Protectoria: Secure digital communication on the mobile platform – Trond Lemberg
Keeping mobile banking and payments secure has been the talk of the industry for years, and with the passing of the European Union's Directive on Payment Services (PSD), financial institutions are held even more liable when breaches occur. Protectoria CEO Trond Lemberg discusses this new frontier in banking cybersecurity and how his company's mobile app can help create secure, open and usable digital communication.
Payments are getting faster. With mobile banking and the advent of mobile transactions, from Apple's iPay to Samsung Pay, customers can spend on-the-go faster than ever before. But as money transfers get even quicker and can happen on more devices, clients leave themselves increasingly vulnerable to hackers and data breaches across multiple platforms.
"Mobile banking requires mobile security solutions and raising the requirements of the user journey," says Trond Lemberg, CEO of Protectoria, a provider of solutions for secure authentications, transactions and email.
Protectoria was founded in 2005 by Lemberg, then a serial entrepreneur with over 20 years experience working in the security market. Supplying a range of different solutions to protect banking clients' transactions, the company's main contribution to financial security is the mobile phone secure application layer: a single smartphone app delivering what Lemberg argues is convenient, compliant and hassle-free transaction security and authentication protections.
"Imagine that you can take 100% advantage of all the emerging mobile payment business opportunities in the market," he says. "Customers can experience the good feeling of continuously being in 100% end-to-end control over mobile payment transactions, now and in the future."
The inner workings
It works with any user in possession of a compatible device, and is self-contained, adaptive relative to threat levels, as well as being resistant to tampering. The Protectoria Secure Mobile Platform offers a transparent, cryptographical solution for transaction security; it also includes a unique invisible watermarking of displays. It protects all information between what a payment transaction server generates, and what the end user actually sees and authorises.
"We became interested in the mobile banking and the mobile payment industry because we see that the payments need to have a higher security level than most of the market offers today," says Lemberg. "Generally, there are weak front-end security mechanisms for payments today, but there are often very good back-end mitigation tools, that can be used by current service providers.
"It's a single-device security mechanism - that's the easiest way to think about our technology; there are no extras on the mobile; it is all completely protected within our own application security level."
According to the directive
The European Union's Directive on Payment Services (PSD) is having a major impact on how Protectoria does its work and is a major pull for clients - the company has recently taken steps to provide compliant transaction security solutions to align with the new rules. The PSD provides the legal foundation for the creation of a single market for payments across the EU, creating a fixed set of rules that apply to all services across the region.
"As an independent security vendor of software, we see this as a good opportunity to provide novel patent-pending mechanisms," he says. "We make it possible, in a very user-friendly way, to meet the new compliance criteria that regulatory bodies now enforce on the industry."
First outlined by the European Commission in 2013, the PSD proposals were designed to deal with the dynamics of how payments are changing: businesses increasingly let clients access all kinds of accounts, from credit cards to current and savings, on a single aggregated online portal. Under the new rules, businesses that look after and host the client's information (usually a bank or a credit institution), must provide these third parties access to their customers' information, provided they have given their explicit consent, of course. Banks, then, are prohibited from placing restrictions on third-party account information access, and from adding extra charges for third-party charges or treating them as a lower priority - all payments are created equal, in other words.
Access in the right areas
This also ties into other things going on in digital banking. Increasingly, the bundle between bank accounts and payments are being split up, giving third-party payment service providers legal access to customers' accounts.
"So that's opening up for much more competition in the payment market," says Lemberg, arguing that the new rules also apply across borders the EU shares with non-EU nations.
In essence, the PSD represents a shifting of responsibilities, and what interests Protectoria's work in particular is the liability shift included in the directive: if a risk and payment service provider doesn't fulfil the strict authentication requirement now expected of them, they are entirely responsible for the security of the transfer.
"This is all about taking a new role," says Lemberg. "With a new liability shift/security regime of payments in competition with other providers and even a possible competing model operated by the customer themselves."
The perfect policy
The new rules also bring in a new degree of transparency. The customers and the banks they work with are entitled under the new rules to receive information from their payment service providers about the charges being placed on their transfers.
Another key trend is cross-border instant payments, where a banking client can forward a payment to any party within the European Union and assume that it will be delivered within seconds, as opposed to several hours or days. This is great for customers - payments can be much quicker, but it can make them more vulnerable. The industry, then, needs newer, more efficient security mechanisms in the front end so that payments can be processed more efficiently and deliver on schedule as quickly as possible.
So where does Protectoria come into all this? Lemberg says his job is to help traditional and new payment service providers (PSPs) to control risk and generate new streams from payments once this shift to new PSPs takes place.
"Merchants can now step up and be the PSP," he says. "So we help clients get secure deliveries and help parties that want to meet that directive.
Also crucial to Protectoria's work is helping banks keep up-to-date with these developments and making sure that the company is listening to the security challenges their customers are increasingly facing, and Lemberg argues that those that don't stay on top of things risk being left by the wayside.
"Banks with a modern and innovative view on business, with a cost-effective setup and a reasonable risk appetite may be relevant, will have a good winning over the competition," says Lemberg. "Old dinosaurs with limited culture of thinking outside the box will face huge problems, being forced into being just a utility service for other payment service providers."
The most interesting aspect of this shift in liability, according to Lemberg, is that more merchants will be able to be in full control over the value chain of their payments, and the purchase experience, including payments, will be totally controlled by the merchant themselves.
"It's possible for merchants to streamline the purchase experience 100%," he says. "And that also includes a loyalty programme and so forth, which is often a pain in current schemes. But here is where the new big opportunity lays for merchants' banks of fitting perfectly into a joint operation the merchants-based PSP. This, by delivering the bank's core business of reducing complexity based on the new payment trends, opens up the bank's landing space of the new direct debit e-mandates and generally reduces the operational and financial risks from the shoulders of merchants-based PSP.
Sign right here
Many of Protectoria's key customers at the moment also want to introduce digital signatures as the go-to security mechanism of the emandate direct debit scheme, now a prominent customer prospect Lemberg is working on.
"This is because the direct debit competes very efficient with credit card payments," argues Lemberg. "Credit card payments for merchants are very expensive today, and there will be more efficient and cheaper ways of producing payments after the implementation of the directive."
The world of banking and finance is now fully digital, and this means that, as systems are increasingly vulnerable to intrusion and payments take place over increasing numbers of platforms, providers are under more pressure by authorities to adopt stringent measures to protect their customers.
"Being a solution provider for secure authentication and authorisation for banks forces us to listen to the needs of the banks and their clients," says Lemberg. "We have developed our solution to embrace the need for usability, mobility, availability and an optimised customer experience."