Securing Payments-as-a-Service


Payments-as-a-Service (PaaS) is a business model where financial institutions provide advanced payment products and services. The benefit of this model is that customers are not burdened with the overhead of developing their own payment processing platform.

What Is Payments-as-a-Service?

PaaS providers offer leading-edge, cloud-based platforms to provide specialized services, such as card issuing, payment clearing, cross-border payments, disbursements, and e-commerce gateways. Key players in the PaaS market include Paystand, PayPal, Stripe, and Square. The global PaaS market size reportedly reached US$5.6 billion in 2020 and is expected to reach US$16 to US$20 billion in 2025, growing at a CAGR of between 15% and 20%.

PaaS providers cover the entire payment value chain using cloud-based platforms, partnering with banks, e-commerce companies, fintech firms, insurers, and telecoms to offer specialty payment services. At the heart of PaaS solutions are APIs that integrate value chain partners with PaaS platforms. PaaS solutions offer scalability, resiliency, security, and lower cost. All of these traits add to their attractiveness and give PaaS the advantage over many legacy payment platforms, with the added benefit of a per-transaction cost model versus the significant feature investments of in-house solutions.

Is Using PaaS Less Secure Than Legacy Payment Processing?

Research performed by Aite-Novarica Group shows that most fraud in the financial services industry is related to payment activity. The payment processing attack surface will only increase as more PaaS providers come online. That said, it is generally believed that PaaS platforms have the edge in security and resiliency owing to their purpose-built, cloud-first architecture. PaaS platforms adhere to strict security protocols found in PCI DSS. However, customers of PaaS providers must verify that independent parties have certified the platform’s security, privacy, and resiliency.

Banks’ dominance in the payment processing space will decrease with the wide acceptance of PaaS. However, the responsibility for security, resiliency, and privacy will shift to vendors that may not have the same years of experience protecting payment and customer information as legacy providers. Regardless of the source, users of payment processors can never abdicate their accountability. Lower cost should not be the only criterion for choosing a PaaS provider.

To learn about protecting PaaS, check out my blogs on secure Banking-as-a-Service and open banking API risk, or if you prefer, contact me here.