union should be asking a digital strategy company when developing a mobile banking plan.

Check out Part 1 of the blog series here to learn about the importance of providing a consistent experience on mobile.

Question 2: How does security work for the mobile channel?

Mobile security is becoming more critical every day, due in large part to the fact that today’s mobile devices are essentially hand-held computers. As such, the risk of device compromise is something every member, and you as a credit union, should be keenly sensitive to.

Because of this, the security of your mobile banking solution can’t simply be the ‘latest and greatest’ protection available; it must be ahead of the times – using advanced techniques only behavioral modeling and machine learning can support.

Interconnectivity & Behavioral

Mobile banking is not the only type of digital banking your members will do; therefore, it is critical that your mobile security be part of a holistic view of each member’s behavior within your entire digital banking ecosystem.

That means building a comprehensive picture of members’ behaviors across all your virtual channels, one that answers questions such as: What operating system are they using for their banking? What time of day do they usually do their banking? What do their typical movements through the application look like?

The power of interconnected solutions – or better yet, of a single platform solution – is very much aligned with credit unions seeking to be the most trusted, secure brand their members engage with.


Question 3: Does your mobile banking application provide support for commercial banking members?

As the majority of forward-leaning credit unions seek to meet their members where they are, the need for small business features and functions available via the mobile channel is becoming increasingly important. Small businesses—a.k.a. SoHos—are making their way into the households of millions of Americans every year, who prefer to bank with a credit union due to the service, support, rates, and connection to the community where they live and work. However, neglecting their mobile business banking needs will in fact put the business of these profitable households in jeopardy over the coming years.

Feature / Function

Small and medium businesses (SMBs) require access to ACH for payments and payroll. Sometimes it’s only a few people, but more and more frequently SMB owners are using their personal accounts, meaning they are moving larger and larger amounts of money to more and more employees or contractors.

The great news is: your credit union can work with the SMB’s relationships to provide accounts for these potential members. It’s a win/win. A win for the owner of the SMB—who is now able to manage their payroll via their mobile device, as well as approve wires and draft payments, which is what they expect from a progressive credit union like yours. And a win for your credit union in the form of new members.

Conclusion

Above all else, offering a business banking solution via mobile devices will provide your members the same freedom they have come to appreciate with your retail banking products—expanded to where they make their living, not just where they check their balances. Mobile commercial banking access is a clear separator for innovative credit unions, one that will benefit you and your members.


Q2 is the NAFCU Preferred Partner for Single Platform Virtual Banking Solutions—Including Online and Mobile—for Community and Regional Financial Institutions. Learn more about Q2 by visiting www.nafcu.org/q2.

What Biometrics Can Do for Your Credit Union’s Security Strategy

If you feel like there is always another security measure you need to consider, you’re right, and this reality is actually a very good thing. The security landscape is indeed continuously changing and evolving.

You must constantly evaluate and re-evaluate your security processes because no single solution exists that satisfies all of your security concerns and needs. Consequently, it’s wise to employ a multi-factor authentication (MFA) security strategy.

Chris Amador, Product Owner with Q2, talked about the balancing act that your credit union faces when implementing biometrics solutions in our recent webinar, “Biometrics: Enhancing Member Experience & Security.” He spoke about the challenges your credit union faces in providing secure online and mobile channels that guarantee compliance with regulations and deliver a satisfying experience for your members.

Watch Biometrics: Enhancing Member Experience & Security


We’re sharing some key highlights from the webinar and encourage you to watch the complete presentation where Chris shares timely insights on:

  • The different types of biometric solutions currently used within the financial services industry
  • What true multi-factor authentication (MFA) means and why the “third factor” is difficult to solve
  • The preferred biometric solution for online use among consumers
  • Barriers you need to consider when implementing biometrics features
  • How to evaluate whether or not your membership is ready to accept this technology

What is a True Multi-Factor Security Strategy?

A true multi-factor authentication (MFA) security strategy should include three key factors:

  • Something I “have” (e.g., your member’s laptop or a mobile device like a tablet or a smartphone)
  • Something I “know” (e.g., your member’s user ID and password, PIN, account number, or knowledge-based questions)
  • Something I “am” (e.g., your member’s biometric data, a physical or behavioral attribute unique to your individual member)

You and your members are familiar with the “something I have” and “something I know” categories, but those two factors alone have limitations in today’s complex security environment.

The physical devices your members use, whether a laptop, a tablet, or a smartphone, were once considered an integral layer of security, but this is no longer thought to be true because these devices can be stolen. And, due to the rise of social media, your members may post all sorts of information that fraudsters can use to determine the correct answers to security questions. As an example, online quizzes on social media (e.g., BuzzFeed) can be used by fraudsters as tools to phish for information.

The “something I am” category is only available through the implementation of biometrics. Biometrics are an effective third factor in an MFA security offering for your members because they utilize something fraudsters can’t duplicate: the unique personal and physical identifiers of your members.

It’s important to consider and assess to what degree your members will be comfortable with and willing to adopt biometric security measures. Continue advancing your knowledge about these options and the biometrics landscape by watching “Biometrics: Enhancing Member Experience & Security.”

Q2 Online and Mobile Banking

Q2 is the NAFCU Services Preferred Partner for a single platform virtual banking solution, including online and mobile. Learn more about Q2 by visiting www.nafcu.org/Q2.

Become a Vendor Assessment Jedi Using the NIST Cybersecurity Framework

Written by Randy Lindberg, Founder and Managing Partner with Rivial Security (A Quantivate Partner)

There are some ordinary steps that you can take to assess vendor due diligence. But, you don’t want to be ordinary…

To be a Vendor Assessment Jedi, use the NIST Cybersecurity Framework, you must!

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish the objective of vendor due diligence, your credit union needs to:

  • Gather company details such as ownership specifics, company size, products offered, and location
  • Understand the company’s financial position, or rather, whether this vendor is financially stable enough to service your needs for at least 1 to 2 years
  • Know whether the vendor will live up to their promises, judged by reputation via BBB ratings, CFPB complaints, and reference checks
  • Know how well the vendor is going to protect your data

Vendors that provide IT services have additional due diligence requirements; your credit union needs to:

  • Make sure that contract language includes information on the right to audit, data security measures, and data ownership
  • Define specific security considerations and incident response procedures. Additionally, for cloud-based IT services there are further data security questions that need answers (FFIEC guidance refers to the NIST SP 800-145 definition of cloud computing[1])

Ultimately, your credit union, as the entity responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity stance. How do you determine a vendor’s cybersecurity position? You can request an audit of their security controls, which typically comes back in the form of an SSAE 16 report.

SSAE stands for “Statement on Standards for Attestation Engagements.” The SSAE 16 is delivered in the form of Service Organization Controls (SOC) reports. There are several report types, but the two most common and important are:

  • SOC 1 Type 2, which reports on the design and effectiveness of internal controls over financial reporting; and
  • SOC 2 Type 2, which reports on the design and effectiveness of “trust service principles” such as security, confidentiality, and availability.

In most cases, the SOC 2 Type 2 is the best report for assessing cybersecurity. The SOC 1 report, however, is the most commonly used report. Not all SSAE 16 reports are the same, because there is discretion as to which and how many of the five (5) trust services principles are actually examined and reported on during a SOC 2 engagement. You have to dig into the details to understand what is being reported.

For example, if an IT service provider has a SOC audit performed on their corporate network but outsources application development and data center hosting, you’ll essentially be left with a meaningless document, because the controls that matter most to your data sit with the subservice organizations that the report does not cover.

The ordinary steps used to perform a SSAE 16 review are:

  • Pinpoint findings without adequate management responses
  • Provide complementary user entity controls to system owner and/or IT

But, you want to be extraordinary. By using the NIST Cybersecurity Framework in the following way, you can become a Vendor Assessment Jedi:

  • Review the description of the vendor’s system addressed in the SSAE 16 report
  • Search for “subservice” to find the section where subservice organizations (i.e., any businesses that your vendor contracts with/outsources) are described
  • Use function, category, or subcategory (depending on your technical expertise and comfort level) to ensure control objectives are covered

Figure: NIST Cybersecurity Framework Core Example

Using the partial image above, you could search through the SSAE 16 report in a structured manner using the Framework as a guide.

If you use the “subcategory” component of the Framework, you would check the vendor’s report for a control objective that outlines “Response plans incorporate lessons learned” (as highlighted in the example above) or something very similar. If there is sufficient content in the report, you can mark that subcategory as ‘in place’ in your vendor cybersecurity assessment tracking documentation.

Using the NIST Cybersecurity Framework in this way to walk through vendor security audit reports provides a useful and efficient method for reviewing vendor security controls.
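As an added example (not from this post, nor Rivial’s or Quantivate’s own tooling), the following Python script models the walk-through above: it searches a constructed SOC 2 excerpt for the “subservice” section, flags carved-out subservice organizations, and checks each CSF subcategory outcome against the report’s control descriptions, marking a match as ‘in place’. The report text, the control IDs, and the keyword-overlap threshold are assumptions; a low score means a human still has to read the report, not that the control is absent.

```python
import re

# Constructed excerpt of a SOC 2 Type 2 system description (not a real report).
SAMPLE_REPORT = """
Section III: Description of the System
Example Corp provides hosted online banking services.
Subservice Organizations: Example Corp uses a third-party data center
provider for colocation and an outsourced development firm. Controls at
these subservice organizations are carved out of this report.
Control IR-4: Incident response plans incorporate lessons learned from
post-incident reviews and are updated annually.
Control AC-2: Access to production systems is reviewed quarterly.
"""

# NIST CSF subcategory IDs mapped to their outcome statements (assumed subset).
CSF_SUBCATEGORIES = {
    "RS.IM-1": "Response plans incorporate lessons learned",
    "PR.AC-4": "Access permissions and authorizations are managed",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
}

STOPWORDS = {"the", "and", "are", "to", "of", "is", "a", "an"}

def _keywords(text):
    """Lower-cased content words, used for a rough overlap score."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}

def subservice_orgs_carved_out(report):
    """Step 2 of the walk-through: find the 'subservice' section and flag a carve-out,
    which means outsourced components are NOT covered by this report."""
    idx = report.lower().find("subservice")
    return idx >= 0 and "carved out" in report[idx:].lower()

def assess(report, subcategories=CSF_SUBCATEGORIES, min_overlap=0.8):
    """Step 3: for each subcategory, find the report sentence whose keywords best
    cover the outcome statement; mark 'in place' above the threshold, else 'not found'."""
    sentences = [s.strip() for s in re.split(r"(?<=[.])\s+", report) if s.strip()]
    scored = [(s, _keywords(s)) for s in sentences]
    results = {}
    for sub_id, outcome in subcategories.items():
        needed = _keywords(outcome)
        score, evidence = max((len(needed & kw) / len(needed), s) for s, kw in scored)
        status = "in place" if score >= min_overlap else "not found"
        results[sub_id] = {"status": status, "score": round(score, 2),
                           "evidence": evidence if status == "in place" else None}
    return results

if __name__ == "__main__":
    print("Subservice controls carved out:", subservice_orgs_carved_out(SAMPLE_REPORT))
    for sub_id, r in assess(SAMPLE_REPORT).items():
        print(sub_id, r["status"], r["score"], r["evidence"] or "")
```

On the constructed excerpt, RS.IM-1 is marked ‘in place’ from the IR-4 control text, while PR.AC-4 and DE.CM-1 come back ‘not found’ and the carve-out flag is raised, which is exactly the situation the post warns about.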

To learn more about using the NIST Cybersecurity Framework to ensure proper vendor due diligence, register for the upcoming webinar, “Assessing Vendors Using the NIST Cybersecurity Framework,” presented by Randy Lindberg and Dan Banning, Director of Marketing at Quantivate.

Here are some additional resources for you to reference in the process of becoming a Vendor Assessment Jedi at your credit union:

Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Quantivate partners with Rivial Security to deliver cost-effective data security solutions that enable organizations to protect sensitive data, comply with industry standards, and gain a competitive advantage. Additional educational resources and contact information can be found at www.nafcu.org/quantivate.

We’re Embedding Our Best Technology in Apple Pay… and Into All Digital Transactions

Originally posted on Cashless Pioneers blog

Guest post written by James Anderson, Group Head and SVP, Mobile and Emerging Payments, MasterCard


MasterCard is the NAFCU Services Preferred Partner for Credit, Debit, and Prepaid Branded Products.

In bringing Apple Pay to consumers, Apple wanted to deliver the highest quality transactions possible. So who did they turn to? Those who’ve built the scalable payment infrastructure that is the envy of others – MasterCard.

We believe that payments should always be a simple proposition to the consumer – but once you get under the hood, there’s a very sophisticated network in place that enables any of us to walk into a store and make a purchase, trusting that our cards will work as we expect them to. We realize that consumers don’t care about that – but what they do want to know is that their information and their money are secure. Through the work that MasterCard did with Apple, and with the active engagement of the first four issuers, we’ve delivered the most secure combination of technologies that we’ve ever deployed:


Top Things to Know About Apple Pay and the Security of Our Digital Payments Platform:

1. Apple Pay Transactions Will Work Just Like Any Other MasterCard Transaction

Transactions that originate from Apple Pay will work the same as any other MasterCard transaction. The consumer sees the card they wish to use in their iPhone, from the issuer they are used to doing business with; the merchant sees a MasterCard transaction – either the familiar contactless form in store or Digital Secure Remote Payment for in-app purchases. Apple is never in the transaction path.
