When Is Processing Payments in The Cloud More Secure?
Back when I started my career, “Jessie’s Girl” by Australian rocker Rick Springfield topped the charts, the federal funds rate was 20 percent and most organizations were reliant upon one or more mainframe computers that were hosted in an internal “computer room.”
Payment systems migrate to the cloud
Today, the four largest banks in the U.S. process their payments in the cloud (i.e. remote data centers that are accessed via a private network and/or the Internet). These institutions have opted to use “private clouds” owned by cloud partners where client data is kept strictly partitioned, versus a “public cloud,” which offers users a shared infrastructure.
And these large banks are not alone.
According to a recent survey, 44 percent fewer companies use in-house software for online payments compared to just two years ago and instead rely on a vendor’s payment software.
Source: Wiese Research survey and Ovum’s Global Payments Insights
In addition, 54 percent of organizations said that they plan to move more of their payment infrastructure to the cloud in the near future. For example, Bank of America recently announced plans to move 80 percent of its technology workloads to the cloud in the next few years. Why are many industry leaders moving their payment infrastructures to the cloud? The key drivers are lowering costs, improving speed to market and catching up with customer demand for new products and services.
Security in the cloud vs in-house data centers
The rapid growth of cloud computing has also been driven by the rock-solid level of security available in the cloud. In fact, according to a 2017 report on cloud security, “on-premise IT infrastructure is more likely to be attacked, more often, and through a broader spectrum of attack vectors than cloud-based infrastructures, countering security concerns about the cloud.”
How does the security of cloud service providers compare with that of in-house data centers? It depends on the type of security being used. A cloud vendor that employs the following 10 cybersecurity practices is well positioned to deliver better security than in-house data centers.
1. The Network Effect: The network effect states that the value of a network increases with the number of users. In the case of cloud security, providers are better able to leverage their security investment and visibility across thousands of clients, compared to an organization processing in-house.
- Identify fraudulent transactions and breaches more quickly
- Combine security investment of thousands of clients to build and run a highly secure software platform used by all
- Participate in InfraGard, a public-private partnership between the FBI and U.S. businesses, dedicated to sharing information and intelligence to protect critical infrastructure
- Coordinate with Financial Services – Information Sharing and Analysis Center, the global financial industry's resource for cyber and physical threat intelligence analysis and sharing
2. Experience: Cloud software providers can offer a depth of knowledge and experience unmatched by individual institutions.
- They have more years of experience in developing and operating bill payment software compared with individual organizations
- The same company that built the software runs the software
- Software developers and data center operators collaborate
3. Certifications: Look for a provider that is certified to offer the best practices in security.
4. People: The provider’s leadership team and employees should be focused on security.
- A Board of Directors with a risk committee
- Chief Risk Officer operating autonomously from all other groups
- Annual security training for all employees
5. Policies: Make sure your provider’s security infrastructure is designed around standards.
- Implements ISO 27001/27002 and National Institute of Standards and Technology (NIST) Cybersecurity frameworks
- Standardizes information access, retention and destruction
- Utilizes an inventory system for hardware and software
- Performs vulnerability scanning and penetration testing
- Has a pandemic plan for business continuity and disaster recovery plans
6. Software development: The provider uses bullet-proof software and best industry practices.
- Upgrades software to latest version regularly (this was one of the problems that led to a recent high-profile breach)
- Builds systems based on the Payment Card Industry Data Security Standard (PCI)
- Scans systems before going live
7. Detection: The provider depends on automated detection and attack response for protection.
- Can identify distributed denial of service (DDoS) attacks, worms, Trojans and port scans
- Finds abnormal activity through modeling
- Relies on automated attack response
8. Access: The provider carefully controls cloud access.
- Keeps client data separate with private cloud using a partitioned architecture
- Owns and operates its own data centers
- Employs biometric data center access
- Uses role-based access
- Has 24x7 closed-circuit television monitoring
- Uses a secure network for client access
9. Defense-in-depth with a layered security model: The provider erects multiple, overlapping layers of defense.
10. Data: The provider secures critical data.
- Tokenizes sensitive information (i.e., uses a “proxy”)
- Encrypts data
- Uses hardened computers
- Isolates internally with virtual local area networks
Cloud payments simplify compliance
In addition to offering robust security, cloud-based payment systems make compliance easier to achieve for several reasons. First, companies are no longer storing sensitive customer payment data on-premise, which limits the scope of PCI assessments and audits. Second, the provider is able to make the latest investment in compliance infrastructure and spread the cost across multiple clients, while also utilizing the best client practices.
For example, one company reduced call center PCI compliance costs by 80 percent when customers entered their credit card numbers into a cloud-based system rather than speaking card numbers out loud. In another example, customers using a cloud-based bill payment solution were able to realize 19 percent savings on security and compliance costs.
In addition, an experienced cloud payment provider keeps up to date with ongoing changes to regulations – some of those shown below.
Cloud payments improve performance
You can develop and bring innovative new features to market more quickly with the cloud than by building them yourself in-house. Organizations often see an improvement in their performance as a result. For example, one of the world’s largest companies improved its collections performance by a factor of five when it made the move from an internal collections website to a cloud system.
With improved performance, lower compliance costs and robust security, I expect that more organizations will follow Bank of America’s example of shifting 80 percent of their technology into the cloud.