Modern businesses use payment processing systems for a variety of reasons, from customer convenience to integration with other software like accounting software, customer databases, and sales platforms. In fact, the payment processing solutions market is on pace to reach over $190 billion by 2030, with thousands of payment processors offering software and services to do things like process online credit card payments.
Though businesses of all sizes accept them as a normal part of doing business, these online processing systems come with significant risks to mitigate. These risks are especially challenging for small to mid-sized businesses that don’t have the resources of billion-dollar companies to invest in cybersecurity. And for companies providing the software to these retailers, cyberattacks can be devastating, causing lost business and damaging a reputation that can be difficult to rebuild.
So, what can businesses do to protect themselves, and their customers, from online attackers? Let’s first look at the broader landscape of cyberattacks on financial services and financial technology companies to understand what’s at risk, and then dive into practical measures businesses can implement to protect themselves from cyberattacks.
Payment Processing Software Cyberattacks Are Frequent
Companies that provide payment processing systems are high-value targets for cybercriminals due to the large volume of financial transactions they handle. Cyberattacks on these companies occur frequently, with financial services companies (including payment processors) experiencing 300 times more cyberattacks than other industries. Hackers regularly target payment processors through data breaches to steal credit card information, ransomware attacks to lock systems and demand payment, and credential stuffing to hijack accounts using stolen passwords.
Given the average cost of a data breach is $4.88 million (per IBM) and payment fraud losses are expected to exceed $40 billion globally by 2027, software security is a risk that businesses providing or using payment services simply can’t ignore.
Examples of Cyberattacks on Payment Processing Companies
History has shown the importance of application security for payment processing. A few of the many examples of costly breaches include:
1. Global Payments Breach (2012) – 1.5 Million Cards Exposed
- What happened? Attackers accessed the servers of Global Payments, a major payment processor, and stole cardholder data.
- Impact: The company lost its PCI compliance, faced legal actions, and suffered reputational damage.
2. Target Data Breach (2013) – 40 Million Payment Cards Stolen
- What happened? Attackers compromised Target’s POS system by using stolen credentials from a third-party HVAC vendor.
- Impact: Payment details of 40 million customers were stolen, leading to $18 million in settlements.
3. Equifax Breach (2017) – 147 Million Affected
- What happened? A web application vulnerability in Equifax’s system allowed attackers to steal names, social security numbers, and credit card details.
- Impact: One of the largest financial data breaches, resulting in $700 million in fines and settlements.
4. Wawa POS Malware Attack (2019) – 30 Million Card Details Issued by About 5,000 Financial Institutions Were Stolen
- What happened? Hackers breached Wawa’s point-of-sale (POS) systems and installed malware on its payment terminals, allowing them to steal credit and debit card data from its nearly 850 locations for a period of nine months.
- Impact: Card details were sold on the dark web, leading to fraudulent transactions worldwide, and Wawa had to pay a $28.5 million settlement to several financial institutions.
5. Marriott Hotels Cyber Attacks (three data breaches between 2014 and 2020) – Passport Numbers and Personal Information Were Exposed for 344 Million Customers
- What happened? A vulnerability in outdated software and overall failure to implement reasonable data security practices led to three large data breaches from 2014 to 2020, exposing personal information including passport and social security numbers of more than 344 million customers worldwide.
- Impact: Marriott’s data breaches significantly impacted the company’s reputation, leading to a drop in stock price, customer loyalty concerns, scrutiny about security practices during the acquisition of Starwood, where the vulnerability originated, and substantial legal costs due to the exposure of sensitive customer information like passport numbers and credit card details. In addition, the FTC ordered Marriott to pay $52 million to settle the resulting class action lawsuits.
6. Payment Processor ACI Worldwide Data Leak (2023) – 8.2 Million Transactions Exposed
- What happened? ACI Worldwide accidentally reran 8.2 million transactions, exposing sensitive payment data. Although this type of incident might initially appear as a procedural error rather than a traditional cyberattack, it still has significant cybersecurity implications. Cybersecurity isn’t only about unauthorized access (confidentiality), but also about ensuring data integrity and availability. Accidentally reprocessing transactions suggests a failure in data integrity—transactions must not be duplicated or incorrectly processed.
- Impact: Led to unauthorized charges and compliance investigations.
Payment systems store and transmit sensitive customer information, making them attractive to attackers looking to commit fraud or sell stolen data. Because of this, both companies that use payment processors and companies that sell products that handle payment processing are prime targets for cyberattacks. Given the prevalence of cyberattacks, many retailers, financial institutions, hospitals and other businesses that use payment processing software are requiring more robust security practices, and that’s where application security comes in.
Software Security Best Practices for Payment Processing
Application security is the set of practices that protect software applications from threats and vulnerabilities throughout their lifecycle (development, deployment, and operation) by identifying and fixing security weaknesses before they can be used for unauthorized access, data breaches, or code manipulation. Application security tools help companies that use payment processing in their software by protecting sensitive financial data and ensuring compliance with industry regulations like PCI DSS (the Payment Card Industry Data Security Standard).
Application security reduces what is often called a company’s attack surface: the set of entry points an attacker could use to compromise an application. The attack surface includes every way an attacker could attempt to gain unauthorized access, steal data, or disrupt operations. Reducing it lowers the risk of cyber threats and makes it harder for attackers to find and exploit vulnerabilities.
Companies providing payment processing services must implement strong application security measures to protect sensitive financial data, prevent fraud, and comply with industry regulations like PCI DSS. Application security best practices for companies providing and using payment processing software include:
1. Implement Secure Coding Guidelines and Best Practices
One of the best ways a company can protect itself from cyberattacks is by building a security-first mindset into its culture, so that all employees take ownership of cybersecurity best practices. This includes, but is not limited to, software engineering and information security teams who are often at the center of ensuring software they create meets security standards.
It’s best practice for companies to establish and enforce secure coding guidelines based on industry standards like the OWASP Top 10 and MITRE’s CWE Top 25 to mitigate common vulnerabilities such as SQL injection, XSS, and buffer overflows. Developers should follow secure frameworks, use parameterized queries, and validate user input to prevent code exploitation. Applying the principle of least privilege (PoLP) to authentication and authorization further minimizes attack risks. There’s a lot more involved in implementing secure coding practices as an organization; what’s important to note is that this is the start of reducing a company’s risk.
2. Utilize Encryption and Secure Data Handling
Within the software applications themselves, protecting sensitive information is critical, especially in payment processing applications. Companies should encrypt data in transit and at rest using TLS 1.2+ and AES-256, securely store credentials using bcrypt or Argon2, and implement tokenization to replace raw payment data. Properly securing API endpoints with OAuth 2.0, API keys, and rate limiting further reduces exposure to attacks.
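The tokenization step above, as an added example written for this page (not SOOS’s product or any real vault): the calling application receives only a random token and a masked card number, and the primary account number (PAN) can be recovered only by a caller holding the assumed "capture" scope. The in-memory dictionary stands in for a store that a real vault would keep encrypted at rest.

```python
"""Card tokenization: the merchant-facing application keeps only an opaque token and a
masked PAN; the primary account number (PAN) stays inside the vault boundary."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they are stored (Luhn mod-10 check)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS-style display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Tokens are random, not derived from the PAN, so a leaked token (or the whole
    token table of the calling system) reveals nothing about the cards. The dict
    stands in for the vault's store; encryption at rest is assumed to be handled
    by that storage layer and is not shown here."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, pan: str) -> dict:
        """Store the PAN and hand back only what the calling system may keep."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        return {"token": token, "masked": mask_pan(pan)}

    def detokenize(self, token: str, *, caller_scope: str) -> str:
        """Only the component that submits the charge may recover the PAN (least privilege)."""
        if caller_scope != "capture":
            raise PermissionError(f"scope {caller_scope!r} may not detokenize")
        if token not in self._store:
            raise KeyError("unknown token")
        return self._store[token]
```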
3. Integrate Application Security Tools and Automated Testing
Application security tools ensure organizations can catch issues before hackers know about them, ideally before they even go live. With Software Composition Analysis (SCA) and Static Application Security Testing (SAST) tools, companies can catch vulnerabilities early in development by looking at how software is built and identifying weaknesses and known vulnerabilities in their code that can be exploited by malicious actors. With Dynamic Application Security Testing (DAST), companies can scan applications for vulnerabilities while they’re running, like authentication and server configuration errors, code injection, insecure session management, improper input validation, and more.
When companies integrate SAST, DAST, and SCA directly into their CI/CD pipelines, it becomes easier for developers to ensure software meets security standards before it’s deployed to a live environment. With unlimited scanning like SOOS provides, application security tests can run alongside the other automated tests triggered whenever new code is committed, so developers don’t have to think about or manually run anything to check their code for security issues.
4. Secure Your Software Supply Chain and Third-Party Integrations
Third-party services and software integrated into payment systems can introduce security flaws if not properly vetted and monitored. That’s why automating and securing your software inventory is key.
Modern software relies on external components, which create numerous potential entry points for attackers. In addition, 90% of codebases contain open source software, which speeds up software development but also exposes companies to risk when they’re not aware of what the software they’re using contains. Companies may depend on third parties to provide some software; however, they don’t have to trust their software security to others.
Instead, companies can do what’s known as securing their supply chain. Put simply, this refers to the process of identifying and mitigating security risks in all of the tools, components, and third-party code used, as well as a company’s own first-party software. Securing your supply chain (all of the components in your software, also known as your software inventory) starts with understanding all of the software you’re using, confirming there are no known vulnerabilities present or identifying and resolving any issues found, and then regularly scanning applications to make sure updates haven’t introduced new weaknesses. For a more detailed breakdown of this process, see the next section. Or skip ahead to how SOOS can help.
How to Secure Your Software Supply Chain
The first step to securing your software supply chain and ensuring your payment processing software is protected from vulnerabilities is to create a complete software inventory, often culminating in a Software Bill of Materials (SBOM). The machine-readable artifact of the Software Composition Analysis (SCA) process is called an SBOM: a detailed list of all the components, libraries, dependencies, and third-party software used in an application. It acts like a formal ingredient list for software, providing transparency about what is inside a system. SBOMs are important for payment processing services because they help you:
1. Learn About Potential Issues Quickly
Payment processing applications rely on third-party software, APIs, and open-source libraries, which can introduce security vulnerabilities. An SBOM helps identify outdated or vulnerable components (e.g., the Log4j vulnerability) before attackers exploit them. By maintaining a clear inventory of software components, companies can patch vulnerabilities faster and reduce the attack surface.
2. Ensure Fast Incident Response and Risk Management
If a security vulnerability is discovered in a widely used software component, companies with SBOMs can quickly assess their exposure and respond effectively. Without an SBOM, identifying where a vulnerable dependency is used across multiple applications can be time-consuming and increase security risks.
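To make the exposure check in points 1 and 2 concrete, here is an added example (not SOOS code and not from the original article): it parses two constructed CycloneDX JSON SBOMs, matches each component’s package URL (purl) against a constructed advisory with a placeholder id and an assumed affected version range, and reports which application carries the vulnerable component and what version fixes it.

```python
"""Walk CycloneDX JSON SBOMs for several applications and report which ones carry a
component inside a known-vulnerable version range (advisory data constructed below)."""
import json
import re

# Constructed CycloneDX 1.5 SBOMs for two hypothetical payment services (not real products).
SBOM_CHECKOUT = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "checkout-api", "version": "3.2.0"}},
  "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ]
}"""
SBOM_SETTLEMENT = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "settlement-batch", "version": "1.8.4"}},
  "components": [
    {"name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}"""

# Constructed advisory: placeholder id and an assumed affected range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

def parse_version(v: str) -> tuple:
    """Compare on the leading digits of each dotted part: '2.0-beta9' -> (2, 0)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in v.split("."))

def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/namespace/name@version' into (name part, version)."""
    base, _, version = purl.rpartition("@")
    return base, version

def find_exposures(sbom_texts: list, advisories: list) -> list:
    """One record per (application, component, advisory) match, with the fix version."""
    hits = []
    for text in sbom_texts:
        sbom = json.loads(text)
        app = sbom["metadata"]["component"]
        for comp in sbom.get("components", []):
            base, version = split_purl(comp["purl"])
            ver = parse_version(version)
            for adv in advisories:
                affected = (adv["purl"] == base and
                            parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]))
                if affected:
                    hits.append({"app": f'{app["name"]}@{app["version"]}',
                                 "component": comp["purl"], "advisory": adv["id"],
                                 "upgrade_to": adv["fixed"]})
    return hits
```

Running `find_exposures([SBOM_CHECKOUT, SBOM_SETTLEMENT], ADVISORIES)` flags only checkout-api, which is exactly the "where is this dependency used" question an SBOM inventory answers in minutes rather than days.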
3. Reduce Third-Party Risk
Since payment processors integrate with multiple third-party services and APIs, SBOMs help evaluate vendor security by ensuring that external software components meet security requirements. This reduces the risk of supply chain attacks, where attackers exploit a weak third-party component to gain access to sensitive payment data.
4. Demonstrate Regulatory Compliance
Many financial and cybersecurity regulations, such as PCI DSS, GDPR, the EU CRA, and Executive Order 14028 (for U.S. federal software security), emphasize software transparency and risk management. SBOMs provide a structured way to demonstrate compliance by documenting the software supply chain and ensuring no unauthorized or insecure components are in use. In the case of an incident, businesses using SBOMs and application security practices can easily provide documentation showing the steps taken and efforts deployed to secure software. This doesn’t prevent attacks but it does reduce the impact of attacks on lost business and reputation damage.
Getting Started
Cybersecurity is a tough job. A majority of cybersecurity professionals report being stressed due to the constant nature of cyber threats, and it can be overwhelming to know where to start and where to stop with your security practices. After all, businesses still need to do their primary business work and can’t be focused 100% on mitigating threats. That said, there are actionable steps businesses can take to better protect themselves in a matter of hours, without relying on manual work to find potential issues. SOOS provides a robust application security platform tailored to the unique needs of payment processors and companies using payment processing software. SOOS stands out because of how comprehensive, easy to use, and affordable it is. In fact, it’s the only application security platform that puts no limits on scans and scans deep into your software application’s dependency tree, so you can scan on every commit and scan deep enough to find issues other tools miss. Add to that the fact that you can be set up and using SOOS in under an hour, with business rules tailored to your software to eliminate noise from irrelevant alerts, and it’s easy to see why teams love SOOS.
You don’t have to take our word for it, though. Try SOOS for free today and discover:
1. Comprehensive Vulnerability Scanning
SOOS’s patented Software Composition Analysis (SCA) scans deep in an application’s dependency tree to find vulnerabilities that other tools miss. Detecting and addressing risks in codebases is second nature with unlimited scans that you can set up to run on every commit, or at a frequency of your choosing using SOOS’s lightweight scanning agent. And with support for all major languages, you can be confident you’ll catch issues as soon as possible.
2. Seamless CI/CD Integration
By integrating with continuous integration and deployment pipelines, SOOS ensures that security is embedded in every stage of the development process. This aligns with shift-left practices, which have teams verify continuously that software is secure so that issues never reach live software where they can be exploited.
3. Supply Chain Visibility
SOOS generates detailed Software Bills of Materials (SBOMs) in CycloneDX and SPDX formats, giving organizations using payment processing software full visibility into their software dependencies, both for software they create and for software they didn’t create but need to build their applications. Automatically creating and maintaining an accurate software inventory is an essential part of mitigating cyber risk. SOOS makes it easy by doing it for teams automatically and by integrating SBOMs with other application security and developer tools, so that when issues are found, tickets can be created in issue managers, related issues can be detected and grouped for streamlined remediation, and issues can be addressed promptly.
4. Risk Prioritization
SOOS uses several criteria to rank vulnerabilities by severity and potential business impact, providing actionable insights that enable companies to focus on addressing the most critical risks first.
5. Unlimited Scans at a Flat Rate
Many companies using payment processors are small and mid-sized retailers without the budgets of enterprise software as a service companies. Whether a company is operating on a tight budget or not, SOOS’s flat-rate pricing for unlimited scanning ensures you don’t have to compromise quality for cost.
6. Regulatory Support
SOOS simplifies compliance efforts by offering detailed reports and traceability for audits, making it easier for fintech companies and retailers using payment processing services to align with PCI DSS, SOC 2, ISO 27001, and other regulations.
7. Fast Implementation
SOOS can be set up and customized to your business in under an hour, so you can start securing your applications quickly and without disrupting workflows. Even better, get peace of mind with the industry’s best support. SOOS responds to questions and requests in hours, not weeks, and the SOOS platform is so easy to use that while you can always talk to our team for extra support, you likely won’t have to.
Application Security for Payment Processing is Essential, and Doable
While payment processing platforms and services are particularly vulnerable to cyberattacks, businesses can protect themselves without dedicating significant time or money to implementing complicated security tooling and practices. In particular, starting by revisiting current practices and implementing robust application security practices can give businesses quick insight into potential cyber risks, along with the tools needed to resolve current weaknesses and stay on top of future issues. With application security for payment processing, companies can protect sensitive customer payment data, demonstrate compliance with industry standards like PCI DSS, and build customer trust. To learn more about how SOOS protects companies that rely on payment processing, reach out to talk to our team.