Have smartcards had their day? Exploring alternatives for secure Bacs payments
Liz Carroll, Senior Product Manager, Financial Marketplaces at Finastra
Smartcards, embedded with integrated chips to store digital certificate data, are widely used in corporate payments for their security, convenience, and efficiency. The UK’s Bacs payment system has used smartcards to facilitate corporate access since the switch to Bacstel-IP in 2003. While smartcards offer great security, they can sometimes feel quite outdated and clunky in this era of streamlined technology.
As we’ve moved into a hybrid working environment, using smartcards has become challenging: each submission must be authorised manually, with the card and reader physically to hand. This is where flexibility has become the biggest driver of technological innovation.
While smartcards have served businesses well with robust security, their limitations in flexibility are becoming increasingly incompatible with the evolving demands of today’s digital landscape.
Smartcards require specific hardware and software, making integration with existing systems and adaptation to new technologies challenging. This rigidity has become a significant challenge in an era where seamless integration and adaptability are paramount for efficient business operations. As companies increasingly demand scalable and future-proof solutions, the need for alternative and modern methods has never been more pressing.
What’s the alternative?
For those seeking increased flexibility, a Hardware Security Module (HSM) could be a good option. HSMs are used to secure a multitude of financial applications around the world, ranging from ATM and Point of Sale networks to inter-bank funds transfer and share-dealing systems. In practice, a certificate stored on an HSM can be used instead of a smartcard to automate the process of signing files and submitting them to Bacs, as well as retrieving reports from Bacs.
HSM devices are secure modules that have been approved by Bacs; they store and manage Public Key Infrastructure (PKI) certificates rather than the certificates needing to be stored on smartcards. HSMs mean no more smartcards (except optionally for backup purposes) while still being able to maintain the required level of security. There is added flexibility as a business is not tied to a particular operating system or browser, juggling different software for different banks, or having to remember to transport the smartcard and reader around.
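The automation described above rests on one property: the application hands a digest to the key holder and gets a signature back, and the private key never leaves the smartcard or HSM. The following is an added example, not Finastra code and not the Bacstel-IP file or signature format (which this page does not describe). It uses Go's crypto.Signer interface, which is the shape that PKCS#11 wrappers for HSM-held keys expose, so the signing routine is the same whether the key is the software key generated here or a module-resident one; the submission file and its contents are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleSubmission is a constructed stand-in for a payment file awaiting
// submission. It is not a real Bacs file and its layout is illustrative only.
var SampleSubmission = []byte("EXAMPLE-SUBMISSION,SUN=000000,PAYMENTS=3,TOTAL=1500.00\n")

// SignSubmission hashes the file and asks the signer for a signature over the
// digest. The signer is anything that satisfies crypto.Signer: a software key
// (used below), a smartcard, or an HSM-backed key behind a PKCS#11 wrapper.
// This code never sees the private key; it passes a digest in and receives a
// signature back, which is the property that lets the key live inside an HSM
// and be used for unattended signing.
func SignSubmission(signer crypto.Signer, file []byte) ([]byte, error) {
	if signer == nil {
		return nil, errors.New("no signing key configured")
	}
	digest := sha256.Sum256(file)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifySubmission is what the receiving side (or an audit job) does:
// recompute the digest and check the signature against the public key
// taken from the submitter's certificate.
func VerifySubmission(pub *ecdsa.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// NewSoftwareKey stands in for the HSM in this offline example. In a real
// deployment this is the one function you would replace with a handle to
// the module-resident key; nothing else in the file changes.
func NewSoftwareKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	key, err := NewSoftwareKey()
	if err != nil {
		panic(err)
	}
	sig, err := SignSubmission(key, SampleSubmission)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine file verifies:", VerifySubmission(&key.PublicKey, SampleSubmission, sig))

	// A single altered digit in the total must fail verification.
	tampered := append([]byte(nil), SampleSubmission...)
	tampered[len(tampered)-5] = '9'
	fmt.Println("tampered file verifies:", VerifySubmission(&key.PublicKey, tampered, sig))
}
```

The point to take from this is in NewSoftwareKey: the signing and verification logic is written against an interface, so moving the key from a smartcard to an HSM (or keeping a smartcard as the backup the article mentions) is a configuration change at that one point rather than a rewrite of the submission pipeline.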
How this works in practice
Once the decision is made to switch from smartcards, the next consideration is whether to set your Service User Numbers (SUNs) for indirect Bacs connectivity, or continue with direct methods. Direct connectivity involves using the SUN to connect to Bacs, while indirect connectivity uses a Bureau User Number (BUN). A BUN can be managed in-house or a Bacs bureau can be used to facilitate connectivity. Each approach has its benefits.
With direct connectivity or when using an in-house BUN, users need their own HSM certificate, which incurs financial costs from the bank. Additionally, automation is required to use these HSM certificates for signing data and connecting to Bacs. If the Bacs supplier has provided an on-premise solution, users also need HSM devices, leading to technical complexities and ongoing maintenance costs. For large submitters, these factors may not be significant, but for smaller submitters, they could pose financial or resource challenges.
With a bureau’s BUN, the bureau covers the cost of HSMs and certificates, so it’s important to ensure they have strong disaster recovery measures, like dual power supplies and multiple data centres. Indirect submission provides access to the bureau’s disaster recovery facilities, along with flexibility in authorising submissions. Depending on company size, a sensible approach might be a hybrid solution: maintain the SUN directly while also linking to a bureau’s BUN, using the bureau’s BUN as standard, with smartcards as backup if there are issues with the HSM certificate, the BUN or the bureau.
Ensuring security during infrastructure changes
Maintaining the same level of security is crucial when implementing technological changes. To achieve a comparable level of security to that provided by smartcards, Single Sign-On (SSO) or Multi-Factor Authentication (MFA) should be considered. SSO enables organisations to manage security profiles centrally, while MFA adds an extra layer of protection by requiring multiple forms of verification beyond just a password. Integrating an industry-recognised authenticator is an excellent way to incorporate MFA.
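The page does not say which authenticator it has in mind, so the following is an added example, not Finastra's implementation: a verifier for time-based one-time codes (RFC 6238 over the RFC 4226 HOTP construction, with SHA-1), which is what the common authenticator apps generate. It is the server-side check an access portal would run after the password step. The shared secret is the one from the RFC's published test vectors, used here only so the output can be checked against them; the one-step skew window and the constant-time comparison are the two details a practitioner has to get right.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// HOTP computes an RFC 4226 one-time code for a counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix()/stepSeconds), digits)
}

// VerifyTOTP accepts the current step and one step either side to absorb
// clock skew between the authenticator and the server, and compares in
// constant time so the check does not leak how many digits matched.
func VerifyTOTP(secret []byte, candidate string, now time.Time) bool {
	base := now.Unix() / stepSeconds
	for delta := int64(-1); delta <= 1; delta++ {
		step := base + delta
		if step < 0 {
			continue
		}
		expected := HOTP(secret, uint64(step), 6)
		if hmac.Equal([]byte(candidate), []byte(expected)) {
			return true
		}
	}
	return false
}

func main() {
	// Shared secret from RFC 6238 Appendix B (a published test value, not a real credential).
	secret := []byte("12345678901234567890")
	fmt.Println(TOTP(secret, time.Unix(59, 0), 8))         // RFC vector: 94287082
	fmt.Println(TOTP(secret, time.Unix(1111111111, 0), 8)) // RFC vector: 14050471
	fmt.Println(VerifyTOTP(secret, "287082", time.Unix(59, 0)))  // true
	fmt.Println(VerifyTOTP(secret, "287082", time.Unix(89, 0)))  // true, previous step still inside the window
	fmt.Println(VerifyTOTP(secret, "000000", time.Unix(59, 0)))  // false
}
```

In production the secret would be stored per user, a code accepted once would be recorded so it cannot be replayed within the window, and the whole check would sit behind the SSO layer the article describes rather than in the payment application itself.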
Is this the end of smartcards?
The integration of HSMs presents a strong alternative, offering not only enhanced flexibility but also maintaining the high security standards businesses require.
Moving forward, organisations must evaluate their infrastructure needs and choose solutions that not only meet current demands but also future-proof operations against technological advancements. The future of secure, frictionless Bacs payments lies in embracing adaptable, scalable solutions like HSMs, ensuring that as technology advances, businesses remain at the forefront of innovation without compromising security.