In the payments landscape, there is a drive to improve the customer payments experience combined with the need for more efficient and scalable payment processing;
As FIs investigate the option of transitioning their back-end payments processing systems to the cloud, the security of payment data needs to be ensured;
In March 2019, Capital One, a US bank holding company experienced a major data breach. The hacker gained access to personal information related to credit card applications of more than 100 million customers;
Capitol One had used cloud hosting company Amazon Web Services (AWS) to store the personal information of its customers received from their credit card applications. The hacker was able to gain access by “exploiting a mis-configured web application firewall.”
Point of View
As we increasingly shift towards a digital economy, there is a growing need for organisations to keep up with evolving customer demands; quick and frictionless. To meet these needs, organisations are investing in digital transformation programs to streamline and simplify internal processes. As part of such programs, organisations are incorporating cloud technology to help achieve flexible and on-demand access to critical services.
In the payments landscape, there is a drive to streamline the customer payments experience combined with the need for more efficient and scalable payment processing. To help achieve these goals, payments organisations are investigating the option of moving their payments systems to the cloud. Investment in cloud technology is steadily increasing as organisations recognise the benefits that can be gained by adopting this technology:
Lower costs – Organisations can cut down on physical IT infrastructure that can be expensive to purchase and maintain. Costs shift from being a high, upfront, capital expense to an ongoing operational expense, proportionate to the size of their business.
Control - Organisations will have complete visibility and control over data that is stored in the cloud and can choose which end users have what level of access to what data.
Improved scalability - Cloud-based systems require less capital expenditure to implement than physical systems and are scalable to meet the changing needs of the business. Payment data is managed and stored via a data centre, so capacity is not an issue. Organisations can pay for what they need and purchase more as their business grows.
As organisations look to adopt cloud technology, a developing business model would be for organisations to migrate their payment systems to the cloud. An example would be the migration of back-end payment processing. Financial Institutions (FIs) have relied predominantly on hardware solutions. Card accepting devices like EFTPOS terminals have traditionally been built with stringent hardware security. Back-end payment processing has occurred through on-premise networks and servers. Using cloud technology, FIs have the option to shift their payment systems, including networks and servers to the cloud. To date, FIs typically select a hybrid cloud environment, which is a combination of on-premises, public and private cloud solutions with data shared between them.
By adopting cloud technology for payments processing, organisations need to manage the risks accordingly. When moving sensitive customer payment data to the cloud, the security of this information needs to be assured. Given the sensitive nature of payment data, there is a critical need to ensure data is secured from a possible breach. Organisations and regulators alike need to ensure this data is secured by meeting the industry’s strict security requirements.
In March 2019, Capital One, a US bank holding company experienced a major data breach. The hacker gained access to personal information related to credit card applications of more than 100 million customers. Among the personal data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers. Capitol One had used cloud hosting company Amazon Web Services (AWS) to store the personal information of its customers received from their credit card applications. The hacker was able to gain access by “exploiting a mis-configured web application firewall.”
All financial institutions rely heavily on cryptography in transaction processing, including endpoint authentication, secure communications and card/PIN verification. To provide high levels of cryptographic protection, FIs rely on hardware security modules (HSMs). These devices are responsible for the secure generation and storage of the cryptographic keys that are used throughout the payments system. They also act as dedicated cryptographic processing devices, ensuring that the cryptographic keys for the cardholder data being processed by the servers are genuine. Payment HSMs normally provide native cryptographic support for all the major card scheme payment applications. They also undergo rigorous independent hardware certification under global schemes, such as PCI HSM.
Payment HSMs play a crucial role in the security of customer payments data. Financial institutions depend on these devices to provide a high level of assurance for the confidentiality and availability of cryptographic keys and all private data being processed. As FIs look to transition their payment processing systems to the cloud, they need to evaluate their HSM strategy. FIs must either continue to house their payment HSMs in their on-premises data centre or outsource the service to a third-party provider. This third-party provider should also have an additional connection to the cloud. At the moment, there are no dedicated payment HSMs that can be used for payments processing in the cloud.
Currently, there are guidelines available that outline the security obligations for organisations and third-party providers when implementing cloud services. However, these guidelines are not enforced, neither are they specific to payments.
Guidelines for Secure Cloud Payment Services
The Australian Prudential Regulation Authority (APRA) updated its outsourcing regulations in July 2017. ARIs (APRA regulated institutions) are required “to perform due diligence and apply sound governance and risk management practices to their outsourcing of a material business activity including via their cloud services.”
Amazon Web Services (AWS) in its User Guide states that, cloud security is a shared responsibility. “AWS manages security of the cloud by ensuring that AWS infrastructure complies with global and regional regulatory requirements and best practices, but security in the cloud is the responsibility of the customer.” This means that the customer retains control of the security program they choose to implement to protect their content, applications, systems and networks. This should be done no different to how applications in an on-site data centre are protected.
While the migration to the cloud opens up many opportunities in payments, it also poses a number of challenges that need to be managed along the way. One, financial institutions will need to consider their HSM strategy – the role that dedicated payment HSMs play in the payments life-cycle. Second, there needs to be set guidelines for migrating payment processing systems to the cloud. Given the sensitive nature of payment data, these guidelines should be mandated by the regulators so that FIs adhere by them to ensure utmost security of customer data.