Open development techniques have contributed to a boom in online and mobile commerce by making it possible for more applications to interact with one another, but now more attention is being devoted to how fraudsters exploit these systems at merchants, payment companies and card issuers.
"These new attacks are very innovative and require quickness," said Steve Platt, global executive vice president of fraud and identity for Experian.
One way to respond to fraudsters with speed and flexibility is to use an application programming interface (API), or a set of technology tools that allow other developers to quickly add new functions, according to Platt. In Experian's case, the API is part of CrossCore, a new service introduced on June 1 that uses a single access point to integrate technology from different providers to address different dangers.
Experian has partnered with third parties such as Acxiom, which manages identity risk; TeleSign, a company that manages two-factor authentication; and other partners, Platt said. Many of Experian's clients have security partnerships that can also make use of the API for easier integration with systems that handle payments processing or card issuance.
"For a credit card, the origination system, fraud, 'know your customer,' decisioning and fulfillment are all handled with a single sign-on that can be modified based on threats and regulatory changes," Platt said. "There's no single place to find all of these and we don't pretend to solve every fraud problem."
Experian's fees for CrossCore are based on usage, similar to a Software as a Service model. The API is designed to avoid long-term IT projects that combine disparate systems to manage security risks for financial services. In payments, this would include tasks such as mobile and online security, fraud monitoring, money laundering rules compliance and identity protection.
"Organizations have done this by pulling together different systems and doing all of the coding to build an enterprise fraud platform," Platt said. "The API can support protocols to communicate, so the company doesn't have to recode applications."
The high-profile data breaches over the past couple of years, starting with the large 2013 breach at Target but hardly limited to that retailer, have heightened awareness not only of security but also of how diverse and fast-moving the risk is, according to Platt.
Other industry experts have weighed in on the need for companies to beef up security as transaction access points expand to include a higher volume of smartphone payments, as well as payments executed by Internet-connected devices such as smartwatches and high-tech refrigerators.
APIs and software development kits have been a substantial help to online merchants that use the tools to quickly add a payments interface, and have led to successful business models for companies like Stripe and WePay.
But the use is starting to spread beyond adding checkout pages for e-commerce sites, and can include broader merchant services and business application integrations for retailers and payment companies.
The typical technology stack is very "hybrid" in nature with different systems interacting with each other as updates are made over time. That contributes to complexity and tough integrations to accommodate advancements such as mobile transactions and the corresponding security risk, according to David Albertazzi, a senior analyst at Aite.
"Now, with the importance of real-time transactions there's a need for real-time communication and a lot of institutions are opting for APIs," Albertazzi said.
Open development can also be particularly helpful for issuers that want to maintain control over the user experience for multichannel transactions, but do not want to build new platforms or security systems from scratch, Albertazzi said. "This new environment has to be secure, but it has to be built fast."