Startup success is never a foregone conclusion – with a current 90% failure rate it’s actually quite the opposite, despite all of those magical projections shown in every founder’s fundraising deck. In the world of financial services, though, there are certain things you simply must do just to get out of the starting gates and even have a puncher’s chance of being in that 10%. Because when it comes to money, data security and privacy can’t be compromised.
Financial technology startups, at their core, are data management companies. Without the confidence of their institutional partners and customers who are entrusting them with enormous amounts of sensitive data, success will always remain a pipe dream. 76% of Americans say they have more trust in financial companies when they convey their privacy practices. Execution-wise, the cognitive load that comes with any actual or perceived vulnerability to payment systems can be detrimental.
Fintech applications and digital payments are increasingly becoming a core part of our day-to-day lives, having hit 88% penetration amongst US consumers with the average US millennial using 4.3 fintech apps. And trust is the center pillar that holds it all together – any loss of trust can immediately put the company’s viability into question. But solving for data security doesn’t have to be complicated, it just has to be intentional.
Here are the four most important steps that every startup should be taking to secure their payment systems and unlock the value of their data.
Only Collect Essential Information
The first thing any organization should do is audit their existing or proposed data collection protocols to ensure that they are only collecting strictly necessary information when onboarding new users or completing transactions. The primary purpose for this is to mitigate the potential damage of a breach. But, as an added perk, limiting data collection also minimizes the risk of internal data sprawl. This can accelerate your compliance efforts, too.
To that end, it is worth noting that both the General Data Protection Regulation and a growing number of US state privacy laws now require organizations to minimize the personal data they hold to only what is necessary for the stated business purpose.
Ensure Data Security Both In-Transit and At-Rest
Wherever the source and whatever the purpose, you must ensure that the customer and business data you do collect is secure both in motion and at rest. And this is not just a matter of best practice – fintechs run the risk of losing or failing to secure the critical partnerships with financial institutions that are the underpinning of their entire business if their data security practices are not up to snuff.
The Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency have recently named data security as a major potential risk area banks must evaluate when entering into partnerships with third-parties, including fintechs who essentially operate as a switchboard of information between consumers, businesses and financial institutions. An intentional and proactive approach here, early on, can dramatically change the trajectory of the startup and solidify the overall success of the partnership.
All sensitive data transferred over a network should be authenticated and encrypted with TLS. Data at rest, meaning anything stored in databases, backups or logs, should be encrypted with a proven standard such as AES-256. Stored data remains the primary target of attackers, who can often break into a database and exfiltrate records without the system owner knowing they have been compromised.
Consider Leveraging Tokenization
Tokenization has long been the gold standard for storing payment card numbers. But fintechs often hold personal information in their payment systems that is just as sensitive, such as social security numbers and dates of birth.
By combining encryption and tokenization, which swaps raw data for a surrogate value that cannot be reverted to the original without access to the token vault, organizations can render at-rest data virtually impossible for attackers to use while keeping it fully usable for the application's own workflows.
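The two preceding sections describe encrypting stored data with AES-256 and replacing sensitive values with tokens. The following is an added example, not code from the original article or from any particular vendor, showing how the two combine: a small in-memory token vault that hands out random tokens and stores only an AES-256-GCM ciphertext of the raw value. The key, the vault layout, the "tok_" prefix and the sample social security number are all constructed for illustration; a production vault would keep the key in a KMS or HSM, persist rows in a database with separate access controls, and audit every detokenize call.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Vault maps a random token to the AES-256-GCM ciphertext of the raw value.
// Hypothetical layout: real deployments persist rows in a database and keep
// the key in a KMS/HSM rather than in process memory.
type Vault struct {
	aead cipher.AEAD
	mu   sync.Mutex
	rows map[string][]byte // token -> nonce || ciphertext
}

// NewVault builds a vault around a 32-byte key (AES-256).
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, rows: make(map[string][]byte)}, nil
}

// Tokenize encrypts raw and returns a fresh random token for it.
// The token comes from crypto/rand, not from the value, so nothing about
// the token can be reversed into the original without the vault.
func (v *Vault) Tokenize(raw string) (string, error) {
	tokBytes := make([]byte, 16)
	if _, err := rand.Read(tokBytes); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(tokBytes)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is bound in as additional authenticated data, so a row
	// copied under a different token fails authentication on decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(raw), []byte(token))
	v.mu.Lock()
	v.rows[token] = append(append([]byte{}, nonce...), ct...)
	v.mu.Unlock()
	return token, nil
}

// Detokenize returns the raw value for a token, or an error if the token is
// unknown or the stored row fails authentication.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	row, ok := v.rows[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	if len(row) < ns {
		return "", errors.New("corrupt row")
	}
	pt, err := v.aead.Open(nil, row[:ns], row[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoredContainsPlaintext reports whether the persisted row for token still
// holds raw in the clear; it should always be false for a working vault.
func (v *Vault) StoredContainsPlaintext(token, raw string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	return bytes.Contains(v.rows[token], []byte(raw))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	tok, _ := v.Tokenize("123-45-6789") // constructed sample value
	fmt.Println("token:", tok)
	back, _ := v.Detokenize(tok)
	fmt.Println("round trip ok:", back == "123-45-6789")
}
```

Two properties are worth checking against your own vault: tokenizing the same value twice must yield two different tokens (otherwise the token becomes a stable identifier that leaks equality across records), and the persisted row must never contain the plaintext, which is what the encryption layer underneath the token guarantees.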
Build Redundancies
Lastly, fintechs must build redundancies to protect against unintended or accidental loss of important personal and business data. Relying on a single bank or processor partner for all payment data processing and storage needs is highly risky from a business continuity perspective.
Building an in-house system that is fully redundant requires a major upfront investment and carries significant direct and indirect costs in perpetuity of the business. There are pros and cons, but fintechs shouldn’t shy away from considering third-party hosting solutions especially to decrease time to market.
Look Externally for Speed
While building and maintaining a secure payment system is both costly and time-consuming, there is no getting around it for most fintechs. Any business that deals with accepting, processing, or storing payment cards, especially online, is subject to the Payment Card Industry Data Security Standard, which sets stringent requirements on how payment systems should be built and maintained. Failure to secure cardholder data within a payment system can lead to serious consequences, including fines up to $500,000 per month, suspensions, additional audits, or even bans on payment processing.
And PCI-DSS violations are only the tip of the iceberg. Average data breach costs for businesses in the US were just around $10 million as of 2022.
Most startups do not have the time or resources to adequately protect themselves against these liabilities purely by internal processes or system build. Even enterprises leverage a meaningful level of external data security tools and platforms to complement their internal expertise. For startups, it is even more important to consider external options that can give an immediate boost to the security of their payment system – and pick the right partner to add to the stack.
Platform Benefits
By leveraging a third-party solution a startup is able to meaningfully reduce their risk and liability with speed and ease, if done correctly. Many platforms today can get you up and running in a matter of days. There is also something to be said about the core competencies of compliance-focused security platforms and their ability to quickly adapt to the constantly evolving regulatory landscape and proliferation of local privacy regimes.
Buying Criteria
When evaluating different providers, there are three key elements to consider:
- Point solutions for a specific requirement versus end-to-end platforms that enable future flexibility across data types, use cases and regions
- Developer-friendly integration options with comprehensive and robust SDKs and tooling such that it feels like a natural extension of your existing resources and doesn’t require your engineers to become compliance or security experts
- Full control over the data for both internal workflows and external sharing to avoid vendor lock-in while maintaining all of the benefits as if the data was residing on-premise
Startups are incredibly difficult, the multi-party payment ecosystem is highly complex, and a wave of increased regulatory pressure and enforcement is coming. Be prepared. Do not blindly start building internal systems that meet current requirements but lack future flexibility for your product and business. Achieving redundant and secure payment environments can be surprisingly quick and affordable with the right mindset. The topic du jour for the past 10-15 years has been the unbundling of financial services, but I am particularly excited about the next 10-15 years and the innovation that will come from rebundling these various products and services into unique customer experiences for all demographics.