Considerations when choosing between Software as a Service(SaaS) or Software for Purchase (SFP)

Considerations when choosing between Software as a Service(SaaS) or Software for Purchase (SFP)

January 25, 2018 News 0

Abstract
Within the consumer driven, on-demand transformation occurring in financial services today, instant issuance has emerged as a key centerpiece to meet evolving customer preferences at the branch-level. The 21st century consumer wants a debit or credit card that does it all and can be inside their wallet within the span of a short visit to their financial institution. For banks and credit unions, implementing and delivering the “magic” of instant issuance to customers requires a number of considerations, with one area being particularly critical to their success: the ownership of the server that stores secure data and programs new cards. There are two main solution models to choose between in this regard – Software-as-a-Service (SaaS), where the data is maintained in a secure cloud-service offered by the instant issuance supplier, and Software for Purchase (SFP), in which the institution owns the server and software. This white paper from CPI Card Group® provides information and insights on the various factors to consider when assessing instant issuance via a SaaS platform vs. a purchased and custom-built SFP platform, and helps financial institutions to determine which model is the best fit for their organization.

The Magic Behind the Financial Institution
Branch transformation involves significant skill and what may appear to be magic at times. Financial institutions are required to implement technologies, with great finesse, to produce instantaneous services – digital, mobile, cloud service, and more. To cardholders, it can seem as if a wand is waved and these services magically appear, but to the financial institution, there is a myriad of solutions to navigate and options to consider in order to remain competitive while maintaining cost-efficiencies. Doing it all and meeting an ever-growing list of regulations can feel overwhelming.

There’s effort and a bit of magic behind the scenes going into the issuance of debit and credit cards – from sophisticated card body construction and design to magnetic stripes and chips with integrated circuits and RFID transmitters. Cards need to meet brand certification and durability standards and they need to be visually appealing to maintain top-of- wallet status. Financial institutions that are truly at the forefront of branch transformation are bringing in powerful resources to fulfill emerging expectations of cardholders, accommodating new, on-demand preferences, because today’s cardholders not only want a card that does it all – they want it instantly.

In the branch of the future, an instant issuance program is an easy fit that can make any bank or credit union appear magical. With the rise of encryption technology and relaxation of past embossing rules, financial institutions have realized that instant issuance is a way to position themselves as magicians offering working debit or credit cards from day one of account opening. However, building an instant issuance program from the ground up can seem like a daunting task, with questions that must be addressed right from the beginning.

Before getting to those questions, however, issuers must set some foundational standards for their program. The program they build should be customer-centric, reduce operational expenses, and as if by magic, begin generating revenue on day one. Once the vision for the program is established, there are deeper considerations to address.

How Do We Start?
The realization that instant issuance is a needed customer service offering is the true beginning, but once that’s understood, most teams start with vendor research. The temptation at this stage is to oversimplify by looking at the bottom line and eliminating potential suppliers based solely on cost. But cost is not the only decision point and not necessarily the most important.
In truth, there are many decisions to be made, some of which are more apparent than others. The need for in-branch card printers and printable cardstock are slightly more obvious factors, as is training for employees. Most teams enter the instant issuance discovery process with these areas primarily in mind.

One of the less obvious and often overlooked considerations in the initial review of instant issuance solutions is the ownership of the server, which stores secure data and programs the new cards. Ownership of the server is handled differently among the available solution models and is THE most important decision to make to truly support the foundation of the program. For financial institutions, there are two solution models to consider:

Software as a Service (SaaS)
an innovative technology where financial institutions choose a fully web-based solution. In the SaaS model, the software is hosted by the cloud-service supplier.

Software for Purchase (SFP)
which provides a secure server and software for purchase, outright. The software and the servers are owned and maintained by the financial institution.

So how do decision makers evaluate which of these solution models will work “like magic” for their institution? They must do a deeper dive into analyzing their current situation and needs. This white paper brings to the forefront provocative questions to consider, and provides background about important factors that come into play when deciding between instant issuance on a SaaS platform and instant issuance via a purchased and custom-built SFP platform.

Has the financial institution already completed EMV® certification?
For some banks and credit unions, an instant issuance solution can be absorbed into a larger EMV conversion project. Before a payment brand will allow an institution to begin printing EMV chip cards, financial institutions must successfully complete the EMV certification process. Through this process:

  • Institutions prove that they can print and encode cards correctly by sending printed sample cards to the payment brand for testing. For security reasons, test keys are used during this stage of the certification process.
  • Once the test cards pass the screening process, production key components are loaded onto the Hardware Security Module (HSM) in another key ceremony. A production test card is then sent to the payment brand for final certification.
  • After the final certification is received, cards can then be printed for cardholders using the institution’s production keys.

For a SFP instant issuance solution where an institution has never certified for EMV, all the steps in the EMV certification process are necessary before printing EMV cards. If an institution has achieved EMV certification for their centrally issued cards, the steps will need to be repeated a second time to accommodate the addition of the instant issuance server. Each time a new server is added, all specifications must be separately certified. SaaS instant issuance suppliers also need to extensively test the financial institution’s EMV chip set-up using test and production keys, but there are several factors that can simplify the overall certification process. The SaaS supplier may have implemented similar projects on their servers where settings could already be certified for specific chips aligned with the payment brands and processors. Checking with the instant issuance supplier in advance of the certification process may save a few steps.

Another short-cut to consider is working with a current card personalization vendor that also offers a SaaS instant issuance solution. One of the benefits of instant issuance as an “add-on” solution is that the vendor has already completed the card program certification for EMV. Not having to re-certify would save the institution in overall certification costs by eliminating key ceremonies and transfers; also, shortening the timeframe for project implementation.

Steps to Receive EMV Certification

  • Test Keys- created, securely transferred, loaded on server
  • Brand-specific EMV profile built (Debit, Credit, PIN only, PIN+ Signature, etc.)
  • Card created (for appropriate chip)
  • Send card with test keys to brand for testing and approval
  • Production Keys- created, securely transferred, loaded on server
  • Production card printed
  • Send production card for Certification/End-To-End-Testing
  • Receive production card approval
  • Financial institution can issue branded EMV secure cards

These steps are completed by the owner of the server. For SaaS instant-issuance solutions the vendor will complete, and in the case of an institution owned server, the institution owns this process.

Key implications compared:

Who is responsible for the keys?
Keys are key – the importance of the responsibilities around cryptographic keys cannot be overemphasized. All financial institutions that offer payment cards receive encrypted keys from their processor for their Bank Identification Numbers (BINs). These “production keys” must be server-accessible for each instant issuance installation, as they are accessed for every card printed and are used to calculate the correct values that appear on the card. One example of this is the CVV2 or security code that appears on the back of the card, with which a derived value is calculated with each print.

SaaS and SPF approach this area differently. Choosing between the two solution models predicts how the keys provided by the processor are duplicated onto instant issuance servers and dictates whether the keys will be the responsibility of the institution’s employees or the supplier.

In an SFP instant issuance solution, an institution purchases a HSM to store data securely and customizes the software for accessing the internal network for card printing. Key components must be securely received and downloaded by institution employees in a manner that is compliant with the Payment Card Industry Data Security Standard (PCI/ DSS) which stipulates a minimum of two employees must be designated as key custodians in order to receive separate key shipments. The keys are then typed into the secure HSM at different times and stored separately. The downloading is known as a “key ceremony”. For SFP solutions, all key control and responsibility lies squarely with the institution. All calculations using the keys occur within the confines of the institution’s network.

In a SaaS instant issuance solution, there is no purchase of an HSM or software; key management is handled by the supplier location who accepts the responsibility for security of the keys and software updates. Key components sent securely from processors are downloaded by experienced key custodian teams at the supplier who perform key ceremonies on a daily basis. Keys are then stored within facilities that meet all PCI/DSS for key control. As a card print is requested, an encrypted message travels via the internet to remote servers where the calculations are performed, and a secure print command is then sent out to branch printers.

What level of employee involvement is required?
For smaller banks and credit unions, the SaaS model can offer the same benefits as the SFP instant issuance solutions, only with fewer onboarding costs. The designation of key custodian represents just one of the employee assignments that are inherent in an SFP system. Another significant consideration is IT resources. One of the benefits of an internal server for instant issuance is that the financial institution has full control over the system. All of the IP addresses, networking decisions, firewall settings and communication protocols occur within the confines of the institution and are under the direct control of its IT staff. If there is a robust staff of IT professionals that can support the set-up, then full control can be a very attractive option.

When using a SaaS supplier, access to the service is gained using the internet. The SaaS supplier is then relied upon to direct the settings that will work best for accessing their servers and making branch printers receptive to remote print commands. Typical network installations can require Dynamic Host Configuration Protocol (DHCP) to ensure each printer is assigned a unique IP address, and a set of instructions for staff to access available internet ports. A reputable instant issuance supplier will assist staff to establish connectivity. For smaller banks and credit unions that have limited IT resources, using a SaaS solution can offer “plug-and-play” availability.

How many people need access to the instant issuance system?
There was a time when SFP instant issuance was the only option available and it was strictly a feature of large financial institutions. There was a fairly simple economic model; the costs (server, printer, cardstock, key management, HSM) had to be spread over hundreds of employees printing thousands of cards in order to make instant issuance financially viable. However, once the server is established, the institution owns the hardware and can grant access to as many users as needed. As the industry developed, the ownership of an HSM for institutions has not really changed – the costs are still relatively high in comparison to SaaS models and remain an option mostly afforded by larger banks and credit unions.

For smaller banks and credit unions, the SaaS model can offer the same benefits as the SFP instant issuance solutions, only with fewer onboarding costs. Whether the intent is to have instant issuance at one or at five hundred branches, a SaaS instant issuance program allows any number of users to log on and print cards, providing the supplier does not limit or charge for additional users.
How much time is available before the desired launch?

The last consideration concerns an element of timing. In many cases, a financial institution that commits to instant issuance has reached their decision in a rush of pressure, perhaps in response to a breach of client data or because competitors in the area begin to offer instant issuance. Issuers discover they are behind the curve and try to respond as quickly as possible. Many banks and credit unions find they need an instant issuance solution as of yesterday.

Regardless of such pressures, financial institutions still expect a measurable return on investment within a reasonable time. Instant issuance solutions document significant ROI and all suppliers are quick to highlight the savings experienced when cards are issued instantly – from implementation to mailing costs.

The day one interchange revenue experienced when cardholders immediately start using their cards upon opening a new account or in response to a breach makes instant issuance very attractive. However, as outlined previously, the capital investment can be quite different for SaaS vs. SFP.

If the goal is to start recouping some of those costs within the same fiscal year, then that should be communicated to prospective suppliers. In general, SFP packages will be custom-made to suit each institution, which takes time. Once hardware is purchased, software will be written on the new HSM after it is installed. Contrast that with SaaS solutions, where software is programmed and maintained by the supplier. Once a financial institution’s specifications are complete on the supplier’s servers, the printers are ready to install and use right away. Typically, the ramp-up of instant issuance tends to be much shorter for plug-and-play SaaS solutions.

Providing a magical and seamless experience
Audiences are too savvy to believe that magicians harness supernatural powers to saw their assistants in half, escape from chains, or to make a monument disappear. The audience understands it is an illusion, but it’s still satisfying to see it done well. The trick a magician has up his sleeve, and the audience doesn’t know, is the knowledge of the secret door, the well- placed mirror or the slight-of-hand.

When a cardholder loses their wallet, is affected by fraud, or opens a new account, a financial institution that can respond with a solution in minutes rather than days, may seem like a magician. Choosing the right instant issuance solution to perform the illusion doesn’t require supernatural powers, but rather a bit of knowledge surrounding the initial groundwork pertaining to the available models. Decision-makers tasked with finding the best fitting instant issuance system, whether it is SaaS or SFP, can appear to have a trick up their sleeve if they know how each solution model approaches the fundamentals of card issuance – and what the impact will be on financial, human and time resources.

The post Considerations when choosing between Software as a Service(SaaS) or Software for Purchase (SFP) appeared first on .

Leave a Reply