Online banking has accelerated over the past two years, largely as a result of Covid-19, and the majority of previously office-based jobs are now based at home. These two trends have resulted in increased levels of cybercrime and have had a major impact on payment security, especially in FinTechs.
In the UK, over three-quarters of the population uses online banking, with one in four having a digital-only bank account – although this figure sits at just below half of the population in London. Online banking use is also steadily increasing in the US, where it is predicted that digital banking users will surpass 200 million in 2022. Challenger banks such as Revolut and Monzo are now just as big as major traditional banks such as Barclays. However, unlike the high street banks, there is a thriving ecosystem, not just in the UK but worldwide, of FinTech start-ups that not only offer the same services as high-street branches but also provide a host of additional services, catering for everyone’s specific requirements.
While only 25.9 percent of Britons worked from home last year, it is likely that the majority of those working in the FinTech industry did, as that number grew to over 40 percent for professional and technical occupations, which would make up the majority of FinTech jobs. Additionally, it is estimated that 36.2 million Americans will be working remotely by 2025, with this trend likely to be mirrored globally as many financial institutions across the globe close office doors or downsize offices in favor of remote and hybrid working. Therefore, the traditional model of either operating your own or using co-located data centers to house hardware and applications poses logistical challenges if a company’s workforce works at home the majority of the time, or even in different countries across the globe. This will prove especially costly and time-consuming for FinTechs operating within the transaction processing or card issuance field, where key ceremonies are required and typically involve key custodians attending multiple data centers that host the HSMs.
A large increase in potential customers and a remote workforce make financial institutions even more vulnerable to cybercrime. We are currently in the ‘age of the cyber-attack’, in which large-scale attacks are becoming the norm and dozens of people and businesses are subject to fraudulent activity at every point of the day.
So, how can companies prepare for and protect themselves from security threats?
Adopting cloud-based services
Typically, companies such as those in the financial services industry, which handle large volumes of internet traffic and store large amounts of sensitive customer data flowing in and out, deploy a large server to handle the traffic and specialized components such as Payment Hardware Security Modules (HSMs) to secure payment data during transactions. Of course, over the past two years, many companies have seen a surge in traffic, meaning that their only choice was to build bigger servers, with more hard disks for customer information and faster internet connections. With increased traffic comes the need for increased security, as more transactions mean that employees are unlikely to be able to review each transaction, putting them at more risk from fraudsters.
It was only in the early 2000s, when Amazon began rolling out what would become Amazon Web Services, which now has a 34 percent market share of the cloud services market and powers 9 million live websites, that cloud computing started to become a serious alternative to on-premises installations for companies and for private users.
Today cloud-based services are behind everything: our emails (Gmail), our work lives (Microsoft Teams and Slack) and entertainment (Netflix, Spotify). They also provide a solution for companies in the wider financial sector, and FinTech in general. A major advantage of cloud services is that once you sign up to a service, its capacity can easily be upgraded without any major cost or disruption. Therefore, if a company sees a sudden surge of customers, around events like Black Friday for instance, then its cloud service provider should be able to add extra capacity, accommodating the company’s needs with ease.
Platform-as-a-service (PaaS) and Infrastructure-as-a-service (IaaS) models are particularly valuable for smaller and start-up FinTech companies. IaaS replaces the storage and networking functionality that companies would typically host in an on-site data center, while PaaS includes development environments that allow companies to create and deploy apps, websites and software in collaborative environments. Together these allow small companies to create solutions that can scale to any size – if a company needs more storage space, they can pay to be in a higher subscription tier, and it will come online almost instantly.
Of course, having everything from customer data to the code that powers a FinTech company’s apps stored in the cloud comes with its issues. Despite the general rule that ‘cloud-hosted just means somebody else’s computer’, it can be far safer to store customer data with a cloud service than on your own company’s server. This is especially true if you lack the in-house expertise to manage the specialized components required to comply with regulations for financial services. Even though cloud service providers are typically very large companies that can afford security teams, it is still important for FinTechs to understand the shared responsibility model for securing cloud deployments.
Cloud-based security solutions
With cybercrime as high as it is currently, being able to develop, deploy and scale new payment solutions is only the starting point – security is also needed. Although a customer’s information might be safely stored in a cloud data center, that information still needs to travel from the customer themselves to the data center when they enter it. In FinTech, using and transferring highly sensitive data is necessary, meaning that any data being passed between clients and their FinTech provider needs to be secured to a very high standard.
Therefore, self-hosted Payment HSMs may be able to complement a company’s cloud computing and help FinTech companies meet compliance demands. For growing companies that might have less working capital to spend on expensive hardware, and that may lack the specialist skills to operate these critical pieces of equipment, cloud-based Payment HSMs are also available.
With the majority of people using cloud-based services in their day-to-day lives, it seems only sensible for FinTechs to trust cloud-based systems for their development, scaling and security.
Eyal Worthalter is Vice President – Global Solution Sales, MYHSM by Utimaco