Changes in regulations, and the competitive landscape are disrupting the payment ecosystems. This article explains why concerted action on crypto is needed by the banks’ CEOs and CISOs.
The long stable banking world is currently being challenged by external intruders like Apple, Google, Microsoft, or Alibaba. A multitude of Fintechs is entering the market with value propositions around payment and analytics.
A new PCI standard puts the lever on security: PCI PTS HSM v3 forces banks to replace insecure Hardware Security Modules and to replace them with new HSM designs, which are built around key blocks. Many of the new HSMs are not backward compatible, requiring lots of adaptations in banking applications, when the HSM backbone is being replaced.
The growing integration of cryptographic components and the pressure for rapid innovation started an ongoing wave of mergers and take-overs. In many cases, a multi-sourcing strategy lost its validity as suddenly former competitors ended up being part of the company.
What appears like a threat to the banking world is actually a great opportunity, comparable to the time of deregulation in the telecom sector during the 1990s. As a result of the deregulation, established telecoms boomed, fueled by ecosystems of startups and service providers around them, eager to dock onto their infrastructure and to co-create service proposals.
The banks have the same opportunity. As cash-based payments keep on losing importance, more and more payment related services are routed through the banks.
The regulation-driven change of infrastructure can now help to improve the banks’ competitiveness.
When talking about payment, we think about three four axes:
Traditional mainframe systems where optimized on handling ATM transfers. The challenge is that their rather monolithic structure is not good at coping with the ecosystem driven open innovation from the Payment App axis, which led to the emergence of countless new services driven by intruders from a non-banking background.
Consequently the banking application software market is also undergoing disruptive change. Traditionally dominated by the mainframe providers IBM and HPE, today the biggest growth (%) can be seen with more service oriented providers like Microsoft, Temenos Group or SS&C Technologies.
Good crypto infrastructure needs to be able to service all 3 axes, be flexible, manageable (meaning not too complex), compliant and allow for central and comfortable auditability.
Decisions on cryptographical infrastructure are by default strategic as they determine the banks future strategic scope of manoeuvre and how quickly it can respond to market requirements and service opportunities.
In the same time, c-level business decisions cannot be taken without consulting the CISO and his or her crypto team, as they have to provide an infrastructure which is able to accomplish the bank’s strategic goals and which is compliant to the regulations in the envisioned fields of activity.
Also simple managerial factors like total cost of ownership (TCO), compliance and risk mitigation through dual vendor strategies need mutual understanding.
In the next blogs we will dive deep into these aspects and look at the parameters to be tuned, including managing the risk of (key) migration, Total cost of ownership, reduced complexity / simplicity, flexibility, dual vendor strategies and PQC-proof infrastructures. Our series on total cost of ownership sheds light on each of these aspects from technical and strategic perspectives.
We did not address cloud as an independent axis as it is not a strategic alternative but a way of providing and implementing the service offer in a trade off of advantages and disadvantages (read more in our extended article on architectural alternatives and in our series on cloud subjects and Utimaco’s crypto server cloud).