The Executive Interview Series provides readers with exclusive insights from movers and shakers in the payments industry. The Payments Industry is under continuous transformation, as such this series provides diverse perspectives on everything from strategy to payments technology and to the future of the industry.
In this interview, TSG’s Consulting team-member Zach Spellman sat down with TSG’s Senior Associate Cliff Gray to address areas of his expertise in payments and where he sees the industry heading.
Background: Cliff Gray is an expert in electronic payment systems, transaction processing, and the acquiring space. He is a leading authority on large-scale, high-performance payment system design, including network infrastructure, platform and software architecture, system security, and industry compliance.
Cliff was an industry leader in establishing payment integration programs for Envoy/First Data, developing technical and business relationships with providers such as Verifone, Micros, NCR, and IBM. As the internet revolutionized payments, Cliff provided payment architecture insight to new eCommerce ecosystems, as well as payment networks retooling to a quantum leap in transport capabilities.
Q: TSG’s Zach Spellman
Tell me more about your background and some of your prior roles and experiences in the payments industry.
A: Cliff Gray
My career in payments began at Envoy Corporation by exposing payment functionality to third-party integrators as a new business model. Following that role, I remained close to the mechanics of payments as I transitioned into a product and business development role with First Data, then as a payment architect for ClearCommerce during the eCommerce boom. This work has proved foundational in my current roles working with development communities, networks and financial institutions as APIs have become ubiquitous in how payment players interact.Throughout my career, a rare constant has been the wild-west nature of the industry, the constant change in technologies, threats, and even the data itself. As such, my engineering background and pragmatic nature has proved to be a good fit for this industry.
Q: TSG’s Zach Spellman
You have played a significant role in the evolution of electronic payments in the eCommerce space. What were some of the more challenging barriers you had to overcome in your career to help drive innovation for online payment acceptance?
A: Cliff Gray
Far and away, the greatest challenge has been getting the legacy payments infrastructure (processors and protocols) to work in the cloud. Understandably so, an established industry that had long been managing high risk behavior and highly sensitive data was being asked to embrace communication methods that were insecure by design, and measurably less reliable than existing infrastructure. After remaining a decade or more behind most other industries when it came to integrating internet protocols (TCP/IP v. X.25) and modern commerce constructs, a new generation of developers and mobile platforms have emerged at the heart of pushing leading industry players to catch up.Payment-data security has of course remained a challenge throughout my career. When faced with the reality of a growing list of security threats, one resolution is making real headway in the payments ecosystem by rendering data harmless while in-house rather than having to trust third parties to secure it. Instead of trusting merchants and their technology providers to behave securely, processes such as tokenization, hardware encryption, the PCI DSS, and financial-industry policies have produced whole marketplaces of products and services that keep any/all dangerous data out of the merchant’s hands.
Q: TSG’s Zach Spellman
There have been a lot of discussions on cryptocurrencies and their influence in the payments industry in recent years. Do you see cryptocurrencies playing a more prominent role in payments in the next five to ten years, or will they be hindered by too many overarching barriers for mass public adoption and real-world use?
A: Cliff Gray
I believe the future lies in blockchain technology more so than a given coin. One day, some coin (likely not Bitcoin) will wed the right business model to the right blockchain which will truly threaten the status quo of open loop brands and the interchange model. For real-time payments, those are real challenges that will take some real time to achieve. A highly tuned blockchain that can reliably support sub-second response times is likely years away but could emerge sooner than decentralized finance can overcome the monolithic issuing/acquiring ecosystem. Regardless, the cryptocurrency industry will have removed much of the friction in spending and sending coins by then, but whether that factor alone proves enough to drive significant usage remains to be seen.In B2B and other markets not requiring real-time authentication/authorization, cryptocurrencies like Cardano (ADA) and modern protocols like ISO 20022 are already gaining traction especially in foreign exchange scenarios where traditional fiat exchange rates cannot compete with borderless cryptocurrency. What the payments industry needs to realize is that their biggest dismissal of crypto-based transactions is moot for vast segments of eCommerce. For example, a local shoe store needs instant authorization when a customer is standing in front of their register, however an online retailer only needs authorization before the delivery is sent out.
Blockchain technology is certainly expected to be implemented in manners other than payment transactions. For instance, blockchains track a currency’s history for its entire lifespan just as they track identities, a powerful new way to enhance traditional underwriting and fraud control models. Already a proven model for contract authentication, it is reasonable to expect blockchain technology to be implemented in similar ways like securing and automating merchant agreements and related onboarding flows.
Q: TSG’s Zach Spellman
Tell me more about your role at TSG. What type of project engagements do you typically contribute towards and offer your expertise on?
A: Cliff Gray
One of my favorite aspects of working with TSG is being able to play a role in a variety of engagements, both from a technical and business perspective, as well as interacting with our industry-leading clients. I work closely with another TSG Senior Associate, Susan Horne, to perform Visa/GARS investigations as TSG is one of a few organizations certified by Visa to do so. These projects and similar engagements often reflect the importance of blending technical and operational fraud controls to mitigate merchant acceptance risks. I have been involved in numerous infrastructure review and analysis projects, often in support of M&A diligence, as well as evaluating payment infrastructure and technology. Most of my work requires me to stay current on industry regulations and trends, such as PCI, EMV, operational regulations, and security trends and landscapes.Recently, I have been involved with TSG’s GEM product by assessing the payment gateway space from the viewpoint of commercial developers needing to integrate payments. Among many interesting findings, one tacit reality was repeatedly confirmed: a lack of payment processors updating their technologies to work directly with modern cloud-based infrastructures and development communities. Next-gen platforms like Stripe have little technology left to build before becoming giant-killers in the processing business.
Q: TSG’s Zach Spellman
You have extensive expertise in technology and security compliance. What are some of the common challenges that face financial institutions as it relates to hardware security when it comes to payment acceptance and processing? How do you help financial institutions achieve a safe and protected operation?
A: Cliff Gray
The biggest challenges for financial institutions these days are related to the evolution of POS to Android and iOS platforms. While mobile platforms come with potent advantages (e.g., native, frictionless connectivity, massive development communities, etc.) there remain some important considerations. Typical mobile hardware cannot validate under Payment Transaction System (PTS) rules, so card-present functionality requires separate hardware like encrypting dongles and PIN pads. However, PIN-on-Glass should resolve some of this but that may still be years away.Interchange models also need to evolve to meet today’s technology. For example, Google Pay and Apple Pay’s authentication is arguably far better than AVS, CVV, and EMV; yet many transactions still interchange at risky, expensive CNP rates. There are technical challenges to overcome, but industry risk and interchange modeling must catch up as well.
The good news is that the new generation of processors are obfuscating compliance and security concerns through proprietary, fully certified hardware solutions that keep all dangerous data out of merchant systems and validate accordingly. These offerings are especially attractive to acquirers and ISOs looking for low-risk, low-touch solutions for their card-present merchants.
Q: TSG’s Zach Spellman
Tell me more about the importance of having a robust and carefully curated procedure and infrastructure in place when handling cardholder information. What are some of the key items you inspect when reviewing and assessing an entity’s operation?
A: Cliff Gray
While it is always safer to store a token rather than a raw card number, business requirements and/or industry standards sometimes mandate the handling of sensitive information. In these instances, some core factors are always considered. First and foremost is the decision to handle cardholder information appropriate. It is important for any organization to constantly reassess available technologies and strategies against business requirements and the potential liability of a breach. Other than the largest of entities, a breach of cardholder data would be financially catastrophic. Other things we look at include how multiple data elements are stored, including how entities follow Personally Identifiable Information (PII) models that disassociate elements as a means of rendering them harmless. Financial institutions and technology providers alike, we focus on how well the entity removes opportunities for individual humans to introduce threats or risk into the system.
Q: TSG’s Zach Spellman
Since joining TSG, how has the process of reviewing hardware and technology risk compliance changed over the years?
A: Cliff Gray
Payment ecosystems are deeply vested in the cloud – effectively treated as a public utility, it is the de facto infrastructure for CTO’s and micro-merchants, and everybody in between. Certainly, that reality has tremendously simplified my work in reviewing various hardware and software infrastructure. Not just because managing virtual hardware is far simpler than raised-floor facilities, the cloud has flipped redundancy and business continuity on its head. Maintaining a network with 99.999% uptime is difficult under any circumstances, but it was much harder before AWS and Google Cloud were around. When evaluating various technologies and implementations these days, I can focus more on the root causes of security threats such as how humans use technology, rather than the technology itself.
Q: TSG’s Zach Spellman
As technology continuously advances, how can firms in the merchant acquiring space best prepare and stay on top of new and emerging security threats?
A: Cliff Gray
I have always taken a pragmatic approach to security threats, evolving technology, and the reality that no lock is 100% foolproof. In this context, I believe stakeholders in the payment arena must remain vigilant to these threats, identify and protect against them by any means necessary, while also constantly strive to remove any assets (virtual or otherwise) that give weight to the threats in the first place. ISOs and acquirers regularly choose to exclude higher-risk market segments, and they should choose to exclude dangerous data in the same way. Even the largest of merchants have chosen to exclude card credentials from their networks; it is just not worth the risk.