
Top 5 Robust Strategies for FinTech Data Protection

  • 10 min
  • Mar 03, 2020

Daria R., Copywriter
Vlad V., Chief Executive Officer

Despite the constantly growing number of cyberattacks worldwide, the Internet Society claims that 95 percent of breaches could be prevented. This means that every company can reduce its exposure and protect itself and its customers by taking a proactive rather than a reactive approach to security.

If you want to know what this means for a FinTech startup and what best practices you can follow to protect your software and the data it works with, keep reading!

Cybersecurity: the magnitude of the problem

Before we delve into the most effective FinTech data protection strategies, let’s take a look at the latest statistics concerning cybersecurity to estimate the scale of the problem.

Major FinTech security challenges

The FinTech industry is highly exposed to security attacks. It deals with terabytes of sensitive and valuable financial information like bank accounts, passwords, and identity data. 

This industry is number two in data breaches according to the Q3 2019 Data Breach QuickView Report. There were 263 data breaches in the FinTech sector during Q3 2019, which is only one breach less than in the public administration sector. 

To come up with the most effective security solutions for FinTech, we first need to understand the main security challenges in this industry. Here are the most important ones.

#1 Data ownership

Data ownership refers to possessing and being responsible for information. FinTech companies that work with sensitive data have to work out a strict mechanism for regulating who can access, create, modify, benefit from, sell, and remove data, as well as who can grant these rights to others.

Establishing data ownership makes it clear who is responsible for the data's safekeeping, which also simplifies litigation if information is leaked or misused. To establish data ownership in your startup, you need to take into account a number of technical and legal considerations and make sure the processes of collecting, processing, storing, transferring, and destroying data comply with the norms and regulations in your sphere.

#2 Digital identities

One of the biggest FinTech trends for 2022 is going to be the digitalization of financial services and the closing of physical offices. Banks and other financial establishments are working on reliable online mechanisms for verifying identities in order to secure data and effectively manage digital identities. 

To enhance already familiar biometrics technologies, FinTech companies add one-time passwords (OTP) and use adaptive authentication. Adaptive or risk-based authentication checks such data as a user’s geolocation, registered devices, and more in addition to biometric data and one-time passwords.

#3 Management of third-party components

If you want to create software that will satisfy modern customers’ requirements, you’ll likely need to extend the functionality of your product by integrating with third-party payment gateways, analytics systems, social network buttons, external chats, and so on. 

Every external service you integrate extends your product's attack surface: a vulnerability in the vendor's code, a compromised script they serve, or an API key leaked on their side becomes your incident. The first step in managing third-party components is therefore to minimize their number.

The next step is to consider building the functionality you would otherwise get from third-party components yourself. For instance, you can implement your own chat functionality instead of embedding an external chat widget, or develop your own analytics features. Note that this only reduces risk if you have the capacity to maintain and patch that code for the life of the product; an in-house component nobody reviews is not safer than a well-maintained library.

When it comes to functionality you can’t implement due to its complexity and high cost (payment gateways, for example), choose the most well-known and reliable vendors. 

Nevertheless, even when you deal with reputable and well-maintained third-party components, you still need to manage them continuously. This means pinning exact versions in a lockfile, tracking security advisories for every dependency (including transitive ones), alerting on newly published vulnerabilities that affect a pinned version, and updating promptly when a fix is released.
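As an added example (not code from the original article), the following Ruby script shows what the "alert on vulnerabilities affecting a pinned version" step looks like in practice: it parses the specs section of a Gemfile.lock and compares each pinned version against an advisory list. The lockfile fragment, the gem names, and the advisory entries are all constructed for this example and do not refer to real libraries or real vulnerabilities; a real pipeline would pull advisories from a feed such as the Ruby Advisory Database, which is what the bundler-audit gem does.

```ruby
require "rubygems"   # Gem::Version and Gem::Requirement (standard library)

# Constructed Gemfile.lock fragment for this example. The gem names are
# invented and do not refer to real libraries.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-analytics (5.0.0)
      acme-chat (2.3.1)
      acme-http (0.9.2)
      acme-payments (1.4.0)
        acme-http (>= 0.9)

  PLATFORMS
    ruby
LOCK

# Constructed advisory feed: affected range and the version that fixes it.
# The identifiers are placeholders, not real advisory ids.
ADVISORIES = [
  { id: "EXAMPLE-0001", gem: "acme-http",     affected: "< 0.9.5",         fixed: "0.9.5" },
  { id: "EXAMPLE-0002", gem: "acme-payments", affected: ">= 1.0, < 1.4.2", fixed: "1.4.2" },
  { id: "EXAMPLE-0003", gem: "acme-chat",     affected: "< 2.0",           fixed: "2.0.0" },
  { id: "EXAMPLE-0004", gem: "acme-mailer",   affected: "< 3.1",           fixed: "3.1.0" }, # not installed here
].freeze

# Parse every "specs:" section of a Gemfile.lock into {name => Gem::Version}.
# A pinned spec is indented exactly four spaces ("    name (1.2.3)"); the
# dependency lines beneath it are indented six and carry requirements, not
# pins, so they are skipped. A line starting at column 0 begins a new
# top-level section (PLATFORMS, DEPENDENCIES, ...) and ends the specs block.
def parse_lockfile(text)
  pinned = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A\s*specs:\z/)
      in_specs = true
    elsif line.match?(/\A\S/)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      pinned[m[1]] = Gem::Version.new(m[2])
    end
  end
  pinned
end

# Report every pinned gem whose version falls inside an advisory's affected
# range. Gem::Requirement does the version-range comparison, so pre-release
# and multi-segment versions are handled the same way Bundler handles them.
def audit(pinned, advisories)
  advisories.each_with_object([]) do |adv, findings|
    version = pinned[adv[:gem]]
    next unless version                                  # gem not in this lockfile
    range = Gem::Requirement.new(*adv[:affected].split(",").map(&:strip))
    next unless range.satisfied_by?(version)
    findings << { id: adv[:id], gem: adv[:gem], installed: version.to_s, fixed: adv[:fixed] }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(parse_lockfile(LOCKFILE), ADVISORIES).each do |f|
    puts "#{f[:id]}: #{f[:gem]} #{f[:installed]} is affected, upgrade to >= #{f[:fixed]}"
  end
end
```

To run it against a real project, replace LOCKFILE with File.read("Gemfile.lock"). The check is only meaningful because it uses the exact pinned version, which in turn requires that the lockfile is committed and that deployments install from it rather than resolving dependencies afresh.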

#4 Compliance with security protocols

Startups in the FinTech sphere have to make sure all their processes comply with the regulations and norms of the country or region in which they operate. After all, the cost of non-compliance is high. In 2017, the overall average cost to organizations for non-compliance with data regulations was $14 million. This includes costs resulting from business disruption, lost productivity, lost revenue, fines and penalties, and other factors.

So what norms and regulations do you need to follow? Which ones apply depends on where you operate and what data you handle, but these are the ones most FinTech companies will encounter.

  • The General Data Protection Regulation (GDPR) regulates data protection and privacy in the European Union and the European Economic Area. It protects the personal data of individuals in the EU and applies to any company processing that data, regardless of where the company itself is located.
  • PSD2, or the second Payment Services Directive, applies to all EU countries. The directive aims at ensuring the security of electronic transactions (including strong customer authentication) and expanding the financial services ecosystem within the EU market.
  • PCI DSS is the Payment Card Industry Data Security Standard, which is meant to protect cardholder data and reduce fraud. It is a contractual requirement of the card brands for every organization that stores, processes, or transmits cardholder data; tokenization (see below) is the usual way to shrink the part of your system that is in scope.
  • GPG13 (Good Practice Guide 13, Protective Monitoring) is UK government guidance, originally published by CESG (now the NCSC), on logging and monitoring systems that handle sensitive government data. It is not a data protection law, but it is commonly required of organizations that handle UK government data and is a useful benchmark for any FinTech's audit logging.
  • eIDAS (Electronic Identification, Authentication, and Trust Services) is an EU regulation that governs electronic identification and trust services, such as electronic signatures and seals, for electronic transactions in the European Single Market.

There are a lot of other acts and standards that regulate how you need to deal with information about employees, finances, investments, and so on. Keeping up with all of them is a large task, and RegTech companies offer services that automate parts of it, such as monitoring regulatory changes, reporting, and identity verification.

How to protect data in your FinTech startup 

Let’s take a look at the latest approaches and techniques that can help you deal with the concerns we’ve mentioned and protect sensitive data within your FinTech product.

#1 Encrypt sensitive data 

Data encryption transforms readable data into ciphertext that can only be turned back into plaintext with the right key. The algorithm is the public, well-studied part; the security of your system rests on how you generate, store, rotate, and restrict access to the keys. Here are the four algorithms most often named in this context and what you need to know about each:

  • Advanced Encryption Standard (AES). AES is a symmetric block cipher, which means it uses the same key for encryption and decryption. It operates on 128-bit blocks and accepts 128-, 192-, or 256-bit keys (AES-128, AES-192, and AES-256). A 128-bit key encrypts a block in 10 rounds, a 192-bit key in 12, and a 256-bit key in 14; each round consists of byte substitution, row shifting, column mixing, and key addition. The US government has approved AES for protecting classified data. What matters in practice is the mode of operation: use an authenticated mode such as AES-GCM, which detects tampered ciphertext, never reuse a nonce under the same key, and never use ECB mode, which leaks patterns in the plaintext.
  • Rivest-Shamir-Adleman (RSA). RSA is an asymmetric algorithm that uses different keys for encrypting and decrypting data: the encryption key is public, while the decryption key is private. It is far slower than symmetric ciphers and can only encrypt a message shorter than its key, so in practice it is used to encrypt (wrap) a symmetric data key while AES encrypts the data itself. Use OAEP padding, since the older PKCS#1 v1.5 padding has known weaknesses, and keys of at least 2048 bits.
  • Triple Data Encryption Standard (TripleDES, 3DES). TripleDES is based on the DES cipher, a Feistel cipher with a 56-bit key, and applies DES three times to each 64-bit block to compensate for DES's short key. It has long been used in the payment industry, for example to protect PIN blocks. However, its 64-bit block size makes it vulnerable to birthday attacks on long-lived connections (Sweet32), and NIST has deprecated it. Treat it as a legacy algorithm you may have to interoperate with, not one to choose for new designs.
  • Twofish. Twofish is a symmetric block cipher that uses 128-bit blocks and accepts any key length up to 256 bits, always in 16 rounds regardless of key length. It was a finalist in the AES competition and has no known practical attacks, but it lacks the hardware acceleration and library support that AES enjoys, so AES is the default choice.

Each algorithm has its place: symmetric ciphers for bulk data at rest and in transit, asymmetric ones for key exchange and signatures. Whatever you choose, encrypt data in transit with TLS 1.2 or later, encrypt it at rest, keep keys out of the application code base and in a key management service or hardware security module, and plan for key rotation from the start.
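As an added example (not code from the original article), here is how the AES and RSA entries above fit together in working Ruby, using the standard library's OpenSSL bindings: AES-256-GCM encrypts each record with a fresh random IV and authenticates an associated record id, and RSA-OAEP wraps the per-record data key so the slow asymmetric operation only ever touches 32 bytes. The record layout, the function names, and the sample IBAN are this example's own.

```ruby
require "openssl"
require "securerandom"

# Added example. Key sizes follow the AES entry above; the record layout
# (iv || tag || ciphertext) and the function names are this example's own.
AES_KEY_BYTES = 32   # AES-256
GCM_IV_BYTES  = 12   # 96-bit nonce, the recommended size for GCM
GCM_TAG_BYTES = 16   # 128-bit authentication tag

# Encrypt one record with AES-256-GCM. A fresh random IV per call is
# essential: reusing an IV under the same key breaks GCM's confidentiality
# and authenticity. `aad` is authenticated but not encrypted (a record id,
# say), so a valid ciphertext cannot be silently moved to another record.
def aes_gcm_encrypt(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  body = plaintext.empty? ? "".b : cipher.update(plaintext)   # update rejects empty input
  iv + cipher.auth_tag_before_final_placeholder(body, cipher) rescue nil
end
```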

#2 Create secure code and a secure architecture

The quality of your application's architecture and code is vital for its security. Buggy, messy code is easy to exploit. Flaws in business logic, such as an endpoint that checks that a user is logged in but not that the record requested belongs to them, are especially hard to detect with automated tools, because the code does exactly what it was written to do. The best defenses are threat modeling before you build, code reviews and pair programming while you build, and static analysis in the pipeline to catch the mechanical mistakes.

The technology stack you choose for your project also matters. The main programming language for a FinTech startup has to be fast, scalable, reliable, versatile, well-supported, and secure. 

Ruby, for instance, offers a number of out-of-the-box capabilities to enhance code security. The Ruby community promotes the Security Development Lifecycle, DRY, SOLID, and other software development principles to make code secure, clean, and easy to work with.

Ruby also offers thousands of ready-made open-source libraries, called gems, that not only save development time and money but can enhance the security of your FinTech product. There are gems for:

  • Secure authentication and authorization
  • Scanning code for vulnerabilities
  • Secure payments
  • Debugging
  • Testing
Twitter, Airbnb, Shopify, Twitch, and Netflix have chosen Ruby for their projects. Read our article to discover five substantial advantages of choosing Ruby for your startup!

#3 Secure authentication

As we mentioned, secure and precise identification and authentication is vital for FinTech software. Apart from OTP and adaptive authentication, you can employ the following approaches:

Role-based access control

Role-based access control (RBAC) is an approach in which access to software and systems is granted according to a user's role rather than to individuals one by one. Each role can access only a predefined set of resources and operations and is denied everything else, which is how you implement least privilege at scale. Note that a role check alone is not enough: a customer role may be allowed to read accounts, but each request still has to verify that the specific account requested belongs to that customer.
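As an added example serving both the secure-code point in #2 and the RBAC description above (not code from the original article), the Ruby snippet below puts a role permission matrix next to the object-level check that a role check alone does not give you. It shows the vulnerable pattern, an endpoint that returns whatever account id the client sends once it has confirmed the role may read accounts, beside the hardened one. Role names, actions, and the data model are invented for the example.

```ruby
# Added example: a permission matrix plus an object-level ownership check.
# "May this role perform this action" and "on this particular record" are
# two separate checks; business-logic bugs hide in the second one.

ROLE_PERMISSIONS = {
  customer: %i[account:read transfer:create],
  support:  %i[account:read],
  auditor:  %i[account:read transfer:read],
  admin:    %i[account:read account:freeze transfer:read transfer:create],
}.freeze

User    = Struct.new(:id, :role)
Account = Struct.new(:id, :owner_id)

class AccessDenied < StandardError; end

# Check 1: role-level permission from the matrix. Unknown roles and unknown
# actions fail closed.
def role_allows?(user, action)
  ROLE_PERMISSIONS.fetch(user.role, []).include?(action)
end

# Check 2: object-level rule. A customer may only touch their own accounts;
# support and auditors may read any account but change nothing; admins may
# do whatever their role permits.
def object_allows?(user, action, account)
  case user.role
  when :customer          then account.owner_id == user.id
  when :support, :auditor then action.to_s.end_with?(":read")
  when :admin             then true
  else false
  end
end

def authorize!(user, action, account)
  unless role_allows?(user, action) && object_allows?(user, action, account)
    raise AccessDenied, "user #{user.id} (#{user.role}) may not #{action} account #{account.id}"
  end
  true
end

# The vulnerable pattern: look the record up by the id the client sent and
# trust the role check alone. Any authenticated customer can read any
# account (an insecure direct object reference).
def show_account_insecure(user, accounts, account_id)
  raise AccessDenied unless role_allows?(user, :"account:read")
  accounts.fetch(account_id)
end

# The hardened pattern: the same lookup, followed by the object-level check.
def show_account(user, accounts, account_id)
  account = accounts.fetch(account_id)
  authorize!(user, :"account:read", account)
  account
end

if __FILE__ == $PROGRAM_NAME
  accounts = { 1 => Account.new(1, 100), 2 => Account.new(2, 200) }
  alice = User.new(100, :customer)
  p show_account_insecure(alice, accounts, 2).owner_id   # 200: another customer's account leaked
  begin
    show_account(alice, accounts, 2)
  rescue AccessDenied => e
    puts "blocked: #{e.message}"
  end
end
```

In a real application the object-level rule usually lives in the query itself (current_user.accounts.find(id) rather than Account.find(id)), which makes the secure path the only path; the split above is kept explicit so the two checks are visible.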

Password expiration

Not only cyberattacks and malware cause data leaks and breaches. Human error and, in some cases, willful actions by employees can also lead to data loss. Credentials therefore need a defined lifetime and a revocation process: when an employee leaves or changes role, or a credential is suspected to be compromised, rotate or revoke it immediately, and rotate shared secrets and API keys on a schedule. For users' own passwords, current guidance (NIST SP 800-63B) is to screen them against breached-password lists and force a change when compromise is suspected rather than on an arbitrary calendar, because periodic forced changes push people toward weak, predictable variations.

Shorter session lifetimes

The session lifetime is the time during which a user stays signed in. By reducing it, you minimize the window in which a stolen session cookie or an unattended device can be used by a third party. Use two limits: an idle timeout that ends the session after a period of inactivity, and an absolute timeout that ends it regardless of activity. Re-authenticate before sensitive operations such as adding a payee, and invalidate all of a user's sessions when they change their password.

Tracking failed sign-in attempts

Tracking failed sign-in attempts and other suspicious activity allows you to detect and slow down brute-force, credential-stuffing, and password-spraying attacks. Count failures per account and per source address, and once a threshold is exceeded, require additional (multi-step) identity verification or introduce a delay rather than locking the account outright, which would let an attacker lock legitimate users out.
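As an added example covering the last two points (not code from the original article), the Ruby code below implements failed sign-in tracking with a per-account window that switches the flow to step-up verification, plus a session store that enforces both an idle and an absolute timeout. The thresholds and timeouts are illustrative choices, and the clock is injectable so the behaviour can be exercised without waiting.

```ruby
require "securerandom"

# Added example: failed sign-in tracking that switches to step-up
# verification, plus a session store with idle and absolute lifetimes.
# The thresholds below are illustrative, not values from the article.
MAX_FAILURES     = 5          # failures per account within WINDOW before step-up
WINDOW           = 15 * 60    # seconds
IDLE_TIMEOUT     = 15 * 60    # a session ends after this much inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # ... and regardless of activity after this long

class SignInGuard
  # `now` is injectable so the window logic can be tested without waiting.
  def initialize(now: -> { Time.now })
    @now = now
    @failures = Hash.new { |h, k| h[k] = [] }   # account => [{at:, ip:}, ...]
  end

  # Record one failed attempt; forget attempts that fell out of the window.
  def record_failure(account, ip)
    t = @now.call
    @failures[account] << { at: t, ip: ip }
    @failures[account].reject! { |f| t - f[:at] > WINDOW }
  end

  # A successful sign-in (after any required step-up) resets the counter.
  def clear(account)
    @failures.delete(account)
  end

  # :allow       - run the normal password check
  # :require_mfa - too many recent failures: demand a second factor before
  #                checking the password. This slows brute force without
  #                letting an attacker lock the legitimate user out.
  def decision(account)
    t = @now.call
    recent = @failures[account].count { |f| t - f[:at] <= WINDOW }
    recent >= MAX_FAILURES ? :require_mfa : :allow
  end

  # Distinct source addresses behind the recent failures. Many addresses
  # against one account looks like credential stuffing; one address against
  # many accounts looks like password spraying. Both belong in your alerts.
  def sources(account)
    @failures[account].map { |f| f[:ip] }.uniq
  end
end

class SessionStore
  def initialize(now: -> { Time.now })
    @now = now
    @sessions = {}
  end

  # 256 bits from a CSPRNG; never derive session ids from user data or time.
  def create(user_id)
    id = SecureRandom.hex(32)
    t = @now.call
    @sessions[id] = { user_id: user_id, created_at: t, last_seen_at: t }
    id
  end

  # Returns the user id, or nil if the session is unknown or expired. Both
  # limits are enforced: idle (since the last request) and absolute (since
  # creation). An expired session is deleted so it cannot be revived.
  def resolve(id)
    s = @sessions[id]
    return nil unless s
    t = @now.call
    if t - s[:last_seen_at] > IDLE_TIMEOUT || t - s[:created_at] > ABSOLUTE_TIMEOUT
      @sessions.delete(id)
      return nil
    end
    s[:last_seen_at] = t
    s[:user_id]
  end

  # Password change or "log out everywhere": drop every session of the user.
  def revoke_all(user_id)
    @sessions.delete_if { |_, s| s[:user_id] == user_id }
  end
end
```

In production the failure counters and sessions live in a shared store such as Redis with TTLs matching WINDOW and ABSOLUTE_TIMEOUT, and the decision is also taken per source address so that one attacker cycling through many accounts is caught as well.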

#4 Tokenization

Tokenization is an approach to securing data whereby meaningful data (a card number, for instance) is replaced by a randomly generated surrogate value, or token. The token references the original data but is not derived from it, so there is nothing to decrypt: the only way back to the original is a lookup in a separate database, called a token vault, that stores the mapping between each original value and its token. Without the vault, tokens are useless strings of symbols.

Tokenization is a highly effective method for storing and transmitting data, because every system that only ever handles tokens is removed from the blast radius of a breach (and, for card data, from PCI DSS scope). The most important step is to protect the token vault: encrypt it, isolate it on its own network segment with its own credentials, restrict detokenization to the few services that genuinely need the original value, and log every detokenization request.
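As an added example (not code from the original article), here is a minimal tokenization service in Ruby: it validates a card number with the Luhn check, issues a same-length numeric token that keeps the last four digits for display and is deliberately never Luhn-valid (so a token can never be mistaken for, or accidentally charged as, a real card number), and shows that a second vault without the mapping cannot recover anything. The in-memory Hash stands in for the encrypted, access-controlled vault the text describes; the card number used is the well-known 4242 4242 4242 4242 sandbox test number, not a real card.

```ruby
require "securerandom"

# Added example: a minimal tokenization service for card numbers (PANs).
# The in-memory Hash stands in for the encrypted, access-controlled token
# vault described above.

# Luhn check: reject malformed input before it ever reaches the vault.
def luhn_valid?(digits)
  return false unless digits.match?(/\A\d+\z/)
  sum = digits.chars.reverse.each_with_index.sum do |ch, i|
    d = ch.to_i
    i.odd? ? (d * 2).divmod(10).sum : d
  end
  sum % 10 == 0
end

class TokenVault
  def initialize
    @by_token = {}   # token => PAN
    @by_pan   = {}   # PAN => token, so one PAN always maps to one token
  end

  # Issue a token for a PAN. The token has the same length and keeps the
  # last four digits (so receipts and support screens still work), but the
  # rest is random: it is not derived from the PAN and there is nothing to
  # decrypt. It is also forced to fail the Luhn check, so a token can never
  # pass for a real card number downstream.
  def tokenize(pan)
    pan = pan.delete(" -")
    unless pan.match?(/\A\d{12,19}\z/) && luhn_valid?(pan)
      raise ArgumentError, "not a valid card number"
    end
    return @by_pan[pan] if @by_pan.key?(pan)

    token = nil
    loop do
      body  = Array.new(pan.length - 4) { SecureRandom.random_number(10) }.join
      token = body + pan[-4, 4]
      break unless luhn_valid?(token) || @by_token.key?(token)
    end
    @by_token[token] = pan
    @by_pan[pan] = token
    token
  end

  # Only the vault can map a token back. Restrict this to the few services
  # that genuinely need the PAN (the payment gateway adapter, say) and log
  # every call.
  def detokenize(token)
    @by_token.fetch(token) { raise KeyError, "unknown token" }
  end

  # What everything outside the vault is allowed to display.
  def self.mask(token)
    ("*" * (token.length - 4)) + token[-4, 4]
  end
end

if __FILE__ == $PROGRAM_NAME
  vault = TokenVault.new
  token = vault.tokenize("4242 4242 4242 4242")   # well-known sandbox test number
  puts token                      # 16 random-looking digits ending in 4242
  puts TokenVault.mask(token)     # ************4242
  puts vault.detokenize(token)    # 4242424242424242
  begin
    TokenVault.new.detokenize(token)   # a different vault knows nothing about it
  rescue KeyError => e
    puts "other vault: #{e.message}"
  end
end
```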

#5 Code obfuscation

Code obfuscation is a way to raise the cost of cloning your software, in particular mobile apps. Program clones look and work very similarly to the original software and aim at gathering users' personal data.

Obfuscation complicates the analysis of an app's compiled code, making it slower and more expensive to work out how algorithms work and to reverse engineer the app. It does not prevent reverse engineering, however, and it is not a substitute for keeping secrets out of the client: anything an obfuscated app can do, a determined analyst can eventually replicate. Use it as one layer, and enforce anything security-critical on the server side.

Parting thoughts

FinTech is a thriving industry for both startups and hackers. That’s why it’s so important to protect your software product and all the information it deals with from the start before an attack happens. 

FAQ

  1. Among the most significant FinTech security challenges are:

    • Data ownership;
    • Digital identities;
    • Management of third-party components;
    • Compliance with security protocols.
  2. To ensure the security of data in a FinTech startup, you can:

    • encrypt sensitive data,
    • create secure code and a secure architecture,
    • add secure authentication,
    • apply data tokenization,
    • use code obfuscation.
  3. Tokenization is an approach to securing data whereby meaningful data is replaced by randomly generated surrogate values, or tokens. Tokens reference the original data but are not derived from it, so there is nothing to decrypt; the original can only be recovered through a special database, the token vault, that stores the mapping between each original value and its token. Without that database, tokens are useless strings of symbols.

  4. The encryption algorithms discussed in this article are:

    • Advanced Encryption Standard (the default choice, in an authenticated mode such as GCM)
    • Rivest-Shamir-Adleman (for wrapping keys and for signatures, not bulk data)
    • Triple Data Encryption Standard (legacy; deprecated for new designs)
    • Twofish
