This case study explores the requirement of Desjardins to harmonise its payment acceptance infrastructure to support the international requirements of members and clients, lower development costs, stimulate the development of innovative payment solutions, and promote a standardised approach to interoperability for all payment acceptance stakeholders globally.
Desjardins Group is the leading cooperative financial group in Canada and the sixth largest in the world, with assets close to $268 billion. Founded in 1901, it has one of the highest capital ratios and credit ratings in the industry. Desjardins works for the economic and social betterment of its members and clients together with the economic and operational development of the wider global financial services industry. In Canada, with the support of close to 48,000 employees and some 4,500 elected officers, Desjardins serves over seven million members and clients by providing a full range of products and services for individuals and businesses through its extensive distribution network, online platforms and subsidiaries across the country.
The group has designed its payments infrastructure to enable merchants to adopt a long-term payment acceptance strategy, minimising charges and focusing on delivering gains in operational efficiency. As a financial institution that prioritises the greater good over the commercial benefit of shareholders, it is in Desjardins’ DNA to support the wider payments ecosystem by enabling open and unmitigated adoption of the technology platforms it develops.
In this regard, the firm has demonstrated a long history of leadership in payment acceptance innovation. It was the first organisation globally to develop a full ‘end-to-end’ payment data encryption solution, for example, and was also the first to enable an integrated ‘pay-at-the-table’ acceptance solution for restaurants. This utilised an integrated payment solution that enabled payment acceptance data from the POS terminals to be fed directly into the centralised cash register management system, enabling a new level of payments insight and data alignment for the sector.
To serve and protect the interests of its merchant members and clients, Desjardins sought a way to simplify its exchange of card payment acceptance data, both domestically in Canada and beyond in international markets. To support their international expansion and their ability to trade with foreign partners, Desjardins’ members and clients needed a payments infrastructure that would facilitate the fast and simple acceptance of card payments. Crucially, Desjardins sought to accomplish this without setting up a tailored payment network infrastructure for each trading country and without having to adapt its system every time a card scheme requests a change.
Driven by the proliferation of new regulations and payment types and the global growth in e-commerce, Desjardins also sought a way to ‘dematerialise the payment acceptance terminal at the point of sale (POS)’. Card payments are increasingly being performed remotely or via innovative mobile payment solutions. By establishing a standardised way of exchanging all forms of card payment data, consistency, interoperability and cost efficiencies could all be realised for Desjardins’ members.
As a payment service provider (PSP), Desjardins also identified that it was spending too much time and money managing the integration of new payment solutions with high maintenance legacy infrastructures. Desjardins recognised this as an industry-wide problem, one that was causing integration headaches worldwide and, as a result, significantly hampering innovation.
In an effort to address these challenges, Desjardins decided to implement a model that had already proven hugely successful in the development of the internet: to develop and deploy messaging protocols that would standardise how its payment acceptance information was exchanged globally.
To realise this ambition Desjardins developed a proprietary payment application designed to support the full range of card payment formats, including EMV* chip and PIN, EMV contactless card payments and mobile NFC payments. The application is sufficiently flexible for it to be integrated with the back-end payments infrastructures of acquirers, PSPs and merchants. This capability enabled Desjardins to assume the role of each of these stakeholders and deliver full end-to-end payment acceptance services to its members.
Conventionally, to be able to operate in multiple countries, Desjardins (and its merchant members and clients) would need to negotiate the variance in payment messaging protocols in each country they operate in, together with country-specific data security and privacy requirements.
Basing the payment application on international standards and messaging protocols was a prerequisite for its success.
In 2013, Desjardins became a member of industry association nexo standards. nexo standards develops messaging protocols and specifications, which adhere to ISO 20022 standards and enable fast, interoperable and borderless payment acceptance by standardising the exchange of payment acceptance data between merchants, acquirers, PSPs and other payment stakeholders.
When developing the payment application, Desjardins has adhered to nexo FAST specifications. These specifications are based on EMV chip and PIN technology and provide an unambiguous description of how a payment application should be designed to enable global interoperability and to comply with the SEPA Cards Framework of the European Payments Council.
The nexo FAST specifications have enabled Desjardins to develop a universally interoperable application, mitigating the need to redevelop it according to the specific needs of each domestic payment acceptance infrastructure.
The nexo messaging protocols supported by the application follow the same principles. To ensure the application can seamlessly communicate with terminal management systems, acquirers, and merchants’ payment systems globally, it was built to support the nexo acquirer protocol, the nexo retailer protocol, and the nexo TMS protocol.
- The nexo acquirer protocol allows the use of real time or batch submissions and supports direct connections from merchant to acquirer or via a payment service provider intermediary.
- The nexo retailer protocoldefines a set of interfaces between a card payment application and a retail point-of-sale system. It offers new innovative features such as a clear separation between sale and payment, the provision of a complete series of payment and loyalty services as well as a common approach for all types of architectures and environments.
- The nexo TMS protocol provides an interface between a terminal management system (TMS) and a payment system. It supports the functions for configuring, managing and maintaining the application’s parameters, as well as the software and the security keys of a payment system.
There are numerous advantages to this development. Desjardins can now easily parameterise the payment application for each country so the terminal can communicate with cardholders in their native language, while remaining internationally interoperable. Desjardins has already deployed the same terminal and payment application in Canada, France and Portugal, supporting French, English and Portuguese languages, together with the Canadian dollar and Euro currencies.
As Desjardins’ cooperative ethos aims to serve the international payments ecosystem as well as its own members and clients, Desjardins made its payment application available to a wider market, enabling other financial institutions and merchants to realise the same benefits that Desjardins has to date.
Desjardins, together with its members and clients, has experienced a variety of benefits following the adoption of nexo’s standards:
Lower implementation costs
- As Desjardins’ acceptance messaging infrastructure is now fully interoperable and harmonised globally, the development, roll out and management of new payment solutions can now be done quickly and cost effectively, with the guarantee that all transactions are secure end-to-end. This has reduced implementation costs by as much as 20%.
- Desjardins’ merchant members and clients that support nexo standards are now free to expand their operations internationally, unconstrained by their card payment acceptance infrastructure. Desjardins can now deploy enhancements to its payments applications six to eight weeks faster than previous deployment timeframes.
Global partnerships and fuel for innovation
- A cross-border payments infrastructure that is globally interoperable, future-proofed and secure, empowers merchants to select best-of-breed suppliers on a global basis. This encourages collaboration, mitigates vendor lock-in, facilitates innovation and increases the merchant’s powers of negotiation. Vendor costs are therefore significantly reduced by tapping into a potentially global base of vendors and suppliers, enabling greater choice and competition.
Added value for members and the embodiment of Desjardins’ cooperative ethos
- Desjardins’ members and clients benefit from first-mover access to the new global payment acceptance infrastructure. Moreover, the international payments ecosystem also benefits from Desjardins’ open ethos; its vision of payment solutions is based on the principles of cooperation and partnership, and emphasizes human values in business practices.
- In keeping with Desjardins’ collaborative ethos, supporting nexo’s specifications and messaging protocols gives Desjardins and its members and clients the flexibility to assume different roles within the acceptance transaction chain, according to their prevailing strategies. Desjardins is empowered to deliver the whole payment acceptance service on behalf of its merchant customers (from POI to acquirer and back again). Similarly, should they wish to do so, merchants are empowered to perform the acquirer’s role (i.e., managing the process of exchanging payment data with the acquirer).
Desjardins continues its efforts to develop payment solutions for the benefit of its members and clients and the greater good of the industry. The financial institution is currently working with France-based bank, CréditMutuel, to develop Monetico, a common payments platform. Monetico is a jointly owned payment solutions brand, which is registered in over 60 countries.
Key to Monetico’s success has been its utilization of the open and international payment acceptance specifications and messaging protocols of nexo standards. By using nexo to standardise its exchange of payment acceptance data, Monetico has been able to integrate the technical complexity of domestic and international acceptance systems. Thanks to nexo, Monetico can interoperate on a standardised global level, in adherence to ISO 20022.
Securing Information Throughout the Supply Chain – Preventing Supplier Vulnerabilities
By Adam Strange, Data Classification Specialist, HelpSystems
The financial services sector is experiencing extreme disruption coupled with rapid innovation as established institutions strive to become more agile and meet evolving customer demand. At the same time, new market entrants compete fiercely for customers. Increasing operational flexibility, through the deployment of cloud infrastructure or via digital transformation initiatives, is critical for future competitiveness but it has also driven regulatory and security challenges, particularly around working with suppliers.
That said, the benefits of a diverse, interconnected supply chain are compelling: agility, speed, and cost reduction all weigh on the positive side of the equation, prompting financial institutions to pursue close, collaborative relationships with suppliers, often numbering in the hundreds or thousands.
Weakness in the supply chain
On the negative side is the increased cyber threat when enterprises expose their networks to their supply chain. In our modern interconnected digital ecosystems, most financial organisations have many supply chain dependencies and it only takes one of these to have cybersecurity vulnerabilities to bring a business to its knees.
As a result, breaches originating in third parties are common and costly – a Ponemon Institute/IBM study found that breaches being caused by a third party was the top factor that amplified the cost of a breach, adding an average of $370,000 to the breach cost.
Concern around the supply chain was also evidenced in a recent report we have just issued, whereby we interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face and nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months.
But sharing information with suppliers is essential for the supply chain to function. Most financial services organisations go to great lengths to secure intellectual property, personally identifiable information (PII) and other sensitive data internally, yet when this information is shared across the supply chain, does it get the same robust attention?
Further amplified by COVID-19
Financial service organisations have always been a key target for cyber attacks. Our research showed that since COVID-19 hit, the risk has elevated further, with 45% of the respondents seeing increased cybersecurity attacks during this period. Likewise, hackers are rejecting frontal assaults on well-defended walls in favour of infiltrating networks via vulnerabilities in suppliers.
But financial services organisations must maintain reputations and ensure customer trust. Firms are keen to demonstrate that they are protecting customer assets, providing an ultra-reliable service and working with trustworthy partners. So, what can they do to better protect their supplier ecosystem?
At the very least, they need to ensure basic controls are implemented around their suppliers’ IT infrastructure. For example, they must ensure suppliers maintain a secure infrastructure with a minimum of Cyber Essentials or the equivalent US CIS certification controls. Cyber Essentials defines a set of controls which, when implemented, provide organisations with basic protection from the most prevalent forms of threats, focusing on threats which require low levels of attacker skill, and which are widely available online.
Likewise, they need to ensure good information management controls are in place and this begins with accurate information/data classification. After all, how can you apply appropriate controls to your information unless you know what it is and where it is?
How ISO27001 helps organisations put in place a data classification process
The international standard on information security, ISO27001, describes the basic ingredients for data classification to ensure the data receives the appropriate level of protection in accordance with its importance to the organisation. It comprises three basic elements:
- Classification of data – in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
- Labelling of data – an appropriate set of procedures for information labelling should be developed and implemented in accordance with the organisation’s information classification scheme.
- Handling of assets – procedures for the handling of assets developed and implemented in accordance with the organisation’s information classification scheme.
Adoption of this methodology will help financial services organisations and their supply chain take a more data-centric information security approach. However, there are essentially four key stages for implementing a data risk assurance supply chain approach and these are:
1. Approval – in organisations with complex supply chains senior management, vendor management, procurement and information security will all need to support a robust risk-based information management approach. Details of previous incidents and their impact alongside the business benefits will be essential to gain stakeholder buy in.
2. Preparation – Organisations should start with Tier 1 suppliers and initially identify the contracts with the highest business impact/risk. They should identify and record information repositories and the data that they contain together with the responsible business owners. Define a business taxonomy based on information categories of that data and include supply chain factors such as what information categories are shared.
For example, they need to understand the business impact of compromise against each of the information categories. Have any suppliers suffered security incidents? What assurance mechanisms are in place? Once all this information is collated the organisation can create a data classification policy and define a set of controls for each data category.
3. Discovery – Select each data category and identify the associated contracts. Then prioritise the data category based on the risk assessment and verify that the data security controls and arrangements for each data category and contract meet the overall requirements. Once complete, hand over the contract for inclusion in the vendor management cycle.
4. Embed process – the overall objective is to embed information risk management into the procurement lifecycle from start to finish. Therefore, whenever a new contract is created there are a number of actions required which embed data risk at each stage of the bid, tender, procurement, evaluation, implementation and termination phases of the contract.
To summarise, organisations should start by researching the information risk and security frameworks such as ISO27001 and others. They should then focus on defining their business taxonomy and data categories together with the business impact of compromise to help develop a data classification scheme. Finally, they should implement the data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish. By effectively embedding data risk management and categorisation into their procurement and vendor management processes, they are preventing their suppliers’ vulnerabilities becoming their own and are more effectively securing data in the supply chain.
Deloitte: Middle East organizations need to rethink their workforce in the wake of COVID-19
Organizations in the Middle East have had to take immediate actions in reaction to the COVID-19 pandemic, such as shifting to remote and virtual work, implementing new ways of working and redirecting the workforce on critical activities. According to Deloitte’s 10th annual 2020 Middle East Human Capital Trends report, “The social enterprise at work: Paradox as a path forward,” organizations now need to think about how to sustain these actions by embedding them into their organizational culture.
“COVID-19 has created a clarifying moment for work and the workforce. Organizations that expand their focus on worker well-being, from programs adjacent to work to designing well-being into the work itself, will help their workers not only feel their best but perform at their best. Doing so will strengthen the tie between well-being and organizational outcomes, drive meaningful work, and foster a greater sense of belonging overall,” said Ghassan Turqieh, Consulting Partner, Human Capital, Deloitte Middle East.
According to the Deloitte report, many organizations in the Middle East made quick arrangements to engage with employees in the wake of the pandemic through frequent communications, multiple webinars where senior leaders addressed employee concerns, virtual employee events, manager check-ins, periodic calls and other targeted interactions with the workforce.
The report also discussed how UAE and KSA governments have reexamined work policies and practices, amended regulations and introduced COVID-19 initiatives to support companies and the workforce in the public and private sectors. Flexible and remote working, team-building and engagement activities, well-ness programs, recognition awards and modern workspaces are among the many things that are now adding to the employee experience.
Key findings from the Deloitte global report include:
- Only 17% of respondents are making significant investments in reskilling to support their AI strategy with only 12% using AI primarily to replace workers;
- 27% of respondents have clear policies and practices to manage the ethical challenges resulting from the future of work despite 85% of respondents saying the future of work raises ethical challenges;
- Three-quarters of leaders are expecting to source new skills and capabilities through reskilling, but only 45% are rewarding workers for the development of new skills; and
- Only 45% of respondents are prepared or very prepared to take advantage of the alternative workforce to access key capabilities despite gig workers being likely to comprise 43% of the U.S. workforce this year according to the Bureau of Labor Statistics.
“Worker well-being is a top priority today, and similarly to the rest of the world, companies in the Middle East are focusing their efforts to redesign work around well-being by understanding workforce well-being needs,” said Rania Abu Shukur, Director, Human Capital, Consulting, Deloitte Middle East.
One in five insurance customers saw an improvement in customer service over lockdown, research shows
SAS research reveals that insurers improved their customer experience during lockdown
One in five insurance customers noted an improvement in their customer experience over lockdown, according to research conducted by SAS, the leader in analytics. This far outweighed the 11% of customers who felt it had deteriorated over the same period.
This is positive news for insurers during such challenging times, with 59% of customers also saying that they would pay more to buy or use products and services from any company that provided them with a good customer experience over lockdown.
The improvement in customer experience also coincides with a rise in the number of digital customers. Since the pandemic started, the number of insurance customers using a digital service or app has grown by 10%. Three-fifths (60%) of new users plan to continue using these digital services moving forward.
However, while the number of digital users grew over lockdown, half of the insurance customer base has not yet chosen to move to digital insurance apps or services.
Paul Ridge, Head of Insurance at SAS UK & Ireland, said:
“It’s impressive that there was a net improvement in customer experience during lockdown, despite the challenges the industry was facing with a transition to remote working and increased claims for things like cancelled holidays. While many were forced to wait on customer help lines for long periods, part of the improvement may be explained by even a small (10%) increase in the number of digital users.
“However, it’s clear that a huge number of customers are still yet to make the move online. It’s vital that insurers provide the most accurate, timely and relevant offerings to customers, and this is best achieved by having additional insight into online customer journeys so they can understand them better. Using analytics and AI, insurers can seize this opportunity to digitalise their customer experience and offer a more personalised approach.”
Meanwhile, for insurers that fail to offer a consistently satisfactory customer experience, the price could be severe. A third (33%) of customers claimed that they would ditch a company after just one poor experience. This number jumps to 90% for between one and five poor examples of customer service.
For more insight into how other industries across EMEA performed during lockdown, download the full report: Experience 2030: Has COVID-19 created a new kind of customer?
Securing Information Throughout the Supply Chain – Preventing Supplier Vulnerabilities
By Adam Strange, Data Classification Specialist, HelpSystems The financial services sector is experiencing extreme disruption coupled with rapid innovation as...
RegTech 2020: The rise of Open Banking
This month on the RegTech 20:20 podcast, host Alex Ford is joined by industry experts Gavin Littlejohn, Chairman of The...
The case for AI technology adoption in financial back-office roles to improve efficiency
By Tomas Gogar, AI CEO, Rossum In this era, digital transformation isn’t anything new. Nonetheless, it can still cause a...
Gain financial regulation qualification online
Gain financial regulation qualification online Warwick Business School in partnership with the Bank of England are delighted to offer...
COVID-19: Dealing with fraudulent applications for the Bounce Back Loan Scheme
By Ed Lloyd, EVP Global Head of Sales, Encompass The COVID-19 pandemic is still having a devastating impact on businesses...
EU Commission sets out new intellectual property action plan affecting SEPs, patent pooling and EU design protection
By Andrew White, Partner and UK & European patent attorney at intellectual property firm, Mathys & Squire The EU Commission...
InsurTech is helping to drive the digital evolution of the UK motor retail industry
By Alan Inskip, Tempcover CEO & Founder If the last nine months have made anything clear, it is that the...
Five ways enterprises are using the public cloud
By Michael Chalmers, MD EMEA at Contino The public cloud is the most significant enabler in a generation. It’s causing a...
Another ‘new normal’? Five challenges CTOs will face in 2021
By Amit Dattani, Director of Technology at Conosco We’re one year into the new decade, and arguably technology has guided...
An inside look at how both the global pandemic and the March and November 5th National Lockdowns are affecting mental health within the workforce
By Lianne Harrington, Director SMP Healthcare Ltd Part One: Real life insights into the deteriorating mental health of three employees...