Added value, benefits, security
"Payment gateways" (or "payment hubs") have been promoted time and again as a component of modern payment processing. So what exactly does the term mean? For which companies and use cases is it really worth using a payment gateway? Which benefits can be achieved? And which aspects of existing systems and security need to be considered when using one?
In a nutshell
In IT, a gateway is a link between two or more systems that acts as an intermediary and means
a) ... in the context of digital payment transactions in retail: the processing of electronic payments (mostly credit and debit cards) between buyers (customers) and sellers (merchants), with the gateway acting as an intermediary that forwards payment transactions to the connected PSPs [1] and acquirers [2] (e.g. ACI, SPREEDLY, NUVEI, but also others) [3]
b) ... in the context of traditional payment transactions for companies: the processing of financial transactions on the company's accounts at its house banks, primarily outgoing payments (suppliers, employees, public authorities) but also incoming direct debits (customers). Here the payment gateway connects the company to its banks in much the same way as an electronic banking system; the boundary to the Treasury Management System (TMS) is often fluid (e.g. SERRALA, TIS, OMIKRON, but also others) [4]
The following article will focus on the aspects of a payment gateway in traditional payment transactions (b).
Key features explained in simple terms
An external payment gateway connects a company's house banks via the available channels EBICS, H2H, SWIFT and, increasingly, APIs. Internally, it connects to the ERP and accounting systems. This is the first major advantage over e-banking systems: payment files are uploaded automatically, without manual intervention (straight-through processing). In addition, a payment gateway usually includes a format library that converts payment information from the internally used interface formats into the country-specific XML formats accepted by the respective banks.
Figure 1: System landscape with payment gateway for sending payment files
Source: KPMG AG
Beyond this, a payment gateway typically offers a range of additional functionalities, such as (non-exhaustive list)
- managing bank master data
- managing users and authorization rights
- releasing payments
- tracking and analyzing errors in payments
- obtaining account statements
- providing reports for accounts, balances and transactions
- if necessary, providing a liquidity forecast or even liquidity planning
This puts the gateway in direct competition with the banks' e-banking systems, which are only needed as a fallback or for special payments. Using the gateway therefore also has an impact on cooperation with the banks.
Changing ways of working with banks
To begin with, account master data for all banks is managed in the payment gateway. Where this did not exist before, it creates transparency across all bank accounts worldwide for the first time; where the master data is already recorded in the ERP systems, it creates redundancy in master data management. When an EBICS corporate seal is used (the company signs payment files with one company-level key and decides internally which users may release what), even authorization rights can be managed without the bank's involvement, which is often a great speed advantage when adjusting limits for new employees, for example. The flip side is that the bank then no longer enforces per-user limits, so the gateway's authorization concept becomes the only control at that point. When it comes to analyzing errors in payment files, the bank is still needed, but the gateway also provides options for validating and troubleshooting payment files.
Initially, the additional administrative tasks in the payment gateway mean more work and responsibility for the treasury department. However, at the same time, these new responsibilities strengthen Treasury's position as a competent port of call for the subsidiaries and service function within the Group.
Needless to say, a payment gateway also changes the way companies work with their banks. The use of a payment gateway means that some banks see themselves as being relegated to the role of a pure “backend” and payment processor, with their relevance in implementation projects dwindling. This can lead to friction with some institutions. Still other banks are concerned about issues such as liability and fraud prevention or insist on additional rights in the contract with regard to the release of data for specific reasons (e.g. log files for approval history). For the most part, however, banks are taking a proactive approach to the trend, supporting customers in their implementation projects or even entering into partnerships with payment gateways.
Outsourcing payment format maintenance saves money and accelerates IT projects
Some payment gateways provide a library of pre-tested payment formats that are specific to individual banks and countries. With this library, the gateway is able to generate a valid XML payment format that complies with the ISO 20022 standard from payment information in various internal formats (e.g. CSV, TXT or IDOC from an ERP system). This has numerous advantages:
- Whenever central banks introduce new payment methods (e.g. instant payments, real-time payments or split payments), payment formats can quickly go live for each bank.
- When replacing legacy formats (e.g. DTAZV) and introducing the ISO standard, format libraries are helpful because they accelerate and simplify the technical migration.
- On top of that, new payment runs can be implemented more quickly, thus automating additional payment transactions in accounting.
Figure 2: A payment gateway's format library
Source: KPMG AG
To a certain extent, ERP systems also offer templates for country-specific payment file formats. These, however, still need to be customized to the format specifications of the respective local banks. Most importantly, the initial format test together with the bank is more extensive and depends on the availability of the bank's implementation managers. Likewise, responsibility and effort for format maintenance lies with the company's IT department. Conversely, by using a payment library with pre-validated and automatically maintained formats, internal IT costs can be reduced and efficiently outsourced to the service provider.
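What such a format library does, reduced to its core, as an added example for this article (not KPMG's code and not any gateway vendor's library): the script below takes a constructed CSV export of the kind an ERP payment run might produce, validates each row (IBAN check digits, amount precision, the EndToEndId character set, BIC shape) and serializes the result as an ISO 20022 pain.001.001.03 Customer Credit Transfer Initiation file with the control sums a bank cross-checks. Column names, party names, IBANs, BICs and amounts are constructed; the bank- and country-specific profile rules (service level, charge bearer, purpose codes and the like) that a real library maintains per bank are deliberately not modelled.

```python
# ERP CSV export -> ISO 20022 pain.001.001.03 (Customer Credit Transfer Initiation), with the
# plausibility checks a format library runs before the bank ever sees the file. Added example
# for this article, not KPMG's or any vendor's code; all names, IBANs, BICs and amounts below
# are constructed test data, and bank/country-specific profile rules are not modelled.
import csv, io, re
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation
import xml.etree.ElementTree as ET

NS = "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"

# Constructed sample of what a CSV (or flattened IDoc) payment run from the ERP might carry.
SAMPLE_CSV = """end_to_end_id,creditor_name,creditor_iban,creditor_bic,amount,currency,remittance
INV-2024-0001,Muster Lieferant GmbH,DE89370400440532013000,BANKDEFFXXX,1250.00,EUR,Invoice 4711
INV-2024-0002,Exemple SARL,FR1420041010050500013M02606,BANKFRPPXXX,99.95,EUR,Invoice 4712
"""

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check digits: rotate the first four characters to the end, map letters to 10..35
    and require the resulting integer to be congruent to 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def parse_amount(text: str) -> Decimal:
    try:                                   # Decimal, never float: 99.95 must stay 99.95
        amount = Decimal(text)
    except InvalidOperation as exc:
        raise ValueError(f"unparseable amount {text!r}") from exc
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError(f"amount must be positive with at most two decimals: {text!r}")
    return amount

def parse_payments(csv_text: str) -> list:
    # Validate every row; one bad row rejects the whole file rather than producing a partial upload.
    payments = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = row["end_to_end_id"]
        if not re.fullmatch(r"[A-Za-z0-9/\-?:().,'+ ]{1,35}", ref):
            raise ValueError(f"EndToEndId {ref!r} outside the 35-character restricted character set")
        if not iban_is_valid(row["creditor_iban"]):
            raise ValueError(f"{ref}: invalid creditor IBAN")
        if not re.fullmatch(r"[A-Z]{6}[A-Z0-9]{2}([A-Z0-9]{3})?", row["creditor_bic"]):
            raise ValueError(f"{ref}: malformed BIC")
        payments.append({**row, "amount": parse_amount(row["amount"])})
    return payments

def validation_error(csv_text: str):
    # None if the file passes every check, otherwise the first error message.
    try:
        parse_payments(csv_text)
    except ValueError as exc:
        return str(exc)
    return None

def build_pain001(payments, debtor_name, debtor_iban, debtor_bic, msg_id, execution_date) -> bytes:
    """Serialize validated payments as one PmtInf block; execution_date is 'YYYY-MM-DD'."""
    if not iban_is_valid(debtor_iban):
        raise ValueError("invalid debtor IBAN")
    total = sum((p["amount"] for p in payments), Decimal("0"))

    def el(parent, tag, text=None, **attrs):       # children are added in XSD sequence order
        e = ET.SubElement(parent, f"{{{NS}}}{tag}", attrs)
        if text is not None:
            e.text = str(text)
        return e
    ET.register_namespace("", NS)
    doc = ET.Element(f"{{{NS}}}Document")
    root = el(doc, "CstmrCdtTrfInitn")
    hdr = el(root, "GrpHdr")
    el(hdr, "MsgId", msg_id[:35])
    el(hdr, "CreDtTm", datetime.now(timezone.utc).replace(microsecond=0).isoformat())
    el(hdr, "NbOfTxs", len(payments))
    el(hdr, "CtrlSum", f"{total:.2f}")                # the bank cross-checks this against the InstdAmt sum
    el(el(hdr, "InitgPty"), "Nm", debtor_name)
    pi = el(root, "PmtInf")
    el(pi, "PmtInfId", msg_id[:35])
    el(pi, "PmtMtd", "TRF")
    el(pi, "NbOfTxs", len(payments))
    el(pi, "CtrlSum", f"{total:.2f}")
    el(el(el(pi, "PmtTpInf"), "SvcLvl"), "Cd", "SEPA")  # the kind of per-bank profile detail a format library owns
    el(pi, "ReqdExctnDt", execution_date)
    el(el(pi, "Dbtr"), "Nm", debtor_name)
    el(el(el(pi, "DbtrAcct"), "Id"), "IBAN", debtor_iban)
    el(el(el(pi, "DbtrAgt"), "FinInstnId"), "BIC", debtor_bic)
    for p in payments:
        tx = el(pi, "CdtTrfTxInf")
        el(el(tx, "PmtId"), "EndToEndId", p["end_to_end_id"])
        el(el(tx, "Amt"), "InstdAmt", f"{p['amount']:.2f}", Ccy=p["currency"])
        el(el(el(tx, "CdtrAgt"), "FinInstnId"), "BIC", p["creditor_bic"])
        el(el(tx, "Cdtr"), "Nm", p["creditor_name"])
        el(el(el(tx, "CdtrAcct"), "Id"), "IBAN", p["creditor_iban"])
        el(el(tx, "RmtInf"), "Ustrd", p["remittance"][:140])
    ET.indent(doc)
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)

def summarize(xml_bytes: bytes) -> dict:
    # Read the header totals back, as a receiving system would cross-check them.
    root = ET.fromstring(xml_bytes)
    hdr = root.find(f"{{{NS}}}CstmrCdtTrfInitn/{{{NS}}}GrpHdr")
    amounts = [Decimal(a.text) for a in root.iter(f"{{{NS}}}InstdAmt")]
    return {"nb_of_txs": int(hdr.findtext(f"{{{NS}}}NbOfTxs")), "tx_count": len(amounts),
            "ctrl_sum": hdr.findtext(f"{{{NS}}}CtrlSum"), "sum_of_amounts": f"{sum(amounts):.2f}"}
```

Call `build_pain001(parse_payments(SAMPLE_CSV), ...)` with the debtor's own name, IBAN, BIC, a message ID and an execution date to obtain the file, and `summarize()` to read the totals back. Two design points matter for security: rejecting the whole file on the first bad row avoids the partial-upload state in which some payments have reached the bank and others have not, and running the checks before the file is signed keeps a malformed or manipulated row from ever being released under the company's signature.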
Outsourcing that goes beyond format maintenance and e-banking, i.e. beyond the functional scope of a payment gateway, has to be considered separately. When it comes to outsourcing the entire payment transaction process, including populating and preparing payment files for vendor payments or complex HR payments as well as their posting and the monitoring of settlement, it is necessary to turn to other providers (e.g. ADP, Bottomline Technologies, PAYONEER, DATEV, as well as others) [5].
Improved governance and savings on fees
When bank master data management, bank connectivity, account administration and payment processing are centralized, the payment gateway automatically creates a stronger dependency of the subsidiaries on the head office. At the same time, this improves the overview of local bank accounts and approval rights, facilitates the enforcement of uniform limits and forces the subsidiaries to coordinate more closely with the central treasury department when opening and closing bank accounts. This kind of improved governance is likely to pique the interest of the CFO in particular. What's more, centralization can pave the way for a future shared service center (payment factory).
On the cost side, the savings made in maintaining formats and the efficiency gains achieved through a standardized admin process are initially offset by the cost of subscribing to another cloud platform. In addition, however, a payment gateway boosts competition between banks in terms of:
- the reliability and speed of payment execution
- the introduction of new payment methods
- and, last but not least, pricing.
While it is still a hassle to switch from one bank account to a better or cheaper bank, the technical setup in a payment gateway is significantly faster and easier. So for high-volume transactions, the fixed costs for software rental should pay for themselves in the medium term.
What are the risks and how can they be mitigated?
Entrusting a cloud provider with the technical side of a company's ability to pay may initially raise understandable concerns for a responsible treasurer, for example regarding data security, provider risk and control over payment transactions.
To reap the benefits anyway, operational risks can be limited by choosing a provider that guarantees the necessary availability and reliability (failover, backup, limited downtime), preferably backed by a suitable SLA (Service Level Agreement) and an information security certification such as ISO/IEC 27001. On closer inspection, the insolvency risk and the availability of support at most providers today are at a level similar to that of banks. What the SLA does not cover should be planned for explicitly: the banks' e-banking systems remain the fallback, so the users, keys and limits needed to run a payment run there must be kept current rather than left to lapse once the gateway is live.
Companies are well aware that the authorities vigorously enforce data protection law (the GDPR, DSGVO in German) and data security with heavy fines, and public awareness of the issue is widespread today. The protection of personal data in payment transactions (e.g. bank details) and of sensitive data (e.g. salary payments) is therefore particularly important. Outsourcing providers such as payment gateways usually have provisions in their contracts and processes for this. All the same, the treasury should take its own measures against misuse, for example in the form of:
- an authorization concept
- clear guidelines and training for administrators
- release processes
- and documentation
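The authorization concept and release processes listed above, together with the limit administration and the approval history mentioned earlier, can be made concrete. The following is an added example for this article, not KPMG's code and not any vendor's product logic: a minimal release workflow that enforces segregation of duties (a batch's creator never releases it), per-user release limits, dual approval above a threshold and a check of every creditor account against centrally maintained bank master data, and writes every decision to a hash-chained approval history of the kind a bank may ask to see. Users, limits, the threshold, the master data and the batches are constructed test data.

```python
# Payment release control for a centralized gateway / payment factory: segregation of duties,
# per-user release limits, dual approval above a threshold, creditor accounts checked against
# central bank master data, and a hash-chained approval history that can be handed over as
# evidence. Added example for this article, not KPMG's code nor any vendor's product logic;
# all users, limits, thresholds and batches are constructed test data.
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
import hashlib, json

@dataclass(frozen=True)
class User:
    name: str
    role: str               # "creator" or "approver"
    release_limit: Decimal  # largest batch total this user may approve

@dataclass(frozen=True)
class Batch:
    batch_id: str
    created_by: str
    total: Decimal
    creditor_ibans: tuple

class ReleaseWorkflow:
    def __init__(self, users, master_ibans, dual_approval_above=Decimal("50000")):
        self.users = {u.name: u for u in users}
        self.master_ibans = set(master_ibans)   # bank master data maintained centrally
        self.dual_approval_above = dual_approval_above
        self.approvals = {}                     # batch_id -> list of approver names
        self.history = []                       # append-only; each entry hashes its predecessor

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def _log(self, **event):
        prev = self.history[-1]["hash"] if self.history else "0" * 64
        entry = {**event, "ts": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["hash"] = self._digest(entry)
        self.history.append(entry)

    def required_approvals(self, batch):
        return 2 if batch.total > self.dual_approval_above else 1

    def status(self, batch):
        done = len(self.approvals.get(batch.batch_id, []))
        return "released" if done >= self.required_approvals(batch) else "pending"

    def approve(self, batch, user_name):
        """Record one approval decision; returns 'released', 'pending' or 'rejected'."""
        user = self.users.get(user_name)
        unknown = [i for i in batch.creditor_ibans if i not in self.master_ibans]
        if user is None or user.role != "approver":
            reason = "not an approver"
        elif user_name == batch.created_by:
            reason = "segregation of duties: creator may not release own batch"
        elif batch.total > user.release_limit:
            reason = f"exceeds release limit {user.release_limit}"
        elif user_name in self.approvals.get(batch.batch_id, []):
            reason = "duplicate approval by the same user"
        elif unknown:
            reason = f"creditor account(s) not in bank master data: {unknown}"
        else:
            reason = None
        if reason:
            self._log(batch=batch.batch_id, actor=user_name, result="rejected", reason=reason)
            return "rejected"
        self.approvals.setdefault(batch.batch_id, []).append(user_name)
        result = self.status(batch)
        self._log(batch=batch.batch_id, actor=user_name, result=result, total=batch.total,
                  approvals=len(self.approvals[batch.batch_id]))
        return result

    def verify_history(self):
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.history:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def demo():
    """Constructed scenario; returns (workflow, list of results in call order)."""
    users = [User("alice", "creator", Decimal("0")), User("bob", "approver", Decimal("100000")),
             User("carol", "approver", Decimal("100000")), User("dave", "approver", Decimal("10000"))]
    master = {"DE89370400440532013000", "FR1420041010050500013M02606"}   # constructed master data
    wf = ReleaseWorkflow(users, master)
    big = Batch("PMT-2024-11-001", "alice", Decimal("75000.00"), ("DE89370400440532013000",))
    small = Batch("PMT-2024-11-002", "bob", Decimal("8000.00"), ("FR1420041010050500013M02606",))
    odd = Batch("PMT-2024-11-003", "alice", Decimal("500.00"), ("DE89370400440532013001",))
    results = [wf.approve(big, "alice"), wf.approve(big, "dave"), wf.approve(big, "bob"),
               wf.approve(big, "bob"), wf.approve(big, "carol"),
               wf.approve(small, "bob"), wf.approve(small, "dave"), wf.approve(odd, "bob")]
    return wf, results
```

Calling `demo()` runs the scenario: the creator cannot release, the new employee with the low limit is refused, the large batch stays pending until a second approver signs, a duplicate approval by the same person does not count, and a creditor account missing from the master data blocks the batch regardless of who approves. The chained history exists so that it can be handed to a bank or auditor and verified independently; in production the latest hash would additionally be anchored outside the gateway (for example by periodically signing it), since otherwise whoever can rewrite the log can also recompute the chain.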
What's more, any subsidiary that commissions the head office to process payment transactions should initially delegate this task with appropriate contracts in order to create a legal basis for the centralization. It is also a good opportunity to take a fundamental look at data protection and data security in order to prevent the misuse of sensitive user data.
Cyber security in payment transactions
Apart from the risks already mentioned, cyber security in connection with payment gateways is likely to raise some concerns. To begin with, all parties involved in the payment transaction process are exposed to cyber attacks:
- Banks (and also central banks): Banks are a particular focus of cyber attacks while also being subject to high regulatory pressure. New laws such as DORA (Digital Operational Resilience Act) impose strict requirements for cyber security and force banks to invest significantly in security and fraud detection. Such investments are also necessary to adequately protect a complex and extensive infrastructure and organization.
- Cloud providers (payment gateways or treasury management systems): Smaller cloud providers also have smaller budgets. Then again, as technology specialists, they are well placed to protect themselves with technical measures (authentication, encryption, etc.). While they are generally not regulated in the way banks are (DORA does, however, bring ICT providers that are critical for financial entities under direct oversight), they usually undergo certification for information security (such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 or SOC 2, to name just a few). A certificate or SOC 2 report attests that defined controls existed within a defined scope at a point in time, not that the provider cannot be breached; its scope, its exceptions and the handling of the provider's own administrative access to customer payment data are worth reading before signing. Time and again, cloud providers successfully fend off cyber attacks [6], although the example cited there is a hyperscaler whose security budget is hardly representative of a specialist gateway vendor.
- Corporates (with an on-premise installation of the ERP or TMS): Unfortunately, companies themselves are likely to be the weakest link in the chain if they do not invest sufficiently in cyber security, have no contingency plans in place or do not undergo IT security certification. These companies are highly exposed because they store sensitive payment transaction data in ERP systems, e-mail programs or folder structures.
As a result, whenever a company considers improving the IT security of its payment transactions, outsourcing further processes to cloud providers often represents an improvement over the status quo, provided the interfaces that remain on the company's side (ERP exports, shared folders, e-mail, manual uploads) are hardened as well, since a payment file can be manipulated there before the gateway ever sees it.
Key decisions towards a future-proof payment strategy
To sum up, a clever IT setup for payment transactions unlocks financial potential and is an important lever for improvements. That is why it can make sense to think about the specific payment strategy (in addition to the bank strategy) and clarify the following questions, for example, before starting larger payment projects:
- Format development: make or buy?
- Administration of limits: in-house or through banks?
- Governance: payment transactions, centralized or decentralized?
- Importance of security: manual interfaces or automation?
An upcoming ERP migration or a project to replace legacy formats could prove to be a good opportunity to take a long, hard look at your payment strategy and to review your IT landscape – specifically with regard to the use of a payment gateway.
Source: KPMG Corporate Treasury News, Edition 149, November 2024
Authors:
Nils Bothe, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
Sascha Uhlmann, Senior Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
[1] A payment service provider (PSP) makes the technical infrastructure available for processing cashless payment methods at the interface to the end customer, both online in e-commerce (in the checkout process) and in stationary retail (through payment terminals).
[2] An acquirer is a bank or financial service provider responsible for authorizing and processing card payments and paying out the amounts to the merchant's bank accounts.
[3] The providers were selected at random. They are illustrative examples with no implication as to the relevance or competence of the respective providers.
[4] Same comment as under footnote 3.
[5] Our selection of providers that can serve as outsourcing partners for additional payment transaction services was made on a random basis. They are illustrative examples with no implication as to the relevance or competence of the respective providers.
[6] Amazon Web Services (AWS) is an exemplary representative of the industry, deploying numerous innovative tools for early detection, defense and protection against cyber attacks. These tools have already helped AWS to fend off numerous attacks, according to the company ("In the first quarter of 2023 [...] we stopped over 1.3m outbound botnet-driven DDoS attacks").
Source: Ryland, M. (2023, September 28). How AWS threat intelligence deters threat actors. AWS Security Blog. Available at: https://aws.amazon.com/de/blogs/security/how-aws-threat-intelligence-deters-threat-actors