‘Remote is the new normal’ – How FinTechs can move towards remote payments security
Three trends have emerged in the last two years, largely because of the pandemic: more people than ever are accessing financial services online, most white-collar workers are working from home and cybercrime is at record levels. Together, these three trends could have a profound impact on payments security, particularly the security of FinTechs.
Although most people did not work from home in 2020, it is very likely that the majority of the FinTech industry did – while only 25.9% of Britons worked from home last year, that number grew to over 40% for professional and technical occupations, which would make up the majority of FinTech jobs. Recent research also estimates that 36.2 million Americans will be working remotely by 2025 and this trend is likely to be global, with many financial institutions consolidating and closing offices in favour of remote and hybrid working. With this in mind, the traditional model of either operating your own data centres or using co-located ones to house hardware and applications could present logistical challenges when your workforce is remote, and more so if your workforce is spread across the globe. This will prove especially costly and time-consuming for payment companies operating within the transaction processing or card issuance field, where key ceremonies are required and typically involve key custodians attending multiple data centres that host the HSMs.
Having a large increase in potential customers and a remote workforce creates vulnerabilities, and there has never been a worse time to be vulnerable to cybercrime. We are in the ‘age of the cyber-attack’, in which large-scale attacks are becoming a nearly daily occurrence and dozens of people and businesses will have lost money to criminals during the time it has taken you to read this paragraph. But what can a company do when it faces a ‘perfect storm’ of threats to its security?
Scaling up in the ‘new normal’
Typically, a company that handles a huge amount of internet traffic, such as a financial services company with large amounts of sensitive customer data flowing in and out, would deploy a large server to handle the traffic and specialised components for certain important tasks – the Payment Hardware Security Modules (HSMs) that secure sensitive payment data during a payment transaction being one example. If the company in question had a surge in traffic, as happened to many companies during the last two years, then their only choice was to build bigger servers, with more hard disks for customer information and faster internet connections.
Today, it’s impossible to imagine life without cloud-based services. They’re behind our emails (Gmail), our work lives (Microsoft Teams and Slack) and entertainment (Netflix, Spotify). They can also provide a solution for companies in the wider financial industry, and FinTech in general. Cloud services are unique in that they scale extremely well – there’s no large expense for buying more server capacity or downtime while it is installed. If a company sees a sudden surge of customers, around holidays like Black Friday for instance, then their cloud service provider should have the extra capacity to accommodate their needs.
Platform-as-a-service (PaaS) and Infrastructure-as-a-service (IaaS) models are particularly valuable for smaller and start-up FinTech companies. IaaS replaces the storage and networking functionality that companies would typically host in an on-site data centre, while PaaS includes development environments that allow companies to create and deploy apps, websites and software in collaborative environments. Together these allow small companies to create solutions that can scale to any size – if a company needs more storage space, they can pay to be in a higher subscription tier, and it will come online almost instantly.
Having everything from customer data to the code that powers a FinTech company’s apps stored in the cloud also has security implications. Despite the maxim that ‘cloud-hosted just means somebody else’s computer’, it can be far safer to store data with a cloud service than on your own company’s server, especially if you lack the in-house expertise to manage specialised components required to comply with regulations for financial services. Even though cloud service providers are typically very large companies that can afford security teams, it is still important for FinTechs to understand the shared responsibility model for securing cloud deployments.
Cloud-based payment security
But being able to develop, deploy and scale new payment solutions is only half the battle when the level of cybercrime is as high as it is in 2021. Although a customer’s information might be safely stored in a cloud data centre, that information still needs to travel from the customer themselves to the data centre when they enter it. In FinTech, using and transferring highly sensitive data like bank account details is vital to doing business, and data being passed between clients and their FinTech provider needs to be secured and encrypted to a very high standard.
HSMs can carry out all the important security tasks a payments company would need: validating PINs, processing transactions, issuing payment cards and managing cryptographic keys. However, they require specialist knowledge to operate effectively. Cloud-based ‘Payment HSMs as a service’, on the other hand, can be deployed quickly, are paid for on a subscription basis, can be accessed and monitored remotely and are easily scalable.
Given how much of our lives is now cloud-based, up to and including our work lives, it seems sensible for FinTech companies to trust cloud-based systems for their development, scaling and security.