
Inside Kiwi Fintech Laybuy’s PCI DSS Journey

Oleg Zavivaev, IT Operations and Security Manager for fintech solution Laybuy, shares thoughts on the most pressing cybersecurity challenges facing the fintech business, how to tackle third-party risks, and how executives and organisations can partner up for success.

With the rapidly advancing sophistication of cyber-attacks, companies are increasingly exposed, and public reports of breaches are growing.

Attacks today are no longer just simple automated bots hoping to take advantage of weak security. Instead, they are well prepared and well executed, and staying ahead of them requires greater forethought and constant attention.

Oleg Zavivaev is the IT Operations and Security Manager for Laybuy, a fast-growing Buy-Now-Pay-Later provider with a market leading position in New Zealand and the United Kingdom, and a growing presence in Australia.

Having begun his career in internal IT, security has always played a big part in Zavivaev’s job, and now it is a focus due to the nature of the fintech segment. Given this, one of Zavivaev’s main priorities is raising security awareness within the team at Laybuy.

“I have been afforded opportunities to advance my own knowledge and dive more deeply into cyber security as a primary focus for my career,” Zavivaev says.

Tackling third-party risks in fintech

When asked to share the most pressing issues he’s facing in his industry right now, Zavivaev stresses that the speed of constant advancement is what keeps him up at night.

“Staying ahead of those that seek to cause harm in ever more creative ways. Attacks on demand became a business on their own,” he says.

Keeping up with third-party threats and minimising possible damage is also a big challenge for Zavivaev.

“As we are heavily dependent on SaaS and PaaS it is very important to understand risks and threats each of the parties can introduce,” he says.

“Careful risk assessment, third parties onboarding review processes and choosing partners that can provide security compliance evidence can minimise those risks. Part of the challenge is to find and recruit employees with a background in security, compliance, audit and risk.”

Leaders and organisations collaborating and striving for stronger cybersecurity

The end of 2021 and beginning of 2022 was a very busy time for Zavivaev, and ultimately a successful period for him and his company.

In that period, Laybuy successfully secured PCI DSS Level 1 compliance certification, a major milestone for both the company and for Zavivaev himself.

“This was the first time I had been responsible for leading a team and a company through the PCI DSS certification process,” he says.

“I learned a lot, both about PCI DSS but also about how to lead cross-functional projects, how to bring stakeholders on the journey, and how to ensure that security always has a seat at the table.

“Additionally, during this time, I secured my CISM certification and am now working towards CISSP.”

When asked how he encourages his organisation to be more collaborative in his projects, Zavivaev says he recognised early in the PCI DSS project that, for it to gain traction within the company, security would need to be understood by all stakeholders and across a cross-functional team.

“To solve for this, I launched a monthly Information Security Group committee meeting, in which I provided a report of our security state to the stakeholders and got committee support from our board and executives,” he says.

“I have found that by bringing everyone on the journey and by being transparent around the challenges and goals, I have been increasingly more successful at gaining buy-in on security projects.

“Identifying cyber risks correctly and making them a part of business strategy is an important part of success for both growing and established businesses in order to keep partners and customers’ data safe, ensure high levels of trust for the company, and ultimately to protect the brand from any critical breaches.”

Zavivaev concluded that stressing the identification and assessment of risks as part of day-to-day security management helps to prioritise security activities and identify the current risk surface area.