In financial services, demand for ease of use and security are sky-high, even for business customers. But for many service providers, achieving one can often mean compromising the other.
Payments and financial service providers are facing an even greater challenge in balancing these two capabilities in the age of open banking and cloud migrations, with more opportunities than ever before for sensitive company and customer data to be compromised.
Lior Cohen, senior director of cloud security products and solutions at cybersecurity firm Fortinet, recently told PYMNTS why the digitization initiatives many payment service providers undergo in the name of better customer experience can exacerbate security risks.
“Financial services and payments companies today are required to enable and support innovative new ways for customers to conduct financial transactions from any device, and from any location, without exposing themselves or their data to risk,” he said.
As such, services integrated into mobile phones, tablets, computers, Internet of Things (IoT)-connected devices and more may mean a more convenient service for end-users, but as Cohen noted, this monumentally increases the “attack surface” upon which cyberattackers can infiltrate and compromise.
A Regulatory Minefield
The cloud has emerged as an essential tool to enable financial service providers to digitize and remain agile enough to provide the kinds of convenient, responsive services and products their customers require. But cloud migrations are often complex, particularly when it comes to remaining compliant with the mounting regulatory initiatives designed to address growing security risks in the financial services arena.
Cohen pointed to regulations like PCI-DSS, developed by the Payment Card Industry Security Standards Council for merchants that accept in-person and digital payments to safeguard the data of their customers and payment cards, as well as GDPR (General Data Protection Regulation) in Europe.
Other regulations adding weight to financial service providers’ compliance burden include Europe’s PSD2 and the U.K.’s Open Banking, which promote end-customer ownership of financial data and enable those customers to allow for banks to share their financial data with third-party service providers.
These regulatory initiatives center around both end-user experience and data security, but as Cohen noted, they “add extra complexity and risks to cloud migrations if security isn’t part of an organization’s cloud strategy from the onset.”
Regulatory mandates “seem to update every year,” he added, meaning service providers will continue to have to stay on their toes to keep security and compliance at the center of their cloud migration and digitization initiatives.
Greater Security Without Compromising UX
The combination of an expanded attack surface and intensifying security regulations has financial service providers investing heavily in cybersecurity and other data protection technologies.
While that focus on data security is positive for the industry, Cohen warned that it can also hamper financial services players’ other key focus on promoting a better end-user experience.
“Financial services firms deploy more and more point security products to cover the gaps created by the expanding attack surface,” he explained. “The resulting security silos obscure visibility, grow operational inefficiencies and increase risk.”
It’s in this way that payment and financial service organizations’ security investments can actually backfire, rendering firms less able to address security lapses from one platform, product and security tool to another.
Those silos can also compromise the ability for a financial service provider to provide the seamless, elevated user experience they’re pursuing by migrating to the cloud in the first place.
Cohen noted that security incidents, however, can harm a user experience or customer relationship with a service provider, sometimes irreparably.
“In the financial services and payments industries, the implications of a security event are multifaceted,” he noted. “End-user credential loss can have very immediate financial implications to customers, and in turn to the organization’s reputation.”
Continuing to invest in cybersecurity and data protection capabilities must remain a priority as both security threats and regulatory requirements grow. However, as Cohen added, it’s up to payment and financial service providers to balance their compliance and security initiatives with the elevating demand for better user experiences and digital products.
For many firms, that will mean a strategic approach to deploying qualified staff toward security and compliance initiatives without taking experts away from more strategic initiatives within the enterprise, said Cohen. And with security at the top of the priority list for service providers migrating to the cloud in the name of better customer experience, businesses can strike a balance between maintaining data integrity and product innovation.
“With advanced security technologies in place,” Cohen said, “institutions can have more confidence in the exchange of data in the cloud, while maintaining high confidentiality and integrity.”