The future of payments in the cloud


Almost without us being aware of it, the way we pay for day-to-day products and services has changed completely and it has become easy to go through life rarely needing to make a non-digital payment.

A typical city dweller might now travel to work in an Uber, buy a coffee using the Starbucks app, use Apple Pay to buy lunch and after-work drinks and then prepare a meal with ingredients delivered through a subscription service. Their payment card never needs to leave their pocket for credit card processing.

About the author

Andy Barratt, UK managing director at Coalfire.

These ‘frictionless’ experiences are what consumers of most ages and economic groups have come to expect, and they’re becoming a key differentiator for those brands that have been able to move with the times and offer seamless digital payment.

Clouds on the horizon

The ongoing evolution in payment technology is big business, and the major tech players – Google, Apple, Facebook and Amazon – are starting to push the traditional banks out of the process. For any consumer-facing business wishing to offer customers a more seamless purchase experience, there’s a good chance one or more of these entities will actually be the ones delivering it.

If consumer brands are to harness the benefits of offering customers frictionless digital payment options, the big enabler will be cloud computing solutions – that is, services that are widely available to all over the internet, rather than bespoke builds commissioned by brands themselves.

However, the shift in mindset required to embrace the cloud and allow third-party providers to handle payment processes is actually proving to be a significant barrier to many businesses taking the next step – so it’s important for us to shatter a few myths that persist around the technology.

Myth one: Public clouds are insecure

One of the chief barriers to businesses choosing to adopt cloud payment platforms is a lingering perception that they are less secure than their own systems, particularly for those who don’t want to shell out for expensive IT infrastructure for a private cloud.

In fact, public cloud service providers’ entire business model depends on them offering the very best security. Done right, it is every bit as secure as virtually any in-house solution that would be affordable for most businesses.

Of course, the onus is still on the business using the platform to keep its own data safe, as would be the case if they were using a local server. If an employee has their login details phished and an intruder gets inside, there is still a risk of a data breach. However, a public cloud provider is far more likely than the business to have a framework of technology and procedures in place to investigate the incident and help with data recovery.

Myth two: Regulatory compliance is harder to manage in the cloud

Cloud services are not the solution to all brands’ data protection challenges, but they can deliver impressive levels of transparency and are often specifically engineered to make regulatory compliance easy. Much like security, data privacy is all part of the service for hosting companies and there is a very long and ever-expanding list of cloud services that have been given the blessing of the Payment Card Industry (PCI) Security Standards Council.

Again, what any given user does with their own data is often beyond the control of the cloud-service provider, so it is not possible for a company like Amazon Web Services (AWS), for example, to offer its customers a compliance panacea. However, what it can and does do is guarantee users that rigorous data-privacy policies are in place and give full disclosure on exactly where a brand’s data is stored at all times.

This should give businesses all the information they need to answer even the most challenging compliance questions.

Myth three: Buying cloud services means relinquishing control

In the end, a lot of the resistance to adopting cloud payment platforms boils down to a perceived loss of control. However, the growth in popularity of public cloud services means that the choice of suppliers and the kinds of services they offer has grown rapidly in recent years, handing control back to those using the services, who are now free to vote with their feet if any aspect of a service doesn’t meet their requirement.

The key for any brand looking to bring a cloud payment service into the mix is to be a discerning customer and to understand exactly what the agreement entails.

As with any outsourced relationship, the devil is in the detail. There is no substitute for carefully understanding the full breakdown of roles and responsibilities and scenario-planning to identify potential flaws in the workflow before a contract is signed.

Cloud providers should be happy to share a matrix breaking down how their partnerships work, making this process easier.

Changing expectations

As seamless payment systems grow in popularity among the most forward-looking companies and customer expectations around their payment journey evolve, brands that don’t join in stand to miss out on a fast-growing portion of consumer spend.

Of course, as the threat of cybercrime increases and regulations aimed at keeping customer data safe get tighter, it’s easy to understand the trepidation of some in adopting the public cloud services that will allow them to get a slice of the action.

Ultimately though, the misconceptions about cloud security will fall away for those with a thorough and accurate understanding of what it can offer. It’s these firms that will win the race to offer customers the very best payment experience.

Andy Barratt

Andy Barratt is the UK managing director at Coalfire, an international cyber security agency.

Andy has almost 20 years’ experience working in IT infrastructure, information security and assurance services. He is among the most experienced PCI DSS QSAs in Europe and leads the global delivery of application security and whitepaper technical validation services.

He is actively involved in supporting security and the alphabet soup of compliance (ISO, DPA, PCI, GDPR, FCA) with a number of technology companies, software suppliers, payment processors, acquiring banks, insurance underwriters and other complex service providers. He has sector experience in financial services, oil and gas, retail, software, cloud and technology.