Application program interfaces, or APIs, have been in use for decades and are present in any system where modern technology is used. The payments industry is no exception, and various fintechs and third-party providers are racing to offer solutions for financial institutions to integrate newer and better API platforms into their business model. The speed with which technology and the industry are advancing is unprecedented. How can corporates keep pace with the market and adopt an API-first approach in the payments space that will benefit both companies and their next generation of end-users?
To answer these questions and discuss other key issues concerning APIs, PaymentsJournal hosted a recent webinar titled APIs – Driving the Next Wave of Payments Innovation. In the webinar, expert speakers Soumya Johar, Director of Strategic Alliances and Partnerships at Opus Consulting Solutions; Karl Mattson, Chief Information Security Officer at Noname Security; Jordan Esbin, Head of API and Developer Experience Products at FIS; Gunnar Stoa, Distinguished Solution Engineer at Mulesoft; and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group, offered additional insight into how to build and integrate effective APIs.
“Integration is the need of the hour”
The payments industry is in the midst of a massive transformation. On the front end, consumers expect more personal interactions, and on the back end, new alternative payment solutions are cropping up left and right—faster payments, cryptocurrencies, Venmo, just to name a few. Within financial institutions, business managers are responsible for finding solutions to every new problem, but they will often direct their efforts toward their own specialized business areas. This inevitably creates data silos, where, for example, one person will be responsible for core banking, another for digital channels, and yet another for fraud prevention.
“What happened over time,” Sloane noted, “was that we saw a tremendous focus on doing data integration and analytics to be able to share data that originated in one of the silos with all the other silos that could benefit from having access to that data.” When data is easily shareable, businesses have a more complete picture of their operations, which leads to better strategy decisions. “What that doesn’t do,” Sloane qualified, “is take care of integrations that are necessary and critical for functions to be used across the silos.”
The solution? Centralized API management platforms, which will simplify integrations, improve data sharing, and better manage the connections businesses make with their partners. “With embedded finances,” Esbin added, “we see this as being highly verticalized.” Vertical integration leads to higher transparency and better outcomes for everyone. Esbin summarized how FIS sees five core foundational pieces of API innovation: security, data insights, simplicity, as-a-service, and integration flexibility.
One of the key problems with integrating APIs is that there are so many new options for companies to choose from. “They’re oftentimes very industry-specific,” said Stoa. Organizations naturally have a strong desire for effective solutions that can be executed at great speed. “It’s as easy as just saying yes to a web form or signing up for a new system,” Stoa continued. “But what has happened in doing so, is that we now actually see this proliferation of systems of data being created.” IT today spends 80% of its time integrating, not innovating, and traditional integration approaches can’t keep up. By rolling out new functionality fast, companies inadvertently create a requirement to leverage that information to integrate disparate systems together—particularly in a way that is reusable in the future.
APIs should be highly secure, regularized, and customer-centric
APIs were the target of 40% of all web attacks, according to Gartner research, and Gartner expects API attacks to constitute the single greatest cyberattack type next year. “The API security posture itself, perhaps not surprisingly, sometimes lags behind our ability on the business and technology sides to adopt these technologies,” said Mattson. He outlined Noname’s four security protection principles: discover, analyze, remediate, test.
“An API security misconfiguration, if publicly exposed, may be a singular failure point that creates a significant downstream effect,” Mattson elaborated. If, for example, an API is developed for internal use and then years later exposed for public consumption, the API's original design expectations would not apply to the new paradigm, and the API would both be ineffective in meeting the needs of the consumer and act as a direct line into data breaches.
To protect against vulnerabilities that attackers could exploit, Noname conducts regular analysis and testing of its APIs. “Most of us who have worked with APIs before probably have been accustomed to penetration testing APIs, which is fantastically effective,” said Mattson. “However, when we’re talking about an API footprint that may, in many organizations, come to thousands and even tens of thousands… manual testing efforts towards APIs become very difficult to scale.” As a result, Noname integrates with public cloud services to gain a vantage point into API traffic as it occurs, and pairs that visibility with behavioral analysis and continuous, automatic analysis, detection, remediation, and testing. API security assessments should conform to the contours of the organization, rather than the organization having to conform to the contours of yet another tool.
The consumer, however, is ultimately the center of the payments universe. “As you start maturing in your API journey, you start to look at APIs like a product,” Johar emphasized. Consumers have more options than ever, between digital wallets, RTP (real-time payments), account-to-account transfers, contactless payments, and more. To meet the needs of the consumer, some structure governing API reusability will eventually push innovation and enable new services to be offered to clients. “Innovation and speed need to be balanced with all the strict regulations and laws both at a global and local level, while at the same time managing intricate relationships between the partners. Opus’ payments API orchestration framework, Paysemble™, is our homegrown IP that can help clients accelerate their API-led transformation journey so they can be on the leading edge of innovation,” Johar explained.
APIs, properly utilized, can even be monetized—by consolidating and integrating data, leading to a better view of each customer and which holistic solutions will work for them. However, the future of APIs may look quite different depending on where you live. In the EU, payments are governed by PSD2 (Revised Payment Services Directive), which outlines rules for the purpose of integrating and protecting the European payments market. The U.S. has no such government mandate. “As a result,” said Sloane, “we’ve seen [U.S. financial institutions] driven by business opportunity… The U.S. has kind of taken the lead in innovation around API usage.” Johar added: “Europe is leading by five years as compared to the U.S. in terms of standardization, and the U.S. is leading by five years compared to Europe in terms of innovation.”
Learn more about how to approach APIs
In the recent webinar hosted by PaymentsJournal, Johar, Mattson, Esbin, Stoa, and Sloane discuss several additional nuances of API innovation, including:
- Decoupling complex legacy systems and new systems to create robust APIs.
- Opus and Mulesoft’s partnership around Paysemble™ APIs.
- How to decide which APIs to prioritize.
- How APIs yield speed and flexibility for next-gen payment platforms.