Cybersecurity of Payment and e-money Institutions: which challenges for 2018?

Published: 8 February 2018
Updated: 20 February 2018

Either the target is a SME, a bank,  a payment or e-money Institution, the possible cyber attacks are pretty much the same: Denial of Service (DDoS), intrusion attack, malicious software propagation…

In cybersecurity like in all other domains, the zero risk does not exist. Thus, the FinTech sector invests substantial energy, the first step towards safety being not to deny the risk and to accept its vulnerability.

Payment & e-money Institutions: more or less vulnerable than the major financial players?


FinTechs and major financial players all take very seriously the cybersecurity risks, as their executives are aware of the value of the data stored in their system.


Each actor being a potential target, in addition to protection against attacks that cannot be at 100%, the focus must be on the means of detection of attacks and the activity continuity plan.

However, some elements of difference between the Payment and e-money institutions and major financial players can be easily identified:

  1. Payment and e-money institutions are still small structures; however, traditionally, attacks focused on larger targets, with high image impact  or  fraud;
  2. They have built their services on new technologies, less prone to security vulnerabilities (like the cyber attack using Microsoft operating system vulnerabilities); they do not have to manage and maintain obsolete legacy, a source of greater vulnerability;
  3. In general, they rely on outsourced and managed outsourcing services of large size, which for years have built very strong protection and resilience capabilities. The cloud models have also proven for years their supremacy in the field of internal servers;
  4. on the other hand, the lower experience of these young companies and their limited human resources can undeniably expose them to certain attacks; this fragility is compensated by their great agility and reaction capacity.


Opening of informatic systems and instant payment in 2018: towards new risks?


2018 will be a rich year in terms of changes for the payment sector. The opening of informatic systems and the instant payments will bring their share of opportunities and adjustments for all the player of the ecosystem. The Application Programming Interface (API) does not constitute an innovation in itself for the FinTech sector, already largely built on this technology: they have been around for years and have already proven their value. They are also recommended by the European Commission, which in the RTS ( Regulatory Technical Standards) published end of November 2017, confirms that APIs are a technology to be preferred for interbank exchanges. On the other hand, it is the SaaS industry (Software as a Service, or installation of software on remote servers accessible by a web page and not on a machine), which is evolving via the announced opening of the computer systems.


Protocols and authentication techniques exist and are already been used by banks for their internal applications ( a mobile banking application thus operates to connect to the legacy for example). The authentication techniques of third parties also exist and are proven ( example: OAUTH2, allows to authorize a website or an application to use the API of another website or another application).


Consequently, all stakeholders have the tools to connect banks and new players efficiently and securely. It remains to be seen whether all will have the resources and the agility to take advantage of this evolution of the sector.


While the whole economy lives to the rhythm of the Internet and immediacy, it seems incongruous today to have to wait 24 or even 48 hours for a payment to be effective, while the payment stage itself (checkout), whether it takes place in a physical box or on a web page, only takes a few seconds. The debate around instant payment is the result of a desire to bring the sector to the rhythm of society. It constitutes a true clear evolution of this one. Since November 2017, some players like the Spanish bank Caixabank are already ready to use this new payment scheme launched by the EPC (European Payments Council). Gradually, all European actors should be able to operate as well.


In terms of security, instantaneity can be a challenge for some. Indeed, the management of payments “batch” brings the comfort of being able to block suspicious transactions before being executed. But then, remains the question of the duration of these checks. However, the current technologies (Machine Learning and real-time robo-advisors, in particular), allow to answer efficiently and quickly this problem. This is also the whole principle of APIs and instant payment: make possible the instantaneity of both execution and control of payments.


The issue of security is to be treated as any challenge of a company. No industry has ever developed to the detriment of security and especially the latter has never prevented innovation and support for changes in society. On the contrary, an insecure innovation will not be used and therefore will not add any value. But it is the rate of use and the level of profit that makes the success of an innovation.

2018 – A new world of possibilities for payments


This post is also available in: Français