Can the local IT industry help with digital payment security?

Last week, this column took up the question of digital payment security from a banking viewpoint in the wake of the central bank’s specific guidelines on digital payment security which were issued November 28. This piece will seek to answer whether the local IT industry is ready to help secure the banking system’s payment security needs.

There are concerns that foreign IT firms and payment schemes may get most of the new business. Shehryar Hydri, Secretary-General (SG) of the Pakistan Software Houses Association (P@SHA), told BR Research that every successful ecosystem has to have a mix of local and foreign players and that’s largely the case for Pakistan as well.

“Local security firms and systems integrators will always be a part of the equation as the top brands need local partners. Most of the solutions will be imported but implemented with local teams. This will be a good opportunity for them to develop their own products and solutions that they can then pitch in the region,” Shehryar said.

In the end, the argument for exclusively buying Pakistani IT products and services may not hold water for banks which are now looking for foolproof assurances on digital security. Qasif Shahid, CEO and founder of Finja, a Fintech startup, told BR Research that “It is advisable to explore required skill-set, especially when it comes to data security. And for that, if a bank feels that an external review or vulnerability assessment needs to be carried out, then it should be preferred.”

Among the directives issued by the SBP, there is an immediate one that requires the banks to undertake “extensive vulnerability assessment and penetration testing” across their payment channels, through internal as well as external reviews.

Banking veteran and digital payments expert S.M. Arif told BR Research that there are no local entities that can do an end-to-end exercise in those two areas, though some can do a fairly good job in the area of ‘network assessment’. “The payment space has very limited practitioners, mostly engaged with different institutions. Both areas require a blend of consulting exposure and practitioners’ experience. But it can be achieved through cross-sectional teams, just like a war-gaming exercise or peer reviews, thereby gaining experience and fixing experience from cross-learning.”

There are concerns in the local IT industry that in some cases the SBP indirectly encourages banks to develop their own IT infrastructure instead of allowing the banks to use third-party technology providers. Shehryar from P@SHA also feels that the regulatory regime is generally conservative about using on-premise hosting and avoiding cloud for financial data.

“This is a tricky path as the world is moving towards the cloud and some segments in our industry and government are considering a locally-hosted cloud within Pakistan. The large cloud players will never open data centres here and the local ones will be prone to arm twisting by the authorities. So, it is a complex problem for now,” he cautioned.

Then there is also the issue of the absence of a viable local payment scheme. Qasif from Finja feels that a major reason behind that is the global acceptance that Visa and MasterCard have compared to local schemes. “Visa and Master are able to match customer’s need and they also have a brand impact. Yet, PayPak with the support of SBP has launched and has started to gain traction.”

Shehryar attributes the absence of a viable local payment scheme to a mix of unsupportive policy and guidelines as well as some of the key parts missing from the equation.

“Despite the high license costs and inaccessible data, APIs, etc., Fintechs as well as larger players are still trying to break through in this massive market. The ideal scheme is one where we have a local and international provider like PayPal. But I think we may see a bit of fragmentation as companies and the SBP try to do small experiments with local networks like PayPak,” noted Shehryar.

After the SBP’s directive, there are fears that the rules will affect the payment digitization process at the banks internally – something which the local IT industry would directly feel. But still, the verdict seems to be in favour of strong regulations on digital payment security, owing to sustainability issues.

“Most of the new rules are risk-averse and may significantly slow down the digital payments process. However, from a regulatory viewpoint, it is stringently prudent passing on the entire responsibility onto financial institutions. In our view, a better approach would be for the industry and the stakeholders to get together to promote innovation in data/information security before implementing such regulations,” said Qasif.

Shehryar said the new rules may slow things down in the short-run (3-6 months) but it would be helpful in the long-run to have a more secure ecosystem.

“The trick is in balancing the rules so that you don’t over-regulate the fledgeling digital payments and Fintech sectors and still maintain a safe environment. The digitization has to happen, one way or another. But it depends on which path we choose to take and how risky that path is. Historically, we’ve been on the conservative side – banning crypto-currencies is one example,” he explained.

To get local IT firms more local business, P@SHA has to play its role. The P@SHA SG said that they are already working with a select few banks that are serious about their digital transformation by connecting them to relevant vendors and helping them discover upcoming small startups that may not be well-known but usually have very interesting products.

“Besides security, there is a lot of work that small teams are now doing in Data Analytics, Artificial Intelligence, Blockchain, etc. Banks are now open to partnering with these cutting-edge teams in addition to the well-established partners that they’ve always had,” he said.

Copyright Business Recorder, 2018