Hosted services and cloud technology offer many advantages to the payments industry, but Alison Ebbage asks: can huge security and compliance issues be overcome?

 

Finding innovative ways to leverage the advantages of hosted services across the payments industry is tricky. Although hosted services can offer many advantages, the idea of holding sensitive data in a public cloud is unacceptable in this most regulated and security conscious of industries.

But hosted services do offer the payments industry many obvious advantages. The whole idea behind cloud computing is that capacity can be expanded almost instantly. For the payments industry with its many fluctuations in traffic volume this has a very obvious attraction.

Hosted services also mean that, instead of having hardware and a datacentre installed and maintained internally, the front-end application or device is supported, maintained and upgraded remotely by the service provider. This feeds well into the broader business concept of concentrating on core business activity and outsourcing the rest to specialist providers.

But the disadvantage of a cloud-type offering, especially in such a security conscious and regulated space, is that it rests very much on a ‘one size fits all’ utility model in order to offer economies of scale and cost savings. On a conceptual level it cannot respond to company- or industry-specific demands. And for the payments industry, putting payments data and processes into a public cloud throws up some very real security and privacy issues that need to be overcome.

The idea of developing some sort of security and compliance arrangement to ring fence sensitive data is technically feasible, but it suggests some sort of private or community cloud with a requirement for bespoke servicing and robust service level agreements (SLAs). This is at odds with the notion of providing a commoditised hosted architecture.

However, all is not lost and it is in the retail space with large volumes of similar transactions where the cloud is making most headway as a front-end application.

 

Front end

Jerry Norton, chief client officer at Logica, a cloud service provider, comments: “The cloud is all about commoditised utility services so it works where you have something that is fairly standard and where the security and other processes around that can also be standardised, such as is the case with high volumes of retail traffic.”

In this model the cloud provides a hosted front-end application to sit on an end device such as an ATM, a point of sale (PoS) terminal in a shop, a mobile device or an e-commerce site. The customer makes the payment over the front-end application, and the payment is then whisked into the existing payments infrastructure to link with the other networks and processes within that particular payment chain. It eventually makes its way into the banking system, where it is processed, cleared and settled. The hosted service provider also provides a platform (usually provided by a third party such as Oracle) that sits underneath the front end to make sure that security and compliance issues are dealt with.

“In this model the platform sitting underneath the hosted application can provide some basic and common security measures which are geared up to meet the high volume but fairly standard transactions made by consumers,” says Norton.

One of the biggest providers of this sort of hosted solution is Amazon Merchant Services. It replaces in-house systems with its own front-end application that sits on one of its own server farms. From there it links in with other payments systems and processes.

But Mateen Greenway, fellow at HP Enterprise Services, the global business and technology service division at Hewlett Packard, warns that new payments channels like PayPal mean that consumers are effectively creating their own payments networks and channels and relying less and less on banks. Banks no longer own the payment; rather, the network whose applications and platforms are hosted by the cloud provider does. This effectively consigns the banks to being payments processors rather than providers of banking products and services to loyal customers.

Norton concurs: “This is an issue for banks because use of the cloud by other people in the payments process effectively moves the banks further away from the end customer. The payment is now made via PayPal or Visa or BACs and banks’ own brands are no longer really relevant – they have become relegated to back office processors.”

 

Banks

But on the flip side, banks themselves can leverage the cloud to forge more meaningful and enduring customer relationships. Greenway comments: “The cloud can really help to facilitate social engagement. As banks seek to strengthen their relationships with customers, cloud technology is well-placed to help them gain contextual information and have more meaningful interactions.”

It’s not just retail banks that are using the cloud in this way; the growing mobile banking and shopping sector is one of the better fits for this sort of hosted service framework. Indeed, newer ‘brand’ banks and peer-to-peer payment networks have been the ideal partners for hosted solutions. They are unencumbered by tangled legacy systems and also want their IT to link in with other systems, such as loyalty cards or other customer relationship management related areas. The emerging mobile payments industry is also a good match.

The essential selling point in this ‘front-end’ context is that the cloud can process data almost instantly. For instance, a retailer could tie in a transaction with other information it holds on a particular customer to provide more targeted discounts via its loyalty card scheme – all in real time. Being able to harness the data so quickly and tie it in with other contextual information makes for better customer relationship management and theoretically a ‘stickier’ or more enduring relationship with customers.

 

Middle space

But it is not just as a front-end application where the cloud can make a difference. It can also be leveraged in the middle space to act as a facilitator between the front end and the bank at the back. In this sense the cloud is not a new system, more a facilitator to make the existing one better. By adding the hosted service as an additional link, payments front ends get their transactions bundled and then pushed down the line to the right place to be processed in a more efficient manner.

Steve Brunswick, strategy manager at Thales, a systems provider, explains: “The main payments infrastructure is currently provided by physical data centres that are run by the card issuers. The journey between the point of sale or the cash point is made by a series of switches in between the actual transaction, via the card scheme to the card issuer. Effectively you have multiple channels and systems and this has led to spaghettiware back office systems as banks try to provide a connection to each and every channel and country.”

He thinks that the cloud’s potential is more in this middle office space, as an automated clearing house similar to Bacs (Bankers’ Automated Clearing Services) or CHAPS (Clearing House Automated Payment System); a processor and distributor of payments in a more timely and efficient fashion, as long as it remains compliant.

 

Security

But with any transaction, security is vital, and this is perhaps one of the biggest sticking points for would-be users of the cloud. Issues like visibility, transparency, control of user ID, data integrity and loss are not isolated to payments, but as this is the most regulated industry in the world, it is not hard to see why having data and processes in a public space is less than ideal.

And although web banking means information is already sent over a public highway, as are chip and pin transactions, losing control over those transactions by having them ‘somewhere in the cloud’ is not acceptable, even if that somewhere is protected, its data encrypted and its encryption keys also protected.

Brunswick comments: “It is unlikely that cloud providers will be falling over themselves to have enhanced SLAs that guarantee both security and speed. The cloud is essentially an elastic utility that benefits the bottom line but there are highly opposing forces of cost benefits versus security and service levels. On this level its use actually creates a greater sense of conflict between the security and the cost of service provision.”

But one provider of security services is cloud-based and compliant with PCI DSS Level One. Mako Networks targets smaller (less than 200 point of sale) merchants. It’s not a payments network and does not carry data; rather, it protects processes via monitoring and setting parameters of permitted activity. The system reacts to anything abnormal in real time by placing hardware onto the client site and controlling and maintaining it from the cloud. “We essentially monitor what is going over the modem placed within the merchant and ring fence the various points of sale as well as the perimeter,” says Bill Farmer, CEO, Mako Networks.

Offering certainty via compliance may prove to be a winning formula for Mako. It is essentially guaranteeing ongoing security measures to the latest levels of compliance and thus removing this specialist function from smaller merchants.

But cracking the issue of where the actual data is held, rather than monitoring its movement, is something else entirely, and even if the security issue has been overplayed, privacy is a really hard nut to crack, according to Norton.

“One of the challenges for the cloud is to be able to say where data is held to satisfy the regulator. There also needs to be a demonstrable understanding of operational risk, data control and protection of the encryption keys. This is not the focus of cloud providers,” he says.

Given that the payments industry cannot compromise on security and privacy, perhaps the way forward is some sort of compromise via a semi-private or community cloud in which the security aspects common to a group of users are taken into account. It’s still a utility service, but done by combining the common demands of a community rather than trying to do it on a bespoke basis.

Greenway comments: “You cannot transfer responsibility into the cloud, just the risk. For this sometimes a private or hybrid cloud is needed to best leverage both needs. You would take a cloud-like design and front end it with a cloud infrastructure but have a secure platform underneath it. That way you can still have it all.”

One such offering in the corporate space is Fundtech. It services the transaction banking industry with functions such as cash and liquidity management, payments over various networks such as Swift, supply chain servicing and liquidity management. Effectively this means connecting the front end of banks like HSBC, Citibank, Lloyds etc with the back-end payments systems and making sure that each part in the chain can interface via Fundtech’s hub. Crucially it has a platform provided by Oracle underneath it to deal with security and compliance and the like.

George Ravich, chief marketing officer at Fundtech, explains: “We know that the banks care where their data is stored and we can offer a hosted service with the guarantee over where data is held – we see data location as just another characteristic of the industry in which we operate; it’s a constraint within our specialist field.”

But Darshan Chandarana, senior director, UK financial services and client services at Oracle, thinks that although using a private or community cloud is already a well-accepted concept, ultimately the security issue in the payments industry is simply too big a hurdle to jump.

“Some payments are already using private processing networks. The concept is already there; it’s just that the delivery has yet to be actually made over the cloud because the issues around security, ringfencing, encryption and key protection have yet to gain widespread acceptability. Those ‘jobs’ will always need to be done somewhere and although in some industries them being done in a hosted context might be acceptable, in the payments industry security will always be the most enduring issue,” he says.