Papua New Guinean businesses urged to act on cybersecurity

The risks to businesses in Papua New Guinea from cyber crime continue to rise as more business activity is conducted online. Business Advantage PNG gets some timely tips from one of KPMG’s top cyber experts on what you can do to protect your business, and also looks at how global payments giant Visa is working to protect online transactions.

Anthony Watson, Country Manager for Visa, speaking at the 2025 Innovation PNG conference. Credit: BAI.

While the “seismic changes” taking place in global payments present an opportunity for Papua New Guinean businesses, they also greatly increase the risk of fraud, according to Visa’s country manager for the Pacific Islands.

“We’re witnessing a shift away from the traditional four-party model, as we refer to it in payments: issuers, acquirers, merchants and cardholders,” Anthony Watson told the recent Innovation PNG Conference in Port Moresby.

“We’ve now got hundreds, if not thousands, of new businesses entering into the payments ecosystem and placing themselves across the transactions value chain,” he explained, pointing to features such as loyalty programs, mobile wallets, crypto payments and buy-now-pay-later schemes.

While these technologies provide opportunities for business, they “are available to fraudsters as well, and they’re seeking opportunities to penetrate into areas of a transaction flow,” Watson added.

“We’re seeing these threat actors continually probing networks for complex weaknesses, and they will exploit the vulnerabilities that are out there.”

Visa’s pathway to safer commerce

The Asia-Pacific has been a target for fraudsters, with e-commerce merchants reporting losses of US$36 out of every US$1000 they make to fraud, according to Watson.

He explained that Visa is focusing on four technologies aimed at providing a secure shopping experience well into the future.

The first is tokenisation, a process that replaces sensitive information with a unique, non-sensitive equivalent called a token.

“Tokens remain the bedrock of commerce in all countries we operate around the world. The Asia-Pacific has actually done quite well on tokenisation, but we’ve got a lot more work we need to do in Papua New Guinea,” he said.

Next is a passkey, which uses a biometric (such as a fingerprint or facial recognition) stored in a device such as a phone or laptop to authenticate a user.

“It drives a seamless shopping experience for consumers, enabling various parties within the value chain to verify the identity of the party holding the device at that point in time,” Watson said.

Third is click-to-pay, which creates a unified checkout experience, reducing friction for online transactions.

“It’s still nascent in Papua New Guinea, but I can see it now in our trends – over the next five years e-commerce will be as large as what you’re seeing in face-to-face transactions now, if not bigger,” Watson predicted.

The final piece is a “flexible credential,” making it easier for consumers to access their different payment methods, such as bank accounts, mobile money services, credit cards, or loyalty accounts.

“With flex, we see a pathway of being able to allow a single digital credential on the customer’s phone to access the range of different funding sources.”

How businesses can protect themselves

Matt Dri, Partner, Cyber Response and Forensic Technology at KPMG, also spoke at Innovation PNG 2025, where he provided a checklist of three top measures that organisations in PNG should be taking to protect themselves from hackers.

One is to look at how people are accessing your company’s systems remotely, and to shut off any virtual private networks (VPNs) providing remote access. Remote workers should be moved to cloud-based applications such as Microsoft’s Office 365, which have in-built security measures.

“That might impact a legacy application, but in my experience working in this region, those systems that are used to enable that remote access aren’t being supported the way you would expect them to. They’re not being patched appropriately, they’re not being configured appropriately, and it’s leading to breaches,” Dri said.

Another is to secure endpoints such as computers, servers and network devices to prevent adversaries from attacking inside the network.

“Things like antivirus, anti-malware, endpoint detection and response tooling, keeping all your servers and workstations up to date, patching – these are all really important controls that make it more difficult for an adversary to come in and control your systems,” he explained.

Lastly, Dri urged organisations to accept their shared responsibility for using cloud-based services.

“Cloud providers don’t do everything for you,” he said, explaining that the most important security measure an organisation can take when using the cloud is to deploy strong, multi-factor authentication.

Dri warned that factors such as receiving an SMS, phone call or push notification are no longer considered strong enough to protect against phishing, the type of cyberattack where malicious actors attempt to trick individuals into revealing sensitive information.

Instead, he said, organisations need to be using phishing-resistant multi-factor authentication.

“FIDO2-compliant passkeys, facial recognition: this is the tech that will secure you from phishing,” he said.
