Combining innovation and security in payments tech

There's no trade-off.

Written by Mustafa Kasmani
27 July 2020


Stereotypes can be persistent and pervasive. They can also be wrong. Take security vs. innovation. Stereotypically, security avoids risk while innovation embraces it, so surely the two are mutually exclusive, right? Wrong, says Mustafa Kasmani, a Senior Security Specialist. Here, he argues that Access Worldpay's experience demonstrates that it's not only possible, but necessary, for them both to work together.

Since Worldpay from FIS is not a security company but a payments company, security is simply a means to an end - it's how we keep our data, systems and processes safe. This involves a balance. After all, a system that's doing nothing, connected to nothing, is entirely secure. For a payments company, it's also entirely useless. That system can't connect shoppers with merchants, acquirers, banks and other financial institutions to process the billions of dollars that flow through its systems each year.

Therefore, we need to be connected; equally, however, all those merchants, banks, acquirers and others must trust our systems to keep their dollars completely secure if they're to let them flow through those systems at all. There's the balance: between investing resources in security and investing in new, innovative, revenue-generating services that add value to our customers.

Redefining the relationship

But if there's a balance to be struck, surely there must also be trade-offs? Wrong again. It depends on how you treat security within software development. Traditionally, the relationship between them could be confined to as little as the annual PCI penetration test. Too often, this requires all other product work to be put on hold for months in order to focus on fixing the issues raised by the test and to collect evidence for the auditors.

However, Access Worldpay operates an Agile approach to development, running multiple squads that bring new releases to market in ever-shorter time frames. Quite clearly, this methodology wouldn't work with the traditional approach to security concerns - another way was needed.

Quality includes security

The solution was a natural corollary of Access Worldpay's core ethos: to be innovative but always, relentlessly, focused on quality. We treat service quality as a first-class citizen that's fully equal to product requirements. In the payments business, service quality necessarily includes security. Therefore, security concerns cannot be addressed solely as an afterthought, when we're close to release, but as an integral part of a product's design and development from its earliest stages.

As a lead member of the Application Security team, I've been closely involved with this process and have seen exactly how Access Worldpay marries innovation and security. And it starts at the top, with leadership buy-in.

Engaging the leadership

Whenever there's a bunch of urgent things to sort out before a given deadline, security matters can take a back seat - unless leadership is fully engaged. Access Worldpay's leadership team meets the three security teams covering Application Security, Cloud Security and PCI compliance every fortnight to discuss progress and forthcoming projects. They also make a point of meeting senior security leaders in FIS whenever they visit from the US. Demonstrating new work and discussing key challenges like this keeps everybody informed. More importantly, from my perspective, it simultaneously advances the security agenda and improves Access Worldpay's suite of products overall.

Finally, as evidenced by our adoption of new tools to scan software and containers, leadership buy-in brings action. A decision to support a proposal from the security team permeates through the rest of the Tribe and helps promote its uptake among the relevant engineering teams. It also reinforces our culture of wanting to get things right first time and the importance of embracing partnerships and avoiding silos.

Finding Security Champions

However, our central partnership is with the engineers themselves. This has helped us to create sufficient trust for the entire Tribe to fully understand the importance of secure design and coding. We reinforce this through practical measures such as training, threat modelling and extensive testing - dynamic system testing, cloud security testing, penetration testing and many more besides.

Our Security Champions Programme helps, too. In this, we identify engineers who are passionate about security and help them to become advocates for security initiatives within their teams. The Programme also establishes a point of contact between each development team and the central Application Security team, making it easier and faster to identify and address concerns before they become problematic.

What have these partnerships delivered? An environment in which security issues are addressed whenever and wherever they are discovered. This can happen within design reviews, during development, threat modelling, production container and cloud scanning, or through automated security scanning within the build pipeline when initiating a pull request. Given the challenge of securing a huge number of different applications within an Agile delivery framework, this ability to embed security considerations and improvements is nothing less than mission-critical.

Asking new questions

Part of Access Worldpay's original remit was always to take a fresh perspective and ask different questions in order to create a new way of working - one which rigorously concentrates on service quality. In this same spirit, we should perhaps move beyond the old stereotype that questions whether innovation is compatible with security. Instead, I would suggest that it's far more useful to ask whether success can happen at all without the two working hand-in-hand. That's because Access Worldpay's experience suggests that not only is it possible to combine innovation and security, it's necessary, too.