2C2P | Application Security 101 for Digital Payments
600x654 4

Application Security 101 for Digital Payments

History has taught us well.

Today, security in the world of digital applications follows the same strategy that protected many medieval castles and fortified cities.

Defence in depth is the name given to this principle, where many lines of defence - moats, ramparts, high walls, battlements, towers, and all - were constructed to shield the monarch who dwelled within.

The security measures used to safeguard your applications today are no different. As the Director of Products at 2C2P, part of my job is to work with my team to set up multiple lines of defence to secure your data and personal information when you set up digital payments with us.

In this article, I will walk you through the ins and outs of what we do to ensure application security at 2C2P. I’ll also share some of the most common threats we look out for in our fight against fraud and other security hazards.

What is application security?

In a nutshell, application security is the practice of securing the data flow of applications. This is different from your generic network and security issues. When we say ‘data flow’, we explicitly refer to the flows of data between 2C2P, our merchants, banks, and agencies.

With so much data passed to and from different points, we need to secure all of it. To help you visualise how this whole network works, consider your home Internet setup.

Let’s say your network is super secure - you’re a go-getter with top-notch antivirus software, plus you always keep your software and drivers up to date. But maybe your passwords are simple and easy to guess. This means that they are at risk of being exposed to potential hackers.

And here’s where application security comes in. When the developers and architects are building applications, they must also be conscious of the data that they handle. Sensitive information should never be displayed and must always be encrypted or masked.

This scenario is different from server and network security, which focuses on establishing the server’s immunity to hacking. Proper defences must be set up to prevent unauthorised people from easily accessing this server.

Now that you have a basic understanding of application security, let’s look at some of the critical threats it defends against.

What are the main types of security threats?

We broadly divide security threats into two separate categories: external and internal. Allow me to walk you through each of these categories and how they work.

External threats

Let’s start with external threats. When we see this term, it’s easy for us to assume that the attacker is always someone unrelated to the transaction. However, that’s not true at all. Our customers can also become threats, especially when they are defrauded.

Public education is, of course, essential to teach customers how to protect themselves. But at the same time, we need to put up safeguards to reduce the occurrence of such cases. The biggest challenge for us is to figure out a failsafe way to build these safeguards.

Like everyone else working in the security space, we’re always trying to keep up with the hackers and scammers. Hacking and scamming have become very sophisticated in the digital age. So organisations and businesses need to think ahead and anticipate all possible traps that may arise to ensnare them.

Internal threats

Apart from external threats, we have internal ones that arguably pose a higher risk. After all, the internal staff are experts intimately familiar with the relevant security systems - they know how things work and are aware of all the possible loopholes.

Application security is thus essential to defend against internal threats, as it puts up the necessary safeguards that prevent even system owners themselves from hijacking their own security system.

The first step is to mask all sensitive data on display like passwords and card details as well as encrypt or hash them in transit and at rest (when stored). When any of our staff attempt to diagnose any issues that may arise, the transaction logs would not disclose any of this information to them.

Our next step is to restrict access rights. This applies to information that isn’t strictly sensitive, but is still sensitive enough to warrant restricting access to certain people. Examples of such information are name, address, and email - these nuggets of information are protected by the Personal Data Protection Act (PDPA).

In 2C2P, different teams have different levels of access to information. Some only have access rights to local information, while others are allowed to handle data on a regional level. Even if you have the highest access authority in 2C2P, there are still some actions that you’re not authorised to perform.

At the same time, we need to be realistic. Implementing security measures is vital, but it’s not viable to activate all of them due to cost, resourcing issues, and business needs. After all, increasing your security often means reducing convenience as a trade-off. That’s why we need to discern which measures to invest in and accept the opportunity costs incurred as a result.

Basically, you can’t be 100% secure - your business won’t be able to function when too many security measures restrict it!

Now that you have a clearer picture of the threats we grapple with in application security, I can show you the lines of defence that we build to counter them.

The lines of defence in application security

In application security, we set up three core lines of defence for every party involved in the digital payment process: merchants, customers, and acquirers.

Each wall is reinforced with an arsenal of tools and protocols to fortify them against all security threats robustly.

Read on to learn about the lines of defence that we build at 2C2P:


On the merchant front, our defences specifically target the API calls that merchants make to 2C2P. There are many libraries through which merchants can make these API calls, and it is these very libraries that we protect against attackers.

At 2C2P, we enable a wide range of security protocols, such as encryptions, hashing signatures, JSON Web Tokens (JWTs), mutual TLS (mTLS) and Commons HTTPS. All these tools work together to authenticate and verify the integrity of the requests to the APIs.

2. Customers

Ever entered a website that looks exactly like your bank’s? Aside from a few odd-looking characters in the URL, nothing else tells you that the website is spoofed. Financial players often have to mitigate such incidents to protect customers from sharing sensitive information.

Internally, we run checks on the customer journey and flow to reduce the risk of customers getting scammed. We also advise merchants on best practices to protect their customers. We would recommend the most secure integrations to merchants, get them to ensure the consistency of their UI, and also advise them not to ask for sensitive information unless absolutely necessary.

Third Parties

Lastly, our crucial area of concern lies in the transaction flows between third parties like kiosks and convenience stores - for alternative payments - to acquirers and payment gateways like 2C2P.

Under such scenarios, the customer might take a longer time to make payments at acceptance points like convenience stores, ATMs or kiosks. While this window period may seem insignificant at first glance, it’s more than enough time for attackers to jump in and compromise the whole transaction flow. And they do this by simulating payments instead of making actual payments.

That’s why we need to verify the identities of the third parties involved. We adopt the industry’s best practices and comply with the latest accreditations established by the Payment Card Industry (PCI) Security Standards Council to ensure integrity of third party notifications.

On top of these three lines of defence, we also scan for threats and perform application penetration tests and vulnerability tests to identify anomalies from the application environment as well as the application itself.

What security threats keep experts up at night?

I’m especially wary of human errors that could occur even with thorough training. I understand that accidents can happen, but these errors could potentially be grievous and trigger severe breaches in our overall security systems.

Moving forward with application security

The security world is dynamic and volatile, prone to changes at the drop of a hat. As much as we need to be highly adaptable and respond to these changes, this doesn’t mean that there’s nothing we can do to stay grounded.

First and foremost, 2C2P is a global payment gateway. It’s thus our responsibility to cater our security measures to all our merchants in every country we operate in - whether they are in Singapore, Malaysia, Thailand, the Philippines, or anywhere else. In doing so, we’ll be able to craft the best solutions to mitigate security risks for everyone effectively.

Next up, we need to do more to educate our customers. Previously, the respective organisations were in charge of strengthening their security processes. However, it’s also important for us to inform our customers on basic things like common fraudster tricks.

Education has become especially critical given the rise of Web 3.0. While the promise of decentralising assets does seem attractive at first glance, the customer now bears an even greater responsibility to manage them without a centralised authority to protect them.

About 2C2P

2C2P is a full-suite payments platform helping businesses securely accept payments across online, mobile and offline channels, as well as providing issuing, payout, remittance and digital goods services.

With over 250 payment options ranging from credit cards to mobile wallets and an alternative payments network of more than 400,000 physical locations, 2C2P is the preferred payments platform of tech giants, airlines, online marketplaces, retailers and other global enterprises.

Want to empower your business further with digital payments? Our friendly team is ready to help - talk to us today.