Using APIs for payment: a trade-off between openness and security

The term API has become trendy, especially in the financial ecosystem; however, application programming interfaces are nothing new. A driving force behind financial technology (fintech) companies, APIs are at the heart of payment service providers’ digital transformation. In fact, APIs are more important due to their mission-critical role and their tendency to help businesses grow faster.

Do APIs control the world of payment?

The purpose of an API is to act as an interface between two applications while remaining transparent to end-users. An API allows two pieces of software to interact and exchange information.
Often compared to Legos, APIs use an architecture that increasingly relies on micro-services. This makes it possible to create new, more segmented applications, which are simpler to scale up and maintain. In the early stages, APIs require significant preparation and implementation but this work eventually pays dividends for businesses.

In the payment world, APIs now occupy centre stage, playing a key role in so-called Open banking. In fact, banks that are major players in the world of payment must now provide access to transactions conducted on their customers’ accounts.

Boosted by the enforcement of the European Payment Directive (PSD2), APIs are opening banking systems to the outside world by providing new services such as:

Providing central access to balances and banking operations;

Querying a customer’s bank to make a payment;

Allowing instant transfers.

APIs, a new strategic focus

PSD2 has transformed and opened up the world of banking, and APIs are the communication standard. APIs save businesses time when they bring a solution to market. Thanks to the newly defined API standard, any project that used to take several years to go into production now only takes a few months.

Open banking, which has emerged with PSD2, offers many advantages. For instance, a third party can now connect to a bank without having to develop a myriad number of systems to connect to a host of banks. PSD2 has thus helped to establish a single standardized system that allows access to information in all partner banks – a real gain in productivity and efficiency for third parties.

APIs have accelerated all the changes within the interconnected world. Moreover, PSD2 is forcing banking institutions to open up their IT systems. APIs are the main tactical tool of PSD2 for promoting trade and online payment. The European directive is indeed providing solutions to change the world of payment, notably with the explosion of marketplaces and banking monitoring services.

Along with APIs, a need for enhanced security

The hot topic of 2019 will inevitably be how APIs evolve in terms of security.

Because APIs are the key to ecommerce, they are especially vulnerable to internet piracy. Tackling rampant cybercrime is not easy. There is a trade-off between an open world, replete with APIs, and one bound by security. Using security by design is mandatory in the payment world. It would be too risky to implement an API without anticipating the security risks to IT architecture.

As we stated above, using APIs is a gain for business but strict security rules must be maintained to fight piracy at all levels of interaction. Another important concern is employee awareness; personnel should receive special training. After all, the weakest link in fighting cybercrime is often human.
Employee concerns aside, a business must provide for data encryption, restricted access, regular change of login information, etc. Though hackers pose less of a threat to today’s better protected IT systems, they can still pirate an API and impact the overall security chain.

Things to keep in mind

In conclusion, all companies should be adapting their IT to offer better and faster services. This goes especially for banking institutions who are most affected by PSD2. But considering the heavy security challenges facing companies at all levels, they must seek a trade-off. This calls for serious reflection on how to handle the data balancing act: IT operational security vs. the open availability of data.

About Grégory Boulanger

Expert in Information Systems architecture and management, Gregory Boulanger is R&D Product Manager at Limonetik. He started his career in 2010 as a Web developer and became trainer on web and mobile project design and computer science and advanced techniques in 2012. Before joining Limonetik in 2015 as a Product Owner, Gregory was Android application creator at KeepSmile and Digital Project Manager.

 About Limonetik

Limonetik is a payments aggregator whose services are dedicated to Acquirer, Gateways, Tier 1 marketplaces and international merchants. The company offers B2B & B2C personalized payments solutions ranging from processing to collecting of +125 payment methods worldwide, directly or in white label. Limonetik accompanies the international presence of its customers; especially regarding real-time local payments and for both digital commerce or in store via POS terminals. Limonetik is the guarantee of regulation compliance.