How to prioritise security? Insights from the payment processing industry
When it comes to compliance and security, no other industry is as strictly regulated as the financial industry – especially when working with payment processing like we at Enfuce do. That’s the playground I have been in for the last 20 years. During all these years, I’ve learned to love the regulated and controlled environment.
In payment processing, we’re handling sensitive data about people and their payments. When you are dealing with money, you need to be aware of the negative side: money laundering, human trafficking and terrorist funding. That’s why the strict regulations are more than justified.
For Enfuce, compliance and security are hygiene factors. If we do not operate in a compliant way, I can quit my job on the spot.
When systematic, industry-wide regulations that require compliance and security are missing, many industries rely on self-monitoring and on following best practices. Unfortunately, the lack of such regulations often leads to industries falling behind. I’m certain that companies are not neglecting security and compliance on purpose; they lack knowledge and understanding. For these companies, security is not a priority unless it has to be. Yet regulation is a great way to make it one.
The fact that security is not a priority for every company shows why we should share our knowledge across industries. The financial industry is a great benchmark and a place to learn from for many others.
Build, maintain, audit and repeat
Enfuce was the first company in the world that took payment processing to the public cloud. That was already years ago, and I still hear arguments suggesting that the cloud is not a safe place to store sensitive or toxic data.
It is true that the security and compliance of on-premises solutions or the cloud shouldn’t be taken as a given. Security is all about how you build your solution, how you maintain it and how you audit it. I often compare this to building a house. First, you create a building plan that includes, for instance, structural strength calculations. This plan then needs to be approved by an external party before you can start building. When the house is complete, you keep maintaining it continuously.
This brings me to my greatest piece of advice: having a mindset we at Enfuce call “compliance and above”. It is a principle we have had from the beginning. So, when you are building a solution, make sure that it stays secure in the future as your business grows. Circling back to the house analogy: you don’t want to build a house where you find indoor air problems after a few years, or realise that it’s far too small right after completing it.
Compliant and secure services do not mean bad user experience
One often-heard claim is that security leads to bad user experience. Few people actually enjoy paying. Consumers want their payments to be fun and effortless. One good example is Klarna. People keep using it when shopping online even though it is not based on strong customer authentication, which increases the risk of misuse. It just feels so effortless.
It’s easy to blame security for a bad user experience, but I see that as laziness. Technology is never the issue. The challenge is organisational silos and poor management. When I was working as a CIO, I wasn’t interested in the end-user experience. My performance was measured by other KPIs.
I’m sure that in the future we will see plenty of user-friendly, effortless, and secure payment services. Enfuce and I will stay at the forefront of this development.
This article was originally published in the 3/2021 edition of the Cyberwatch Finland magazine on 20 August, 2021.