Written by Sean Ventura, Chief Information Security Officer. This article was originally published on PaymentsJournal.
When you think of bank security, the vault is probably the first thing that comes to mind. All of your wealth locked behind a foot of steel and concrete. For decades, that was enough to protect a bank’s most valuable assets.
Today, we’re managing a second vault: one filled with customer data, locked behind layers of encryption. The trouble is that today’s bank robbers aren’t working with dynamite, like in the westerns; they’re behind powerful computers. Many banks are still reliant on mainframes because of the processing power they provide – and because they’ve performed well for decades. But legacy systems that manage a bank’s digital activities may not be as prepared for this new kind of criminal as they need to be.
Fixing the problem doesn’t necessarily involve abandoning legacy systems, however. The rise of clouds such as Microsoft Azure provides for a hybrid approach – with the cloud functioning as a new vault door, protecting functions that provide access to data, such as customer login.
Two security standards, one long-standing and another on the horizon, are driving greater acceptance of the hybrid cloud-mainframe approach among financial institutions.
PCI-DSS: A new solution to a banking standard
Banks are no strangers to the regulations surrounding cybersecurity – for more than a decade, the major credit card providers have enforced PCI-DSS compliance, guiding banks through the proper channels of securing data.
PCI-DSS’ core components, such as maintaining a strong firewall and keeping data encrypted, have remained the same over the years. However, PCI-DSS’ governing body continues to update the regulations as new threats emerge, meaning banks that were once compliant may no longer be. Although security is a critical function, keeping up with compliance can be a full-time job – and FI information technology teams are often stretched thin, as banks roll out more innovations to remain competitive with fintech startups.
In response, some FIs have turned to cloud managed service providers. The cloud MSP becomes a middleman, hosting some of the bank’s PCI-DSS-related controls on its servers and bridging customers from public portions of the FI’s website or application to their personal data. By choosing a cloud MSP, FIs share (and reduce) the risk of a data breach with a partner focused on security – and give their IT teams breathing room to focus on long-term projects.
PSD2: An answer to tomorrow’s expectations
PSD2, which went into effect in the European Union last year, could also expand cloud adoption in the U.S. financial sector if Congress were to pass similar legislation – a possibility bank directors are closely watching.
Although PSD2 is less focused on security and more focused on customer preferences, its rules will ultimately necessitate more advanced security practices. PSD2 requires FIs to open what was once proprietary customer data to any company their customers permit – meaning retail giants such as Amazon could process transactions without the bank’s involvement using application programming interfaces (APIs). It also allows Account Information Service Providers (AISPs) to aggregate financial data, clearing the way for apps that could bring all of a customer’s bank accounts and credit cards into a single dashboard view, regardless of which FIs hold them.
Because APIs will serve as new doors between customers and their financial data, it’s critical that FIs build and house their APIs in a protected environment. As it does with PCI-DSS compliance, the cloud provides a security structure around these APIs that alleviates the security upkeep burden on an FI’s IT team.
The cloud will play another critical role in PSD2: enabling innovation. As more companies gain access to customer financial data, banks will encounter growing competition for customer attention – the rise of AISPs will eliminate the need for customers to log in to their accounts, reducing their interaction with the bank. The cloud offers a platform for FIs to build and launch new offerings and applications that will help protect their revenue stream in an increasingly crowded market.
A door to greater security – and new opportunities
Cloud migration can seem like an overwhelming, costly task. However, for banks that are happy with their current mainframes, it’s not necessary to make a radical shift. By investing in the cloud to protect existing data structures, you can strengthen your security measures without moving your data – and prepare your IT team for the competitive and cybersecurity challenges that lie ahead.