DEV Community

Discussion on: I'm Engineering Director at a Fintech(have experience creating apps using Django/Ionic/Docker/AWS(ton of it), Ask Me Anything!

Antonio Radovcic

What are examples of security measures you have to take that wouldn't be necessary in a non-finance area?

Levi Velázquez

Well, if your fintech is going to handle/store credit card data, you need to be PCI compliant. This certification is tough. You need to put a lot of security policies in place like:

  • You can't access a "PCI" database using an external connection/interface unless you have a DBA in place. This could b
  • Every time you add an external connection to your PCI Environment, you need to increase the scope (it means doing a lot of validations)
  • There are a lot of password policies (reset them every 60 days, log out automatically every 7 days, etc.)
  • Networking policies are the hardest one.
  • You need to do risk assessments for every environment that could interact with your PCI environment.
  • There are a lot of rules; it could take around 6 months to get PCI certification for a "mid-complex" environment.

Also, most of the time fintechs handle a lot of sensitive data. This is not only related to fintechs but to any sensitive project. So, we have architecture design rules for storing/handling this data.

For example, if you need to create reports or any process using sensitive data, we do it using microservices: we create an isolated environment that will be in charge of accessing that data in order to execute a process. It is totally separated from our core system; no one is able to access it except that sensitive microservice. So, if your main core is compromised, your sensitive data will be safe. Of course, at the beginning it is going to be hard to debug because you need to do a manual/controlled process in order to check the data.

Most important: encryption. For sensitive data we use a lot of encryption. It is important not to re-invent the wheel; you can use services such as AWS KMS (Key Management Service), which provides a lot of features regarding data encryption and security.

If you have any other question, feel free to ask.
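As an added illustration of the KMS-backed encryption mentioned in the answer above (not code from the original post): envelope encryption of a sensitive record with the AWS KMS data-key pattern. `FakeKms` is a constructed in-memory stand-in that mirrors the call shapes of boto3's KMS client (`generate_data_key` / `decrypt` with `EncryptionContext`) so the example runs offline; the key alias and card number are constructed sample values.

```python
# Envelope encryption with the AWS KMS data-key pattern: KMS wraps a per-record
# data key, the record itself is encrypted locally with AES-GCM, and only the
# wrapped key is stored. FakeKms is a constructed offline stand-in for boto3's client.
import os
from dataclasses import dataclass
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def _ctx_bytes(ctx):  # KMS binds EncryptionContext to the wrapped key; we do the same as AAD
    return "&".join(f"{k}={v}" for k, v in sorted((ctx or {}).items())).encode()

class FakeKms:
    """Constructed stand-in for boto3's KMS client; the master key never leaves it."""
    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))
    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        blob = nonce + self._master.encrypt(nonce, data_key, _ctx_bytes(EncryptionContext))
        return {"Plaintext": data_key, "CiphertextBlob": blob, "KeyId": KeyId}
    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        nonce, wrapped = CiphertextBlob[:12], CiphertextBlob[12:]
        return {"Plaintext": self._master.decrypt(nonce, wrapped, _ctx_bytes(EncryptionContext))}

@dataclass
class Envelope:
    wrapped_key: bytes   # data key encrypted by KMS; persisted next to the record
    nonce: bytes
    ciphertext: bytes    # AES-GCM output, authenticated together with the context

def encrypt_record(kms, key_id, plaintext, context):
    """One fresh data key per record; the plaintext key is used once and dropped."""
    dk = kms.generate_data_key(KeyId=key_id, EncryptionContext=context)
    nonce = os.urandom(12)
    ct = AESGCM(dk["Plaintext"]).encrypt(nonce, plaintext, _ctx_bytes(context))
    return Envelope(dk["CiphertextBlob"], nonce, ct)

def decrypt_record(kms, env, context):
    """Returns the plaintext, or None if the context, key or ciphertext does not match."""
    try:
        key = kms.decrypt(CiphertextBlob=env.wrapped_key, EncryptionContext=context)["Plaintext"]
        return AESGCM(key).decrypt(env.nonce, env.ciphertext, _ctx_bytes(context))
    except InvalidTag:  # the real boto3 client raises a botocore ClientError instead
        return None

if __name__ == "__main__":
    kms = FakeKms()
    pan = b"4111111111111111"  # constructed sample: a well-known test card number
    env = encrypt_record(kms, "alias/pci-records", pan, {"tenant": "core", "record": "42"})
    print(decrypt_record(kms, env, {"tenant": "core", "record": "42"}) == pan)
```

Because the context is bound both into the KMS wrap and into the local AES-GCM authentication, a record copied to another tenant or with a tampered ciphertext fails to decrypt instead of silently returning wrong data.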

Antonio Radovcic

Thanks! Very insightful.

I'm a bit interested in the security implications in fintech ever since that sh**show that was N26 in Germany, security-wise.

Levi Velázquez

Oh, I didn't know about that issue, very interesting lecture.