The third-party piece

Nicola Griffiths, Account Manager for MYHSM, and John Cavebring, Founder & CEO of Hips, discuss the impact of Cloud-based managed services on compliance

Regulation has been the catalyst for so much innovation in the fintech/paytech space; but the cost of compliance is also, potentially, one of the biggest barriers to market entry.

Serial paytech entrepreneur John Cavebring recalls how, during product development for one of his early startups, there was no alternative but to invest in hardware security modules (HSMs), just to run the tests.

“It’s extremely expensive hardware, too, and it was just lying around the office for years after that, not being used,” he says.

By the time he came to found Hips Payment Group in 2016, an alternative option had become available: hardware-as-a-service (HaaS), delivered in the Cloud. As a Cloud-based provider itself, it made absolute sense for Hips to partner with an expert in such systems.

“Our main goal at Hips is to make a platform available for any merchant or company that wants to go into the payments industry without breaking any rules, so they can focus on what they are good at,” says Cavebring.

“Whether they are a mobile phone company, or a small merchant selling flowers, they do that best, paying a small fee for us to ensure everything around them is compliant.”

Equally, Cavebring says, if every business it’s servicing downstream is concentrating on the things it is good at, ‘Hips itself is not doing HSMs’. Instead, it looks to MYHSM ‘because it not only has all the hardware, but also the licences that come with it’.

It’s an area of expertise that requires not only a dedicated team, but relentless monitoring and updating as the regulations change.

MYHSM concentrates exclusively on providing payment hardware security modules and related compliance, including Payment Card Industry (PCI) certification that regulates critical functions, such as how a PIN is transferred and encrypted. And it’s all delivered via the Cloud.

Nicola Griffiths, account manager for MYHSM, believes the technology is the key influencer in digital disruption.

“The Cloud is an essential platform for catalysing innovations in the fintech sector,” she says.

“It allows fintechs to innovate without constraints; it can provide faster time to market; and it allows them to focus their valuable IT resources on developing applications that will ultimately differentiate their businesses and transform customer experience, without the burden of managing infrastructure and datacentres, and the associated costs.”

The backdrop to MYHSM’s relationship with Hips and many others is an atomisation of financial services – myriad payment options offered by non-traditional providers, from the contactless payments vending machine where you grab a coffee at the airport, to the invisible Uber transaction you make on your short trip from the terminal to a meeting, and the QR code you scan to pay and play at the golf course after work.

They all share the common need to be not only secure, but also trusted to be so by consumers.

Arguably, many of these wouldn’t have been possible without innovative fin/paytechs relying on Cloud-based, third-party solution providers to ensure the risk remains proportionate as they scale.

“More and more companies are moving into fintech that aren’t typical players, because it’s so easy to do now with Cloud-based regulation-as-a-service and HaaS,” observes Cavebring.

MYHSM supports them by offering a test service, so they can securely and inexpensively develop payment apps using the latest payment HSMs, on either in-house IT infrastructure or in a Cloud services environment, such as Amazon Web Services, Azure or Google. All MYHSM services are accessed over industry-standard networking services, to guarantee the privacy of transactions.

Griffiths adds: “We can help provide speed to market and help them adopt a multi-Cloud strategy. We also take care of the management, monitoring and system maintenance, via our online portal, which also allows our customers to monitor their data usage, track their performance stats, and check their latency status.

“Our test service allows fintechs to develop and test their payment applications, whether on-premise or in the Cloud, in as little as three days, after which they can be migrated to MYHSM’s live service where they’ll have access to three payment HSMs in two geographically separate data centres, providing resilience and 99.999 per cent availability. Our aim is to encourage the growth of the fintech industry, and support them from the early testing phase through to the live transaction. We do that by providing a fully-managed and compliant service, at a very cost-effective price.”

In effect, it’s like owning your own payment HSM, except ‘the string is a little bit longer’, says Griffiths, with MYHSM providing its own secure, scalable, hosted environment for clients like Hips.

Where data is stored, and whether it can be traced easily, are among the key questions to be addressed before opting for a Cloud-based service, because outsourcing regulation doesn’t mean outsourcing responsibility if data security is breached or cannot be traced. But it does mean someone else is keeping an eye on the compliance landscape for you.

Financial regulation is a ‘work in progress’, reflecting the evolution of technological threats and industry advances more generally. The latest, version 4.0 of the Payment Card Industry Data Security Standard (PCI-DSS), for example, is expected to be ready by the year-end. While its 12 core requirements, including regularly updating and patching systems and conducting vulnerability scans, to name two, will be retained, it is also likely to be updated with a requirement to ‘promote security as a continuous process’. This reflects changes in the threat landscape and acknowledges the need for more flexible solutions to help organisations meet their security objectives.

It’s an onerous task if it’s not your core business, and it’s often not done well. As Verizon noted in its 2020 Payment Security Report (PSR), ‘poor performance in compliance assessments isn’t spontaneous, it’s the outcome of a sequence of activities and events based on strategic planning – or lack thereof. Unless the security and compliance strategies, business and operating models are improved, it’s mostly symptoms that are addressed’.

The report goes on to state that, on average, just 27.9 per cent of global organisations fully complied with the PCI-DSS at the time of publication. More concerning was that this is the third consecutive year of such poor compliance.

That degree of disregard for a key piece of risk management wouldn’t be tolerated by an external service provider, adding weight to the argument that Cloud-based services are, if anything, more secure than those owned and maintained in-house, so long as robust third-party protocols are put in place.

The relationship between MYHSM and Hips is a case study in how the service relationship works well in the interests of paytech (and consumers), especially for companies pushing into new territories, such as crypto, where, in the absence of close regulatory control, the industry has, by and large, had to prepare its own rulebook. As cryptocurrency adoption broadens beyond trading to a currency accepted as a payment method by online and high street merchants and supported by card issuers, Hips has pushed resolutely into that space.

Most recently, it launched the Merchant Token (MTO), issued on Ethereum, alongside the Merchant Protocol (HMP) and the Hips Merchant Protocol Gateway (HMP-gateway). By incorporating consumer protection concepts from the traditional card payment industry, and applying them to any blockchain with support for smart contracts, like Ethereum, Cardano (ADA) or Solana, the initiative is attempting to bring confidence and popularity to a payment surrogate that has lacked both.

As Cavebring puts it: “The consumer-oriented features of the MTO are the missing piece for crypto payments to achieve market penetration and mass-adoption among mainstream consumers.” That includes, he says, processing speed at very low cost.

“Hips Merchant Blockchain’s near-real-time transaction speeds are a vast improvement on current blockchain responses. Its Merchant Protocol is not only built for Ethereum, but also on Solana, a blazingly-fast public blockchain which supports over 50,000 transactions per second, has block times of 400 milliseconds and a transaction cost of roughly US$0.00001.”

The first trial of the MTO was announced a few weeks after its launch – a partnership between Hips and payment processor The Payment House, which will enable more than 20,000 taxis in Scandinavia and 10,000 in the UK to accept crypto-payments, at real-time transaction speeds.

Hips is working in other areas of the payments space, too – in particular SoftPOS, ‘which enables more or less any Android device to become a POS terminal with contactless payments’, as well as QR payments that don’t rely on a proprietary app. “We’re looking at ways of using QR scanners, and paying with domestic payment rails in different countries,” says Cavebring.

Griffiths believes that in the wake of a crisis that ramped up the adoption of these and other ‘contactless’ payments, ‘businesses will need to adapt to this or risk being left behind’.

“Fintechs will seek to meet these needs and with that comes increasing demand for payment HSMs,” says Griffiths. “Again, a fully-managed service takes away the cost and time associated with them.

“Running a successful business, now and in the future, will require a technology infrastructure based on Cloud foundations.”