When Is Processing Payments in The Cloud More Secure?
Back when I started my career, “Jessie’s Girl” by Australian rocker Rick Springfield topped the charts, the federal funds rate was 20 percent and most organizations were reliant upon one or more mainframe computers that were hosted in an internal “computer room.”
Payment systems migrate to the cloud
Today, the four largest banks in the U.S. process their payments in the cloud (i.e. remote data centers that are accessed via a private network and/or the Internet). These institutions have opted to use “private clouds” owned by cloud partners where client data is kept strictly partitioned, versus a “public cloud,” which offers users a shared infrastructure.
And these large banks are not alone.
According to a recent survey, 44 percent fewer companies use in-house software for online payments compared to just two years ago and instead rely on a vendor’s payment software.
Source: Wiese Research survey and Ovum’s Global Payments Insights
In addition, 54 percent of organizations said that they plan to move more of their payment infrastructure to the cloud in the near future. For example, Bank of America recently announced plans to move 80 percent of its technology workloads to the cloud in the next few years. Why are many industry leaders moving their payment infrastructures to the cloud? The key drivers are lowering costs, improving speed to market and catching up with customer demand for new products and services.
Security in the cloud vs in-house data centers
The rapid growth of cloud computing has also been driven by the rock-solid level of security available in the cloud. In fact, according to a 2017 report on cloud security, “on-premise IT infrastructure is more likely to be attacked, more often, and through a broader spectrum of attack vectors than cloud-based infrastructures, countering security concerns about the cloud.”
How does the security of cloud service providers compare with that of in-house data centers? It depends on the type of security being used. A cloud vendor that employs the following 10 cybersecurity practices is well positioned to deliver better security than in-house data centers.
1. The Network Effect: The network effect states that the value of a network increases with the number of users. In the case of cloud security, providers are better able to leverage their security investment and visibility across thousands of clients, compared to an organization processing in-house.
- Identify fraudulent transactions and breaches more quickly
- Combine security investment of thousands of clients to build and run a highly secure software platform used by all
- Participate in InfraGard, a public-private partnership between the FBI and U.S. businesses, dedicated to sharing information and intelligence to protect critical infrastructure
- Coordinate with Financial Services – Information Sharing and Analysis Center, the global financial industry's resource for cyber and physical threat intelligence analysis and sharing
2. Experience: Cloud software providers can offer a depth of knowledge and experience unmatched by individual institutions.
- They have more years of experience in developing and operating bill payment software compared with individual organizations
- The same company that built the software runs the software
- Software developers and data center operators collaborate
3. Certifications: Look for a provider that is certified to offer the best practices in security.
4. People: The provider’s leadership team and employees should be focused on security.
- A Board of Directors with a risk committee
- Chief Risk Officer operating autonomously from all other groups
- Annual security training for all employees
5. Policies: Make sure your provider’s security infrastructure is designed around standards.
- Implements ISO 27001/27002 and National Institute of Standards and Technology (NIST) Cybersecurity frameworks
- Standardizes information access, retention and destruction
- Utilizes an inventory system for hardware and software
- Performs vulnerability scanning and penetration testing
- Has a pandemic plan for business continuity and disaster recovery plans
6. Software development: The provider uses bullet-proof software and best industry practices.
- Upgrades software to latest version regularly (this was one of the problems that led to a recent high-profile breach)
- Builds systems based on the Payment Card Industry Data Security Standard (PCI)
- Scans systems before going live
7. Detection: The provider depends on automated detection and attack response for protection.
- Can identify distributed denial of service (DDoS) attacks, worms, Trojans and port scans
- Finds abnormal activity through modeling
- Relies on automated attack response
8. Access: The provider carefully controls cloud access.
- Keeps client data separate with private cloud using a partitioned architecture
- Owns and operates its own data centers
- Employs biometric data center access
- Uses role-based access
- Has 24x7 closed-circuit television monitoring
- Uses a secure network for client access
9. Defense-in-depth with a layered security model: The provider erects multiple, overlapping layers of defense.
10. Data: The provider secures critical data.
- Tokenizes sensitive information (i.e. uses a “proxy”)
- Encrypts data
- Uses hardened computers
- Isolates internally with virtual local area networks
Cloud payments simplify compliance
In addition to offering robust security, cloud-based payment systems make compliance easier to achieve for several reasons. First, companies are no longer storing sensitive customer payment data on-premise, which limits the scope of PCI assessments and audits. Second, the provider is able to make the latest investment in compliance infrastructure and spread the cost across multiple clients, while also utilizing the best client practices.
For example, one company reduced call center PCI compliance costs by 80 percent when customers entered their credit card numbers into a cloud-based system rather than speaking card numbers out loud. In another example, customers using a cloud-based bill payment solution were able to realize 19 percent savings on security and compliance costs.
In addition, an experienced cloud payment provider keeps up to date with ongoing changes to regulations – some of those shown below.
Cloud payments improve performance
You can develop innovative new features and bring them to market more quickly with the cloud than by building them yourself in-house. Organizations often see an improvement in their performance as a result. For example, one of the world’s largest companies improved its collections performance by a factor of five when it made the move from an internal collections website to a cloud system.
With improved performance, lower compliance costs and robust security, I expect that more organizations will follow Bank of America’s example of shifting 80 percent of their technology into the cloud.
How are your peers planning to use the cloud to deliver the payments experiences of the future? Download our free report that explores strategic plans and IT investment trends in payments: www.aciworldwide.com/billpayinsights