Changes in regulations, and the competitive landscape are disrupting the payment ecosystems. This article explains why concerted action on crypto is needed by the banks’ CEOs and CISOs.
Disruptive change from all sides
Changing competitive landscape
The long stable banking world is currently being challenged by external intruders like Apple, Google, Microsoft, or Alibaba. A multitude of Fintechs is entering the market with value propositions around payment and analytics.
Regulation and standard-driven change
Banking regulations like the European Payment Service Directive 2 force banks to open up their payment APIs to Fintechs creating an agile ecosystem of replacement but also coopetition.
A new PCI standard puts the lever on security: PCI PTS HSM v3 forces banks to replace insecure Hardware Security Modules and to replace them with new HSM designs, which are built around key blocks. Many of the new HSMs are not backward compatible, requiring lots of adaptations in banking applications, when the HSM backbone is being replaced.
Consolidation on the supplier side
The growing integration of cryptographic components and the pressure for rapid innovation started an ongoing wave of mergers and take-overs. In many cases, a multi-sourcing strategy lost its validity as suddenly former competitors ended up being part of the company.
Resulting and unavoidable infrastructure changes - a chance in a life-time to clean up the legacy infrastructure
What appears like a threat to the banking world is actually a great opportunity, comparable to the time of deregulation in the telecom sector during the 1990s. As a result of the deregulation, established telecoms boomed, fueled by ecosystems of startups and service providers around them, eager to dock onto their infrastructure and to co-create service proposals.
The banks have the same opportunity. As cash-based payments keep on losing importance, more and more payment related services are routed through the banks.
The regulation-driven change of infrastructure can now help to improve the banks’ competitiveness.
What are the processes concerned?
When talking about payment, we think about three four axes:
- ATM involving cash withdrawals,
- Card Not Present Transaction (CNP),
- EFTPOS This and CNP is currently covering a big percentage of the payments. However, parts of it are moving to alternatives,
- Payment Apps, the fastest growing segment, involving big players like Apple Pay, Paypal, Google Pay or Alipay. However it also includes many Fintechs, docking on the bank infrastructures to co-create service offerings.
Traditional mainframe systems where optimized on handling ATM transfers. The challenge is that their rather monolithic structure is not good at coping with the ecosystem driven open innovation from the Payment App axis, which led to the emergence of countless new services driven by intruders from a non-banking background.
Consequently the banking application software market is also undergoing disruptive change. Traditionally dominated by the mainframe providers IBM and HPE, today the biggest growth (%) can be seen with more service oriented providers like Microsoft, Temenos Group or SS&C Technologies.
Close cooperation of CEO and CISO
Good crypto infrastructure needs to be able to service all 3 axes, be flexible, manageable (meaning not too complex), compliant and allow for central and comfortable auditability.
Decisions on cryptographical infrastructure are by default strategic as they determine the banks future strategic scope of manoeuvre and how quickly it can respond to market requirements and service opportunities.
In the same time, c-level business decisions cannot be taken without consulting the CISO and his or her crypto team, as they have to provide an infrastructure which is able to accomplish the bank’s strategic goals and which is compliant to the regulations in the envisioned fields of activity.
Also simple managerial factors like total cost of ownership (TCO), compliance and risk mitigation through dual vendor strategies need mutual understanding.
In our next blogs...
In the next blogs we will dive deep into these aspects and look at the parameters to be tuned, including managing the risk of (key) migration, Total cost of ownership, reduced complexity / simplicity, flexibility, dual vendor strategies and PQC-proof infrastructures. Our series on total cost of ownership sheds light on each of these aspects from technical and strategic perspectives.
We did not address cloud as an independent axis as it is not a strategic alternative but a way of providing and implementing the service offer in a trade off of advantages and disadvantages (read more in our extended article on architectural alternatives and in our series on cloud subjects and Utimaco’s Crypto Server Cloud).
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.