By: Ian Hermon, Product Marketing Manager, Thales e-Security
Last month, the British Retail Consortium (BRC) revealed debit card purchases had overtaken cash for the first time, with more than half of retail transactions now being made on our favourite pieces of plastic. Thanks to more and more retailers investing in modern, innovative payment technologies, and as a consequence of our fast-paced consumer lifestyle, we’ve swiftly seen the payment card overtake cash as our favourite wallet filler.
However, increased card usage leads to increased customer data, and with this comes higher levels of vulnerability to a new realm of security risks.
Recognise the threat
When it comes to making purchases, we all know that as consumers we prioritise convenience over anything else. We want to be able to find the item we want instantly, choose our delivery options even quicker, and finalise our payment in a matter of seconds. This means it’s up to the major payment brands, often as part of their PCI and EMVCo activities, to focus on making the payment process secure, both for online and physical transactions.
Our recent Data Threat Report revealed that two in five retailers around the world have been the victim of a data breach in the last year, and with card usage on the rise, gone are the days when this wouldn’t impact a customer. Instead, any attack on the data storage systems of a retailer is a direct threat to the sensitive payment information of customers. Keen to get their hands on this data, hackers and cybercriminals have become more widespread and sophisticated, meaning the data security policies of all retailers should follow suit.
Protect your payments
Recognising the importance of data protection measures such as encryption, tokenisation and data masking in digital payments can help build and maintain customer trust, all while keeping the customer experience positive.
Recently, Visa announced support for the next generation of 3D-Secure technology, which will be paramount in reducing fraud for online and mobile in-app transactions where significant transaction growth is expected. All major card brands are due to adopt this new security standard as part of their collaboration efforts within the EMVCo organisation.
It’s encouraging to see more widespread use of tokenisation by the industry, where acquirers provide retailers with a token for storage for each transaction rather than the Payment Account Number (PAN) itself.
This helps reduce the scope of PCI DSS compliance for merchants (and saves them money) and also means that any such data stolen is worthless to attackers, thus reducing the impact of any data breach. These tokens are not only useless to hackers, but are easily deleted, if and when required, without impacting a user’s credit or debit card.
Collaborate and innovate
No matter how robust a system is, no one security method is unbreakable, but that shouldn’t stop brands communicating the lengths that they have gone to in ensuring valuable customer data is secure.
In a world where cash is losing its preference, retailers are striving to meet consumer demand for faster, easier and more convenient methods of paying in-store. However, convenience doesn’t always correlate with security. Payment service providers and banks are increasingly under pressure to provide underlying security measures, whilst at the same time ensuring consumers face as few barriers to the purchasing experience as possible.
Combining a seamless user experience with a secure backdrop will encourage users to embrace technology and for businesses to improve the payments process. While we know this won’t happen overnight, the latest figures from the British Retail Consortium show a positive shift towards investment in payment technology, something that will no doubt continue to grow in popularity.
It was the first time MegaLink participated in Self-service Banking Asia, held on March 22-23, 2017 at the Makati Shangri-la Manila, where their CEO, Ms. Jennifer M. Tantan, was invited to give a talk as one of the keynote speakers.
Highlights of Ms. Tantan’s speech included the current state of the ATM services and other electronic channels in the Philippines, challenges and what lies ahead for the industry.
A survey conducted by USAID sometime between February and March 2016 showed that the ATM card is the most trusted card instrument of Filipinos. Out of 82 million debit cards issued, only 25% are active according to a report from the ATM switch network Bancnet. As the ATM is one of the oldest channels of electronic banking, it remains the go-to means of financial power following cash-on-hand.
Ms. Tantan shared insights on some of the factors that prevent the industry from maximising its potential: consumer trust and the cost of on-boarding. Safety is both a basic and a premium requirement of customers and cardholders. It can win or lose users for the ATM and electronic channels market and must therefore be managed carefully. KYC as a measure of safety has to be applied wisely: too stringent and it might cause inconvenience, too lenient and it loses its essence. Banks and other financial institutions constantly strive to enable secure and affordable products and services for customers. Furthermore, the geographical location and environmental conditions of the Philippines make it difficult for the ATM and electronic services industry to establish communications infrastructure and provide access to areas for broader service delivery.
Ms. Tantan recommended turning to outsourced ATM and electronic service providers like MegaLink as a sustainable approach to overcoming these impediments. Instead of each institution putting up its own infrastructure, shared resources and services address common requirements by aggregating solutions and providing them jointly to users, which translates to a more affordable pay-per-use model.
By: Jorge Sagastume, Vice President at EscrowTech International
Software as a service (SaaS) is becoming more and more attractive to small and medium-sized businesses as a solution to their IT needs. It’s not only about the lower costs. The SaaS concept provides end-users with quicker and easily accessible updates and access to software that they probably wouldn’t otherwise use due to high licensing costs. The whole thing is also scalable to the end-user’s specific needs.
However, SaaS and cloud data storage are both still young technologies and, as every young technology, they both carry certain security risks.
Since SaaS and cloud computing are gaining such popularity, much has been written about them in recent years, so it’s understandable if you feel overwhelmed and want to be cautious. There are three major issues to think about with SaaS:
Data security – We live in an unsafe, profit-driven world, where everyone is trying to score big in no time at all. Hacking and industrial espionage aren’t a rare occurrence and do present a serious threat to your business. However, using on-premise software doesn’t mean that you are safe from data intrusions.
Software availability – Being able to work at any time you want (or need) is a must for any small or medium business. With SaaS and cloud computing, difficulties due to some outside issues like internet outage are possible.
Business dealings of your cloud provider – Though relying on someone else to keep your IT issues in order, leaving you free to focus on the actual work, does sound great, it comes with a small problem – you’re actually relying on someone else. You have no way of controlling how your service provider is doing business-wise, and there is a potential that things end up badly for them.
How to deal with the risks?
Firstly, don’t be frightened by the risks of using SaaS. When reading about the risks, they tend to sound terrifying. However, if you’re being smart about your cloud usage and take the necessary precautions, the chances of your business suffering serious blows are minuscule.
Also, using on-premise software doesn’t mean that you’ll be perfectly protected and that there aren’t any risks. It may actually be even harder to deal with harmful situations because you’ll be on your own, so it can be argued that SaaS is at least as safe as using on-premise software.
There is also competition among SaaS providers that keeps them constantly improving their technology and service. The right SaaS provider will go out of their way to accommodate you and to reassure you that they have things covered.
With that in mind, the first step you have to take is to inform yourself about the provider’s security plan. This is also a great way of filtering out the bad SaaS providers and finding the right fit for you. Ask about their disaster plans and recovery methods. Have they done a risk analysis and do they have a developed protocol that they follow in the worst case scenario?
You will need to be able to access your data and continue with your work regardless of issues the provider might have. Software escrow will help you with that. With software escrow, you will be independent and you won’t lose any time waiting for the service problems to be fixed.
When arranging a software escrow solution, make sure you’re well protected. Familiarize yourself with the terms and don’t skip the fine print.
If your service provider goes under, things get a little bit more complicated. You will have to organize the necessary infrastructure in a timely manner. The other option is to find a substitute SaaS option.
A good software escrow agreement will also provide you with a way to make this as fast as possible. Ideally, within the next 24 hours you should be able to continue with your work.
Unfortunately, nothing related to business is perfectly safe. Unpredicted situations happen and we don’t have the power to avoid them. Yet we do have the power to predict them and minimize their influence.
Your strongest ally in the fight against data security risks will be information. If you are informed and aware of what might happen, things won’t catch you off guard. A good SaaS partner is crucial, so rather than trying to figure things out on your own, spend some time finding the right fit for you.
Outsourcing of middle and back office functions to third party providers has been on the rise in Asia and has grown to cover a wide range of activities. This article provides insights into the current trends in the region, the key challenges faced by financial institutions throughout the decision process and our approach to help them optimise their strategies.
Full back office outsourcing and partial middle office outsourcing are on the rise
The financial industry has already adopted a partial back office outsourcing model to reduce the need to invest in system infrastructures and facilitate business expansion. As regulatory and financial pressure intensifies, a growing number of institutions are moving one step further towards fully outsourcing their back office platform.
Middle office outsourcing has been more limited. Financial institutions are more reluctant to externalise those processes as they are more integrated with their front office activities and usually cover sensitive client facing activities. Nonetheless, appetite for partial middle office outsourcing is growing, as a result of the wider range of capabilities developed by technology and service providers.
Outsourcing has become a long term strategic game
Outsourcing enables two prevailing strategic goals:
- Refocussing on core competencies to improve performance and risk management
- Automating processes while variabilising costs to protect profitability
Financial institutions are reducing their involvement in peripheral activities, such as middle or back office operations, to cut down the time and money invested in upgrading legacy systems, hiring resources and managing staff turnover.
Outsourcing also provides benefits from a cost perspective. It offers an effective way of engaging in robotic process automation and can accelerate cost reduction during periods of lower business activity. Indeed, more and more vendors now offer cloud-based “Business Process as a Service” and pay-per-use models where customers are charged based on the number of transactions processed instead of the number of licenses or nodes utilised.
Banks tend to favour partnerships with independent specialist providers
Financial institutions looking at outsourcing can either turn to another financial institution that has developed a scalable solution or partner with an independent provider. We have observed to date a preference for the latter.
This preference can be explained by the growth and maturation of the independent specialist outsourcing market. With falling computing costs lowering barriers to entry, financial institutions have access to a growing pool of potential partners, striving to differentiate themselves by building cost-effective innovative solutions faster than their competitors.
Moreover, partnerships between banks can raise strategic concerns. While banks outsourcing their operations might be unwilling to give competition access to their transactional flow, outsourcing providers may hesitate to facilitate the growth of competitors.
Managing regulatory constraints and requirements
One of the key steps of the decision process is the assessment of the feasibility of the outsourcing project from a regulatory perspective, which is often more complex in the Asia Pacific region than in Europe or the US:
The amount of regulations that come into play can appear to be overwhelming. A financial institution looking at establishing an outsourcing arrangement at regional level will on average have to consider more than ten distinct regulatory frameworks.
Further, outsourcing regulations across the region are not homogeneous. Regulatory approval requirements, for example, can differ significantly from one jurisdiction to another.
Thoroughly analysing the impact of regulatory requirements is therefore essential. Bypassing this critical step has the potential to materially affect the ROI or jeopardise the feasibility of the project.
Selecting a partner in line with the sourcing strategy and risk appetite of the bank
Outsourcing critical activities such as settlement or valuation can have a significant impact on the profitability/risk profile of an institution and the servicing of its customers. It is thus essential to select a partner in line with the organisation’s outsourcing strategy and the boundaries set by its risk framework.
This is however easier said than done:
- The proliferation of “fintech” options has made the shortlisting of candidates more time consuming.
- Frameworks articulating the strategic objectives and boundaries within which the organisation is willing to operate are not always clearly defined.
- The risk assessment process is becoming more complex, as regulators turn up the pressure on “outsourcing risk”.
More often than not, the selection process will involve trade-offs that need to be carefully thought through.
Sia Partners Approach
We have developed a 3-step structured approach to help our clients make the most of their outsourcing opportunities:
If you are interested in discussing how we could support your organisation on its decision making journey, please contact our teams in Asia.
BNP Paribas, “Middle and back office outsourcing for banks and brokers – Preparing for the international stage – Asia”, Nov. 2014
Copyright © 2016 Sia Partners. Any use of this material without specific permission of Sia Partners is strictly prohibited.