Naganand Jagadeesh, ThoughtFocus’ Business Head of Payments, offers fascinating insights into the rapid changes occurring within the payments processing industry. With over twenty years of overall technical experience, Naganand is a technology strategist and proactive leader with the proven ability to build strong business relationships, manage international clients and distributed delivery teams, and create strategic roadmaps.
Has the COVID-19 pandemic substantially impacted the payment processing sector?
Naganand: The pandemic has impacted the payments industry in both good and bad ways. The immediate short-term hit was the decline of overall transaction volume, especially face-to-face. Now, the payments industry is tilting heavily toward investing in contactless payment mechanisms. Tap-and-go solutions, wallet programs, and card-on-file solutions are gaining traction at retail establishments and gas stations. Gas stations are even looking at solutions that allow consumers to operate gas pumps from their mobile phones.
The pandemic has also accelerated payment processors moving their technology to the cloud—a transition that was already well underway. While contactless payments are in demand for physical transactions, the pandemic has resulted in a much higher online shopping rate offering new opportunities for many e-retailers. By nature, an e-commerce business can be quickly expanded to new markets and geographies. Moving to the cloud allows rapid response regardless of where the customer is located, facilitating geographic expansion and new market opportunities.
The accelerated implementation of touchless payment systems and the cloud’s ability to balance the load of markedly increased online shopping activity have been two large impacts.
Do payment processors have any reservations about moving to the cloud?
Naganand: If you had asked me 18-24 months ago, I would have said that payment processing companies aren’t racing to move to the cloud. Security and PCI compliance bottlenecks and the fear of service disruptions were at the top of the industry’s mind, and these fears were understandable.
Payment processors are bound by PCI DSS and, in Europe, GDPR compliance standards. Additionally, payment processors must adhere to their country-specific regulatory requirements. Most regulatory organizations traditionally required onsite audits, and there was a sense that operating on-premise data centers led to more security and control.
Payment processing companies felt anxious about service disruptions, the actual location of their data, and how auditors would be able to review and sign off on data management control systems. Perhaps most importantly, with data off-premise, how would they know that the right data security constructs are in place?
Fast forward to today, cloud providers can readily create complete, secure, and PCI-compliant environments—really, “PCI-compliant infrastructure-in-a-can.” Within days, they will set up an isolated container on the cloud, ready for the payment processing company’s IT team to begin deployment.
The environment is secure and compliant, and maintenance is easy. Our work at ThoughtFocus reflects this movement to the cloud. We have payment processing clients who have transitioned 100+ servers to the cloud on AWS. While moving in the direction of the cloud, other clients still have a combination of data center and cloud-managed data. However, clients who have developed their solutions from the ground up have adopted serverless architectures, fully leveraging the cloud platforms’ computational capabilities.
Cloud computing is the way forward, and the cloud platform providers themselves are becoming more and more aware of all the regulatory nuances and required security measures.
As payers continue to move to card-not-present payment, are there new data security concerns?
Naganand: The movement to card-not-present payments is further digitizing the way payments happen, so data security efforts will need to keep pace. As the focus jumps back to e-commerce and card-on-file scenarios, fraud management will become a key focus area. In such cases, prediction, prevention, and remediation are critical.
Fraud management solutions will be deployed at various stages of transaction processing and predominantly based on AI/ML advancements and algorithms. Primary payment service providers at the first level of acquiring will focus on early prediction strategies where the goal is to stop fraud before it is even routed to processors. Suppose prediction technologies miss a fraudulent payment, and it makes its way through to a processor switch. In that case, more complex prevention strategies employed by the larger acquirers, card schemes, and issuers will kick in to identify and decline bad transactions. If a fraudulent transaction surpasses even prevention technologies, remediation falls on the merchant or the processor company in conjunction with the issuers.
There are, and will continue to be, substantial investments in fraud management technology.
While investing in keeping payment processor platforms compliant, what more should processors do to enhance the platform security for better cardholder data protection?
Naganand: I have often mentioned in my presentations that there is a tendency in the payment space to confuse compliance and security aspects of a platform. Processing platforms need to be continuously enhanced to adhere to card brand mandates to stay compliant and qualified as a certified platform. However, staying compliant does not automatically ensure the security of cardholder data. This has to be exclusively built into the system to protect cardholder data and render any unwanted intrusions into the system worthless.
Payment processing companies need to invest heavily in tokenization and encryption technologies to prevent exposing payment data. Advanced key management protocols are typically put in place in addition to encryption solutions built into the platform.
M&A activity has dramatically escalated within the payment processing space. What technology considerations should payment companies consider as mergers and acquisitions occur?
Naganand: There are several large payment processing organizations in the process of merging, and there are a couple of factors driving this.
One, the US’s acquiring landscape has been very fragmented compared to other parts of the world—there were just too many players in the American payments ecosystem.
The second reason is innovation. The large companies in the space are traditionally slower to innovate, so they acquire smaller companies with desirable innovations. They are often acquiring relatively modest user experience innovations, but purchasing these small companies is a lot less expensive than developing them independently.
The cloud has a lot to offer from a technology integration standpoint during M&A activities. Microservices and containerization make it much easier to use scaffolding solutions to blend the two organizations’ technology infrastructures—much easier than trying to make two legacy systems talk to each other.
Are payment processors using offshore teams in new ways as they strive to reduce costs, improve efficiency, and increase innovation?
Naganand: Payment processors continue to use offshore teams to manage routine and repeated business tasks so that internal teams can focus on high-value activities. For example, earlier I mentioned the rapid roll-out of touchless solutions. However, the work to qualify a new payment system to move into production has become very involved and complex. The required repetitive testing often takes four or five months and is perfect for an offshore team, allowing onshore engineers to spend time performing high-value work.
What has changed in the last three to four years is the increased integration of offshore and internal onshore teams. Traditionally, clients would give their requirements to the offshore provider to work on their own. Updates were provided once a week or once a month, but it was not a routinely collaborative process. Working under a traditional waterfall construct, the project either hit the mark, and the client was thrilled, or the work missed the mark leading to additional costs and disappointment.
Thankfully, this construct has transitioned into an embedded Agile model. Regardless of where a worker is physically located, they are part of team sprints. Daily calls and interactions with the scrum master and the team members keep the entire distributed team on the same page and allow for corrections as needed.
With Agile, the feedback is instantaneous, and anything moving off course can be adjusted quickly. This working style goes a long way toward blending time zones—it doesn’t matter where a specific worker is located anymore. Most importantly, the efforts of the team are integrated.
Payments innovators seem doomed to fight the same battle over and over. Even when they win the battle, they find themselves facing the same enemy, just in another place. Fraud is perhaps the most potent example today.
Take credit card fraud. It was common knowledge that Europay / Mastercard / Visa (EMV) would be a powerful weapon against fraud, but just one kind of fraud – cloned card fraud. And there was the history of what happened in other countries when EMV was implemented: other kinds of fraud spiked. Fraudsters didn’t decide to become respectable shopkeepers just because EMV closed off one of their favorite routes to ill-gotten gains.
And sure enough, today, in the wake of the U.S. fraud liability shift and widespread EMV implementation, cloned card fraud is down, but eCommerce fraud is higher than ever, according to Experian data, with a net increase in overall fraud. Pymnts.com reports, “According to the Federal Trade Commission, the percentage of consumers who reported that their stolen data was used for credit card fraud basically doubled year on year from 16 per cent in 2015 to more than 32 per cent in 2016.”
Worse, Experian expects eCommerce fraud to get worse before it gets better. Fraudsters are upping their game, consumers are still falling for scams to an astonishing degree, while companies trying to protect them face a dire shortage of good-guy cyber security experts.
TechRepublic reports, “The shortage of skilled cyber security professionals is only growing worse, with the projected talent gap reaching 1.8 million jobs by 2022.” Moreover, “A recent report from ISACA found 55% of organizations reported that open cyber positions take at least three months to fill, while 32% said they take six months or more. And, 27% of US companies said they are unable to fill cybersecurity positions at all.”
So once again, as payments innovators inspire fraud Whack-a-Mole, it’s a good time to ask, are you making security an integral part of any payment innovation? Does it always have to be an add-on, while fraudsters get rich by taking advantage of the lag time? eCommerce is an incredible success story – almost $100 billion a quarter and still growing steadily. But will fraudsters be the ones who profit most?
Not if organizations disavow piecemeal treatment of payments’ two imperatives: compliance and security. Brick-and-mortar operations may be secured once your organization is EMV-compliant, but there’s the whole payment ecosystem of your business to consider. The security world is rife with vulnerabilities appearing in the gaps between otherwise faultless implementations. The solution: Treat compliance and security holistically – ensure that your trusted advisors create comprehensive solutions, even when the challenges appear to be one-off. The growing connectedness of all things payments-wise will only exacerbate today’s vulnerabilities.