Monday, 24 March 2025

UK Cybersecurity Weekly News Roundup - 23 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

NHS Scotland Confirms Cyberattack Disruption

On 20 March 2025, NHS Scotland reported a major cyber incident that caused network outages across multiple health boards. The cyberattack disrupted clinical systems and led to delayed patient care, with staff reverting to paper-based processes. The incident has been linked to a suspected ransomware group, although official attribution is still pending. Investigations are ongoing with support from the National Cyber Security Centre (NCSC).

Further coverage from The Register confirmed that some systems were taken offline to prevent further spread, while emergency care remained operational. The affected regions included NHS Dumfries and Galloway, which issued a statement urging patients to only attend if absolutely necessary. (Read more on The Register)

NCSC Weekly Threat Report – 22 March 2025

The NCSC's latest threat report highlights ongoing exploitation of known vulnerabilities in Progress Telerik UI by state-aligned threat actors. The report urges UK organisations to patch vulnerable systems immediately, as attackers continue to target unpatched web servers.

Additionally, the NCSC notes an increase in malicious QR code campaigns—so-called "quishing"—where attackers embed phishing URLs into QR codes used in emails, posters, or even receipts. Organisations are advised to educate staff and implement QR code scanning policies.

Cyber Threats on the Rise as UK Eyes General Election

As the UK gears up for a general election later this year, the NCSC has raised concerns over potential interference campaigns and disinformation efforts by hostile states. Security services are reportedly on high alert, coordinating with political parties to bolster cyber resilience. While no major incidents have been reported yet, the threat landscape is being closely monitored.

Quick Bytes

  • New phishing campaign mimics HMRC emails demanding urgent tax repayment. Be vigilant and double-check all official correspondence.
  • UK universities warned of increased targeting by espionage-motivated groups, particularly in the fields of AI and quantum computing.
  • ICO fines a London-based telemarketing firm £130,000 for unlawful data use and non-compliance with GDPR.

That’s all for this week! Stay tuned for more updates, and follow best practices to keep your systems secure.


Sunday, 16 March 2025

UK Cybersecurity Weekly News Roundup - 16 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Government's Stance on Encryption Raises Global Concerns

The UK government has ordered Apple to provide backdoor access to iCloud users' encrypted backups under the Investigatory Powers Act of 2016. This secret order applies not just to UK users but potentially to Apple users worldwide. In response, Apple has removed its Advanced Data Protection feature in the UK, expressing disappointment. This move has significant implications, raising concerns about global user privacy and security. Experts argue that creating backdoors compromises overall security, potentially allowing malicious entities to gain access. Apple's compliance or resistance will set a precedent for other governments seeking similar access. Read more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

Sellafield, the world's largest plutonium store, has been taken out of special measures for physical security by the UK's nuclear industry regulator, the Office for Nuclear Regulation (ONR). This decision follows significant improvements in guarding arrangements, allowing routine inspections instead of enhanced regulatory oversight. However, concerns regarding its cybersecurity remain. Last year, Sellafield was fined almost £400,000 for cybersecurity failings, allegedly involving hacking groups linked to Russia and China. While there was no conclusive evidence of a successful cyber-attack, cybersecurity remains a critical concern. Read more

UK Businesses Face Significant Financial Impact from Cyberattacks

In the past five years, cyberattacks have cost British businesses approximately £44 billion ($55.08 billion) in lost revenue, with 52% of private sector companies experiencing at least one attack during that period, according to insurance broker Howden. On average, these attacks cost companies 1.9% of their annual revenue. Larger companies, with over £100 million in annual revenue, are more likely to be targeted. Despite the significant risk, only 61% of businesses employ anti-virus software, and only 55% use network firewalls, due to cost and lack of internal IT resources. Read more

Global Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly sanctioned Zservers, a Russian bulletproof web-hosting service provider, and two Russian operators linked to it for supporting the LockBit ransomware syndicate. The U.S. Treasury Department's Office of Foreign Assets Control, along with its U.K. and Australian counterparts, targeted Zservers for facilitating LockBit attacks by providing specialized servers resistant to law enforcement actions. Lock

Sunday, 9 March 2025

UK Cybersecurity Weekly News Roundup – 9 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Microsoft Engineer's Transition to Cybersecurity

Ankit Masrani, a 36-year-old software engineer, successfully transitioned into a cybersecurity role at Microsoft. With a background in IT and a Master's degree in computer science, Masrani secured an internship and later a full-time position at AWS, focusing on data and network security. He now serves as a principal software engineer on Microsoft's Security Platform team, emphasizing the importance of skills in big data technologies, machine learning, cloud services, and comprehensive security knowledge for such career pivots. Read more

StubHub Breach: Taylor Swift Tickets Stolen

Cybercriminals exploited a backdoor in StubHub's system, stealing nearly 1,000 tickets, primarily for Taylor Swift's Eras Tour, resulting in over $600,000 in profits. The breach highlights vulnerabilities in ticketing platforms and the need for robust cybersecurity measures to protect consumer interests. Learn more

UK's Cyber Security and Resilience Bill Introduced

The UK government has introduced the Cyber Security and Resilience Bill, aiming to update existing regulations and strengthen the nation's cyber defenses. The legislation seeks to expand regulatory oversight, enforce stringent cybersecurity measures across various sectors, and introduce mandatory compliance with established standards to protect critical infrastructure and the digital economy. Details here

British Library Cyberattack: A Wake-Up Call

In October 2023, the British Library suffered a significant ransomware attack by the Rhysida group, leading to the theft of approximately 600GB of data. The attack disrupted services, delayed payments to authors, and highlighted vulnerabilities in cultural institutions. Recovery efforts are ongoing, emphasizing the need for robust cybersecurity measures in public sector organizations. More information

Global Impact: US Charges Chinese Hackers

The US Department of Justice has charged 12 Chinese nationals, including hackers and government officials, for their roles in extensive cybercrime campaigns targeting dissidents, news organizations, U.S. agencies, and universities. This action underscores the growing concerns over state-sponsored cyber espionage and the need for international cooperation in cybersecurity. Read the full story

Protecting Your Devices: Recent TV Box Malware Attack

TV owners are urged to perform essential security checks following a cyber attack affecting 1.6 million Android TV devices. Hackers infiltrated home networks through TVs, stealing data and using devices to mine cryptocurrencies, leading to increased energy bills. Users should update devices, uninstall unused apps, install anti-malware software, and avoid third-party vendors to safeguard against such threats. Learn how to protect your devices

Stay informed and vigilant to protect your digital assets in this evolving cybersecurity landscape.

Monday, 3 March 2025

UK Cybersecurity Weekly News Roundup – 2 March 2025

UK Government's Encryption Demands Lead to Apple's Data Protection Withdrawal

The UK government has mandated that Apple provide access to encrypted iCloud backups under the Investigatory Powers Act of 2016. In response, Apple has withdrawn its "Advanced Data Protection" feature for UK users, citing concerns over user privacy and security. This move has sparked a global debate on the balance between national security and individual privacy rights. Read more

International Sanctions Target Russian Cybercrime Network

The United States, United Kingdom, and Australia have jointly imposed sanctions on Russian web-hosting provider Zservers and two Russian nationals for supporting the ransomware group LockBit. This group has been linked to numerous high-profile cyberattacks, including those on Boeing and the UK's National Health Service, extorting over $120 million since 2019. Learn more

Sellafield Nuclear Site Improves Physical Security Amid Cybersecurity Concerns

The UK's Office for Nuclear Regulation has acknowledged significant improvements in physical security at the Sellafield nuclear site, leading to its removal from special measures. However, ongoing cybersecurity challenges persist, highlighting the need for continued vigilance in protecting critical infrastructure. Details here

Google Expands AI Initiatives in Poland to Enhance Energy and Cybersecurity

Google has signed a memorandum with Poland to develop artificial intelligence applications in the energy and cybersecurity sectors. This initiative aims to bolster Poland's technological infrastructure and reduce reliance on external energy sources, amidst increasing cyber threats. More information

US Department of Homeland Security Overhauls Cybersecurity Personnel

The Department of Homeland Security is set to terminate 12 employees from the Cybersecurity and Infrastructure Security Agency involved in monitoring misinformation. Additionally, all election security activities are temporarily paused to assess implications on free speech, reflecting ongoing debates about the role of federal agencies in regulating information. Read the full story

AI Safety Policies Shift Focus Towards Security

Recent policy changes in the US and UK are reframing AI safety as a security-focused issue, potentially sidelining ethical considerations such as bias and content accuracy. This shift has raised concerns among experts about the comprehensive governance of AI technologies. Explore the implications

Polish Space Agency Suffers Cyberattack

The Polish Space Agency (POLSA) detected unauthorized access to its IT infrastructure, prompting immediate security measures. Investigations are underway to identify the perpetrators, amid ongoing concerns about cyber threats targeting national agencies. Find out more

Australian IVF Clinic Hacked, Exposing Sensitive Patient Data

Genea, an Australian IVF clinic, suffered a ransomware attack by the group Termite, compromising nearly a terabyte of sensitive patient data. The breach has raised significant concerns about data security in healthcare institutions. Read more

US Treasury Department Breached by Chinese Hackers

The US Treasury Department disclosed a significant cybersecurity breach attributed to Chinese state-sponsored actors. The attackers accessed unclassified documents, highlighting vulnerabilities in federal cybersecurity defenses. Learn more

UK's War on Encryption Affects Global User Privacy

The UK's demand for access to encrypted iCloud data under the Investigatory Powers Act has led to Apple's withdrawal of its Advanced Data Protection feature for UK users. This move has significant implications for global user privacy and sets a concerning precedent for government overreach into personal data. Read the a

Monday, 24 February 2025

UK Cybersecurity Weekly News Roundup – 24 February 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

Home Office Contractor's Data Collection Sparks Privacy Concerns

The Home Office faces scrutiny after revelations that its contractor, Equifax, collected data on British citizens while conducting financial checks on migrants applying for fee waivers. A report mistakenly sent to the Refugee and Migrant Forum of Essex and London (Ramfel) contained information on 260 individuals dating back to 1986, raising significant privacy issues. The Home Office has ceased using Equifax for visa fee waiver processing pending an investigation into the potential data breach. Read more

Apple Withdraws Advanced Data Protection in the UK Amid Government Dispute

Apple has removed its Advanced Data Protection (ADP) feature for UK users following a dispute with the British government. The government demanded access to encrypted material on Apple's iCloud under new evidence-collection powers. Apple, opposing the creation of a "back door" to its encryption service, opted to discontinue ADP in the UK. This decision highlights ongoing tensions between tech companies and governments over privacy and security regulations. Learn more

Sellafield Nuclear Site Improves Physical Security but Cyber Concerns Persist

The UK's Office for Nuclear Regulation (ONR) has removed Sellafield nuclear site from special measures concerning physical security, citing significant improvements. However, concerns over cybersecurity remain. Sellafield has been under scrutiny due to previous safety issues and cybersecurity deficiencies. Collaborative efforts are ongoing to address these challenges as the site continues to manage the nation's nuclear waste. Full story

UK Government Introduces AI Cybersecurity Standards

The UK government has unveiled a new Code of Practice aimed at protecting AI systems from cyber-attacks. This initiative seeks to provide businesses and public services with guidelines to secure AI technologies, thereby safeguarding the digital economy. The voluntary code is expected to form the basis of a global standard for AI security, reinforcing the UK's position as a leader in safe technological innovation. Details here

Cyberattacks Cost UK Businesses Over £40 Billion in Five Years

Recent findings reveal that cyberattacks have cost British businesses approximately £40 billion in lost revenue over the past five years. More than half of private sector companies have experienced at least one attack, with compromised emails and data theft being the most common threats. Despite the increasing risks, many businesses lack adequate cybersecurity measures, often due to high costs and limited IT resources. Read the report

Stay tuned for more updates and insights in our next weekly roundup.

Monday, 13 September 2021

Prevention is Better Than Cure: The Ransomware Evolution

Ransomware tactics have continued to evolve over the years, and remain a prominent threat to both SMBs and larger organisations. Particularly during the peak of COVID-19, research by IBM found that ransomware incidents ‘exploded’ in June 2020, which saw twice as many ransomware attacks as the month prior, taking advantage of remote workers being away from the help of IT teams. The same research found that demands by cyber attackers are also increasing to as much as £31 million, which for businesses of any size, is detrimental for survival.

In recent months, ransomware attacks have not left mainstream media headlines. With the number and frequency of ransomware attacks increasing, not to mention the innovation in distribution methods, this should be a wake-up call for organisations to strengthen their defences. Jack Garnsey, Product Manager for Security Awareness Training and SafeSend at VIPRE, explains that by taking a preventative approach, businesses can take the necessary steps to strengthen their cybersecurity posture. This includes a combination of education, processes, hardware and software to detect, combat and recover from such attacks if they were to arise.

Ransomware in the 21st Century
Ransomware is not a new phenomenon, but its use has grown exponentially and has led to the development of the term ‘Ransomware as a Service’ (RaaS), a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks.

As ransomware incidents become more sophisticated and frequent, such as the increase in fileless attacks which exploit tools and features that are already available in the victim’s environment, the level of potential damage to a business is heightened. These types of attacks can be used in combination with social engineering targeting, such as phishing emails, without having to rely on file-based payloads. And unfortunately, ransomware is extremely difficult to prevent – all it takes is one employee clicking on the wrong link in an email or downloading a malicious attachment.

No matter the size of an organisation, the effects of ransomware can be devastating financially, as well as inflicting longer-term damage to business reputation. The Irish Department of Health and Health Service Executive (HSE) was recently attacked by the Conti ransomware group, who reportedly asked the Health Service for $20 million (£14 million) to restore access. This attack caused substantial cancellations to outpatient services, part of a system already stretched to its limit due to COVID-19. Some ransomware gangs operate by a flimsy code of "ethics", stating they don't intend to endanger lives, but even if a minority of ransomware organisations are developing a sense of conscience, businesses are not exempt from the damage that can be done by such attacks.

Additionally, in the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack that took its service down for five days, causing supplies to tighten across the US. Unfortunately, when under attack, a majority of businesses, like the major pipeline, often pay the ransom. Luckily for Colonial Pipeline, some of the money was later recovered by the US Department of Justice's Ransomware and Digital Extortion Task Force. But if they pay once, they will pay multiple times. A successful ransomware attack can be used repeatedly against many organisations, turning an attack into a cash cow for criminal organisations offering Ransomware as a Service. So much so that there is now an ongoing debate around whether it should be illegal for businesses or individuals to pay a ransom, in order to deter the attackers, or at the minimum whether they should be required to report it to the necessary regulators.

Contain and Report It
If a ransomware attack were to take place, it is important that the organisation works with local authorities to try to rectify the issue and follow the guidance. Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies.

Prevention is always better than cure, and damage limitation and containment are important right from the outset. As the United States President, Joe Biden, highlighted in his recent letter to business leaders around ransomware: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.”

Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to every disaster recovery plan is backups. Once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity.

As soon as the main threat has passed, it is recommended that all organisations conduct a full retrospective audit, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful – not only for the customer, client or patient reassurances but also for other organisations to understand how they can prevent an attack of this type from being successful again.

The Support of Digital Tools
When it comes to ransomware, the importance of getting security foundations right must be emphasised. These attacks are not likely to stop or slow any time soon, but their success can be prevented with the right security armoury.

To mitigate the threat of ransomware in particular, it is crucial to have secure endpoint protection in place which protects the file, application and network layers across a number of devices, and to respond to security alerts in real time. This has never been more important than during the ongoing pandemic, where employees are dispersed and working from home, in order to ensure all devices are protected and comply with the same standards.

Additionally, solutions such as email attachment and URL sandboxing are also important, as these digital tools provide strong protection against malicious emails. They can help prevent dangerous links, attachments or other forms of malware from entering the user's inbox by examining and quarantining them. By filtering out this traffic and automatically restricting dangerous content, businesses can maintain greater control over email and the access points to the network.

The Human Layer
The users themselves are a key part of any security strategy. Those who are educated about the types of threats they could be vulnerable to, how to spot them and the steps to take in the event of a suspected breach, are a valuable and critical asset to any organisation.

Employees need to be trained to be vigilant, cautious, suspicious and assume their role as the last line of defence when all else fails. The final decision to click send on an email or a link lies with the human, but this one click could mean the entire organisation falls prey to a ransomware attack. The key is to change the mindset from full reliance on IT, to one where everyone is responsible. In order to strengthen a business’ human layer protection, security awareness training and education must be implemented across the board.

These programmes are designed to support users in understanding the role they play in helping to combat attacks and malware. Using phishing simulations, for example, as part of the wider security strategy, will help to give employees insight into real life situations they may face at any point. The importance of testing your human firewall was also outlined in Joe Biden’s ransomware letter: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”

Conclusion

Cyber security is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people, to the tools we give to the users. Nevertheless, businesses of all sizes can safeguard their data and themselves from these types of ransomware attacks by investing in their cybersecurity and ensuring their workforces are conscious and informed of the threats they face.

Both detection and prevention play a key role in stopping ransomware, but it shouldn’t be one or the other. The essence of a solid cybersecurity strategy is a layered defence that includes endpoint detection and response, email security, advanced threat protection, web security and a business-grade firewall for the security of your network – at its most basic. But even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practices, can provide a fortified strategy for users to mitigate the threat of a cyberattack.

Friday, 13 August 2021

How Businesses Can Utilise Penetration Testing

Understand your security vulnerabilities
Article by 
Beau Peters

The basic approaches like phishing simulations are good, but they tend to have limited reach. This is why more agile methods, penetration testing among them, have been getting increasing attention. In essence, this sees experts with a background in ethical hacking utilizing the techniques of cybercriminals to breach a business’ systems. This also receives a certain amount of hesitancy — business owners are often unsure about the idea of letting somebody hack their systems in the name of cybersecurity.

As always, there is more to this issue. So, let’s explore what penetration testing is, why businesses should engage with it and how they can do so to get the most impact.

What are the Benefits?
Penetration testing requires a significant amount of trust. Therefore, it’s important to look at what the payoffs of this approach are as opposed to ostensibly safer techniques.

Some of the key benefits include:
  • Ascertaining Vulnerabilities
Penetration testing tends to be the most direct and reliable approach to identifying what parts of a company’s systems are vulnerable to attack. In general, testers will go through each aspect of the network architecture, the website and software code, applications, and hardware to identify where weaknesses lie. This doesn’t just apply to external threats but internal issues, too.

These experts are also approaching their review of a business’ systems with the creative, outside-of-the-box thinking cybercriminals are likely to use. As such, companies benefit from perspectives not usually offered by in-house information technology staff. Once points of vulnerability have been identified, the tester will often provide information about what issues are the highest priority to handle based on the severity of the risk and the consequences. 
  • Maintaining Trust
Perhaps above all else, the benefit of penetration testing is the opportunity to maintain and strengthen trust between a business, its customers, and its supply chain. This is vital given the amount of consumer and partner data companies are gathering and storing. Security is particularly vital in cases when companies are undergoing data democratization — where important data is not just accessible to analysts and leadership but to all members of the organization.

This can be an empowering use of data, helping workers to understand how best to use and protect such information. However, alongside practical obstacles like deficient tools and siloed data, there is a need to prevent breaches. Penetration testing identifies where risks are throughout democratization practices, giving businesses the tools to strengthen their approaches. In turn, consumers and suppliers are assured their data is used to its best purpose and kept safe.

Understand the Needs
While penetration testing utilizes curious, creative ethical hackers, businesses shouldn’t be mistaken in thinking this means it’s a simple process. It requires technological experts who usually go through at least five stages of protocols — from planning the right approach for the goals of the test to analyzing the data they’ve received and compiling a detailed report. The testing methodologies, too, can vary depending on the circumstances. As such, to make the most out of the process, businesses need to have a clear idea of what their needs are.

Some of the common tests and the relevant needs they serve include:
  • Application Testing
Many brands are producing their own apps to improve customer engagement. However, consistent data security can be difficult to achieve, particularly when working across multiple operating systems. Application penetration testing is used to spot flaws in the current security controls, as well as in how the apps interact with users' devices and where they expose vulnerabilities to consumers.
  • Physical Testing
Businesses often think cybersecurity attacks will originate remotely. But when a company keeps its servers and equipment on-site, there is potential for criminals to break into the premises and cause a breach. Hacks may even come from staff. Physical penetration testing should, therefore, be sought to understand whether the equipment is vulnerable to the types of tools and methods in-person hackers may use.
  • Wireless Testing
Businesses are increasingly utilizing wireless tools for integral parts of operations. This includes capturing sensitive data through contactless payment machines or sensors on Internet of Things (IoT) devices that track and control the supply chain. Wireless penetration testing can be used to understand how easy it is to illicitly collect data or even disrupt operations through the connected ecosystem. Testers will also confirm where stricter measures need to be in place to prevent access.

Finding the Right Expert
Having established what pen testing is and how it can fit in with a business, how can companies find the right people for the job? After all, one of the key concerns companies have in this area is that they are essentially hiring hackers — there’s a lot of social and legal baggage accompanying this activity.

When bringing on a consultant or hiring an in-house tester, the best approach is to look for relevant certification. Some of the most recognized examples here include the Certified Ethical Hacker licenses issued by the International Council of E-Commerce Consultants (EC-Council), and the Certified Penetration Tester course offered by the Information Assurance Certification Review Board (IACRB). Global Information Assurance Certification (GIAC) also provides various specialized qualifications that are considered to be reliable. These courses are designed to provide knowledge not just about the technical skills to positively impact a business, but also the ethical standards to help make sure testers are staying on the right moral and legal track throughout their activities.

Conclusion
Penetration testing is an agile tool offering various benefits for businesses, including maintaining trust and highlighting points of vulnerability. However, it’s important to remember that getting the most out of the process requires clarity on the company’s challenges and goals for testing, alongside sourcing the relevant certified tester to collaborate with.

Wednesday, 28 July 2021

Payment Security: Understanding the Four Corner Model

Introduction
Online digital payment transactions may seem quite simple, but in reality a single transaction sets off a long chain of reactions. The Payment Card Industry comprises debit card, credit card, prepaid, e-purse/e-wallet, and POS payment transactions that make payment easy for consumers. The card scheme is a popular payment transaction process: a central payment network that processes payments made with credit and debit cards.

The card scheme comes in two variants, namely the Three-Party Scheme and the Four-Party Scheme payment model. The Four Corner Model, also popularly known as the Four-Party Scheme, is the model under which most of the payment systems in the world operate. It is used in almost all standard card payment systems around the globe. Below we explain in detail how the Four Corner Model works and the role of every entity involved in it.

The Four Corner Model of Payment Security and How it Works
In the Four-Party Scheme the card payment network connects four entities involved in a transaction: the Cardholder, the Merchant, the Issuer, and the Acquirer. Before looking at how the Four Corner Model works, let us briefly cover each entity and its role in the process.

Cardholder
Cardholders are consumers who have been issued a debit or credit card by a financial institution, such as a bank. The cardholder is a customer of the issuing institution and usually has an account directly linked to the payment card. The cardholder uses the card to pay for products or services purchased from businesses.

Merchant
Merchants are organisations that accept card payments from cardholders for the products or services they offer. A merchant may accept "Card Present" payments, for instance at a card swipe, chip or contactless terminal, and/or "Card Not Present" payments through an online portal or a mobile checkout. E-commerce platforms, restaurants, hotels and shops equipped with POS payment terminals are all merchants. Even an ATM can be considered a merchant in this model, since the defining role of the merchant is to accept payment cards.

Issuer/Issuing Bank
The issuer is the financial institution that issues the payment card to the cardholder. It is generally a bank, and the card may be a debit, credit or prepaid card. The card is issued under the brand of a card scheme such as Visa or Mastercard, or of a domestic scheme or private payment network; the scheme licenses the brand, but the issuing bank is the party that holds the cardholder's account and decides whether each transaction is authorised. The issuer is also responsible for the security of the card itself, including the cryptographic keys on the chip, and for the other security controls around the card.

Acquirer
The acquirer, or acquiring bank, is the financial institution that holds the merchant's account and processes card payments on the merchant's behalf. It connects the merchant to the card networks, forwards authorisation requests to the issuer and returns the issuer's response and authorisation code to the merchant, and credits the merchant's account once the transaction has been cleared and settled, net of fees. Because the acquirer bears the financial risk if a merchant fails to deliver the goods or services it has been paid for, it underwrites its merchants and handles chargebacks raised against them. In practice many merchants do not connect to the acquirer directly: a payment gateway or payment service provider such as Razorpay, PayU or Paytm supplies the terminal or checkout software and aggregates transactions, but such providers act on behalf of an acquiring bank and are not themselves the acquirer.

How the Four Corner Model Works
The Four Corner Model comes into play whenever a consumer pays with a payment card for products or services purchased from a merchant, whether at a terminal or online. The payment triggers a flow of authentication and processing messages between the entities involved. For this to happen, the cardholder needs a payment card and the merchant's POS terminal or checkout must be able to accept it.

When a customer pays with the card, an authorisation request travels from the merchant's POS terminal to the acquirer, and from there to the issuer, which returns either an approval or a decline; the response travels back through the acquirer to the merchant and finally to the cardholder. The authorisation request and its response can be observed on the POS terminal screen. Between acquirer and issuer, these messages are carried by the card scheme networks such as Visa and Mastercard, which operate a vast network of switches, gateways and servers. On receiving a positive response from the issuing bank, the merchant delivers the goods or services to the customer. It is worth noting how this differs from a three-party scheme, of which American Express is the usual example: there the scheme itself acts as both issuer and acquirer, so the merchant's authorisation request goes to the scheme, which also holds the cardholder's account. The same authorisation steps occur, but there is no interbank clearing between separate issuing and acquiring banks.

Authorisation is only one side of the payment process. It is followed by clearing and settlement, which require the merchant to submit the captured transaction details to the acquirer, typically in an end-of-day batch. The acquirer passes these transactions through the card network to the issuers, which debit the cardholders' accounts, and the funds then move from the issuing banks to the acquirer through interbank settlement. Only after that settlement does the merchant's bank credit the merchant, net of the scheme and acquirer fees.
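As an added example, not part of the original post and not VISTA InfoSec's own code, the following Python simulation models the authorisation, clearing and settlement flow described above with four toy parties and a card network routing between them. The bank names, balances, the 2% fee, the test PAN and the authorisation-code derivation are all constructed for illustration; the response codes mirror the ISO 8583 convention ("00" approved, "51" insufficient funds). The point it makes visible is that authorisation places a hold but does not move money, that the merchant keeps only a masked PAN and the authorisation code, and that the merchant is credited only after clearing and settlement.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import hashlib
import hmac
import itertools

# Response codes in the style of ISO 8583 field 39.
APPROVED = "00"
INSUFFICIENT_FUNDS = "51"


@dataclass
class Issuer:
    """Issuing bank: holds the cardholder accounts and alone decides each authorisation."""
    name: str
    accounts: dict                              # PAN -> balance (constructed sample data)
    auth_key: bytes                             # constructed key for deriving authorisation codes
    holds: dict = field(default_factory=dict)   # auth_code -> (pan, amount) awaiting clearing
    owed_to_acquirers: Decimal = Decimal("0")

    def authorize(self, pan, amount, stan):
        held = sum(a for p, a in self.holds.values() if p == pan)
        if amount > self.accounts[pan] - held:          # open holds reduce available funds
            return INSUFFICIENT_FUNDS, None
        # Authorisation code bound to this request; the merchant cannot predict or forge it.
        # Illustrative derivation only: real issuers use their own schemes.
        msg = f"{pan}|{amount}|{stan}".encode()
        code = hmac.new(self.auth_key, msg, hashlib.sha256).hexdigest()[:6].upper()
        self.holds[code] = (pan, amount)
        return APPROVED, code

    def clear(self, auth_code, amount):
        pan, held = self.holds.pop(auth_code)           # unknown code -> KeyError
        if amount > held:
            raise ValueError("capture exceeds authorised amount")
        self.accounts[pan] -= amount                     # cardholder is debited only now
        self.owed_to_acquirers += amount                 # paid out in interbank settlement


class Network:
    """Card scheme: routes by BIN and numbers each message; it never sees account balances."""
    def __init__(self, issuers_by_bin):
        self.issuers_by_bin = issuers_by_bin
        self._stan = itertools.count(1)                  # system trace audit number

    def route_auth(self, pan, amount):
        return self.issuers_by_bin[pan[:6]].authorize(pan, amount, next(self._stan))

    def route_clearing(self, pan, auth_code, amount):
        self.issuers_by_bin[pan[:6]].clear(auth_code, amount)


@dataclass
class Acquirer:
    """Acquiring bank: forwards authorisations and pays the merchant after settlement."""
    name: str
    network: Network
    fee_rate: Decimal                                    # merchant discount rate (constructed)
    pending: dict = field(default_factory=dict)          # auth_code -> (merchant_id, pan, amount)
    batch: list = field(default_factory=list)            # captured transactions awaiting clearing
    merchant_accounts: dict = field(default_factory=dict)
    received_from_issuers: Decimal = Decimal("0")

    def authorize(self, merchant_id, pan, amount):
        rc, code = self.network.route_auth(pan, amount)
        if rc == APPROVED:
            self.pending[code] = (merchant_id, pan, amount)
        return rc, code

    def capture(self, auth_code):
        # The merchant refers to the authorisation, not to the PAN, when it captures.
        self.batch.append((auth_code,) + self.pending.pop(auth_code))

    def settle(self):
        for auth_code, merchant_id, pan, amount in self.batch:
            self.network.route_clearing(pan, auth_code, amount)
            self.received_from_issuers += amount         # interbank settlement, gross amount
            net = (amount * (1 - self.fee_rate)).quantize(Decimal("0.01"))
            self.merchant_accounts[merchant_id] = self.merchant_accounts.get(merchant_id, Decimal("0")) + net
        self.batch.clear()


@dataclass
class Merchant:
    """Merchant: accepts the card, retains only a masked PAN and the authorisation code."""
    merchant_id: str
    acquirer: Acquirer
    receipts: list = field(default_factory=list)

    def checkout(self, pan, amount):
        rc, code = self.acquirer.authorize(self.merchant_id, pan, amount)
        if rc == APPROVED:
            self.receipts.append({"pan": "*" * 12 + pan[-4:], "auth": code, "amount": amount})
            self.acquirer.capture(code)                  # goods delivered, transaction captured
        return rc, code


def run_demo():
    """Two purchases on a constructed card: the second is declined because of the first's hold."""
    pan = "4111111111111111"                             # well-known test PAN, constructed data
    issuer = Issuer("Issuing Bank", {pan: Decimal("100.00")}, b"issuer-auth-key")
    network = Network({pan[:6]: issuer})
    acquirer = Acquirer("Acquiring Bank", network, Decimal("0.02"))
    merchant = Merchant("M-001", acquirer)

    first = merchant.checkout(pan, Decimal("60.00"))
    second = merchant.checkout(pan, Decimal("50.00"))    # only 40.00 available -> declined
    balance_before_clearing = issuer.accounts[pan]       # still 100.00: authorisation is not a debit
    acquirer.settle()
    return {
        "first": first,
        "second": second,
        "balance_before_clearing": balance_before_clearing,
        "balance_after_clearing": issuer.accounts[pan],
        "merchant_credit": acquirer.merchant_accounts["M-001"],
        "issuer_owes": issuer.owed_to_acquirers,
        "acquirer_received": acquirer.received_from_issuers,
        "receipt": merchant.receipts[0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the second purchase declined with "51" while the issuer's balance still reads 100.00, and only after `settle()` does the balance drop to 40.00 and the merchant account show 58.80 against the 60.00 the issuer owes the acquirer.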

Conclusion
The Four Corner Model is the model behind most card payment transactions. It is a systematic process in which sensitive transaction data, such as the cardholder's PIN and the card's chip cryptograms, is protected between each pair of parties as the authorisation and clearing messages move from merchant to acquirer to scheme to issuer. That protection depends on hardware security modules (HSMs) and automated key management at the issuers, acquirers and networks, which manage the many keys involved throughout their life cycles and keep criminals from compromising the transaction while it is being processed.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC)
is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Tuesday, 13 July 2021

Free Coventry University Course to Help Everyone Protect their Online Privacy

Now everyone can learn what privacy means, how your privacy is impacted when using the web and mobile apps, and how to protect your privacy online thanks to a free course from Coventry University.

The UK university has worked closely with experts including Pat Walshe at PrivacyMatters to create an informative online course, offering participants easy access to key information about how to keep their online privacy safe.

Coventry University has a strong reputation for its digital education provision and online offering after it was ranked number 1 in the world for the delivery of Massive Online Open Courses (MOOCs) by MOOCLabs for 2021.

With people's information and digital footprint becoming increasingly sought after, the university hopes the course will build further awareness while helping people stay protected online. Typically, data is collected through cookies and pixels on websites or by other means such as browser fingerprinting and trackers embedded in mobile apps. These tracking techniques allow multiple parties to learn about the pages you visit, what you click and view, what devices you use and your location, all of which have data protection and privacy implications.

Citizen Scientists Investigating Cookies and App GDPR compliance (CSI-COP), an EU Horizon2020 funded project led by Coventry University, has facilitated the free informal education course, called ‘Your Right to Privacy Online’. The project has already seen the creation of a privacy-by-design, no-tracking website.

The course is designed to help people gain the knowledge and skills to turn off tracking by disabling cookies on websites and changing app permissions on mobile devices. It features an introductory video, practical tasks and activities, a knowledge test and recommended reading to help participants stay safe online.

Huma Shah, Assistant Professor and Researcher in Artificial Intelligence at Coventry University, said: “We’re delighted to be able to tap into the university’s expertise in digital education to deliver this new, accessible and really useful course. The hope is that we can help as many people as possible to protect their online privacy and personal data while using the internet as well as giving them the tools and knowledge to better understand their rights to online privacy.”

Beyond the MOOC, members of the public can join the CSI-COP team as citizen scientists to explore the extent of tracking across the internet. Citizen science is a great way for volunteers to collaborate with research teams, raising awareness of issues impacting society and increasing trust between the general public and scientists.

Pat Walshe, Director for PrivacyMatters, said: “It’s never been more important to help people understand how their privacy is impacted when using websites and mobile apps and to help them protect their rights under data protection and ePrivacy law. I’m glad to see Coventry University working hard to achieve this with the development of this course which I’m sure will help greatly."

Find out more about this new course and the CSI-COP project.