Sponsored content presented by CPI Card Group, Inc.
Instant issuance is emerging as a key centerpiece in the on-demand branch-level transformation occurring in financial services today to meet evolving customer preferences. The 21st century consumer wants a debit or credit card that can do it all and be inside their wallets after a short visit to their bank – cards that can be issued on day one of account opening or immediately upon reissue after a compromise. Recognizing the need to add an instant issuance solution to respond to this demand for immediacy is the true start; however, adding the technology to implement and deliver comes with a number of considerations.
Building an instant issuance program from the ground up can seem like a daunting task. To begin, issuers must set some foundational standards for their program. The program should be customer-centric, reduce operational expenses and begin generating revenue on day one. Once the vision for the program is established, there are deeper considerations to address.
Most teams begin with researching suppliers. The discovery process presents – slightly more obvious factors such as the need for in-branch card printers, printable cardstock, and employee training. The temptation at this stage is to oversimplify by looking at the bottom line and eliminating potential suppliers based solely on cost, but cost is not the only decision point and not necessarily the most important.
There is one area most critical to building a successful program –ownership of the server that stores secure data and programs new cards. There are two main solution models to choose between in this regard: Software for Purchase (SFP), in which the banks own the server and software; and Software-as-a-Service (SaaS), where the data is maintained in a secure cloud-service offered by the instant issuance supplier.
Ownership of the server is handled differently among the available solution models and is THE most important decision to make to truly support the foundation of the program. For financial institutions, there are two solution models to consider:
Software for Purchase (SFP), which provides a secure server and software for purchase, outright. The software and the servers are owned and maintained by the financial institution.
Software as a Service (SaaS), an innovative technology where financial institutions choose a supplier that offers a fully web-based solution. In the SaaS model, the software is a cloud-service and the secure server is owned and maintained by the instant issuance supplier.
So how do decision-makers evaluate what will work for their bank? They must do a deeper dive.
EMV certification becomes necessary. Have no worries – today’s solutions are EMV compliant and either can bring a non-migrated issuer quickly to EMV compliance, but there are opportunities where the process can be shortened for some financial institutions. For a SFP instant issuance solution where a bank is not certified for EMV, all the steps in the EMV chip certification process are necessary to print EMV cards. If the financial institution has achieved EMV chip certification for their centrally issued cards, the steps will need to be repeated a second time to accommodate the addition of the instant issuance server. Each time a new server is added, all specifications must be separately certified.
SaaS instant issuance suppliers still need to extensively test the bank’s EMV chip set up using test and production keys, but there are several factors that can simplify the process. The supplier may have implemented similar projects on their servers where settings could already be certified for specific chips aligned with the payment brands and processors. Checking with the instant issuance supplier in advance of the certification process might save a few steps.
Another short-cut to consider is working with a current card personalization supplier that also offers a SaaS instant issuance solution. One of the benefits of an “add-on” solution is that the supplier has already completed the card program certification for EMV. Not having to recertify saves the institution in overall certification costs by eliminating key ceremonies and transfers; therefore, shortening the timeframe for project implementation.
Keys are key. The importance of the responsibilities around cryptographic keys cannot be overemphasized. All financial institutions that offer payment cards receive encrypted keys from their processor specifically identifying their Bank Identification Numbers (BINs). These “production keys” must be server-accessible for each instant issuance installation, as they are accessed for every card printed and are used to calculate the correct values that appear on the card. One example of this is the CVV2 or security code that appears on the back of the card, with which a derived value is calculated with each print.
SFP and SaaS approach this challenge differently. Choosing between the two solutions models predicts how the keys provided by the processor are duplicated onto instant issuance servers. It is important to decide whether the keys will be the responsibility of the institution’s employees or the supplier.
In a SFP instant issuance solution, an institution purchases a Hardware Security Module (HSM) to store data securely and customizes the software for accessing the internal network for card printing. Key components must be securely received and downloaded by institution employees in a manner that is compliant with the Payment Card Industry Data Security Standard (PCI/DSS) which stipulates a minimum of two employees must be designated as key custodians in order to receive separate shipments. The keys are then typed into the secure HSM at different times and stored separately. The downloading is known as a “key ceremony”. For SFP solutions, all key control and responsibility lies squarely with the institution. All calculations using the keys occur within the confines of the institution’s network.
In a SaaS instant issuance solution where there is no purchase of an HSM or software; key management is handled by the supplier who accepts the responsibility for security of the keys and software updates. Key components sent securely from processors are downloaded by experienced key custodian teams at the supplier who perform key ceremonies on a daily basis. Keys are then stored within facilities that meet all PCI/DSS for key control. As a card print is requested, an encrypted message travels via the internet to remote servers where the calculations are performed, and a secure print command is then sent out to branch printers.
Owning IT can mean an impact on IT resources. One of the benefits of a SFP internal server for instant issuance is that the financial institution has full control over the system. All of the IP addresses, networking decisions, firewall settings and communication protocols occur within the confines of the institution and are under the direct control of its IT staff. If there is a robust staff of IT professionals that can support the set-up, then full control can be a very attractive option.
When using a SaaS supplier, access to the service is gained using the internet. The SaaS supplier is then relied upon to direct the settings that will work best for accessing their servers and making branch printers receptive to remote print commands. Typical network installations can require Dynamic Host Configuration Protocol (DHCP) to ensure each printer is assigned a unique IP address, and a set of instructions for staff to access available internet ports. A reputable instant issuance supplier will assist staff to establish connectivity. For smaller banks that have limited IT resources, using a SaaS solution can offer “plug-and-play” availability.
Factor for the ideal cost model. There was a time when SFP instant issuance was the only option available and it was strictly a feature of large banks. There was a fairly simple economic model; the costs (server, printer, cardstock, key management, HSM) had to be spread over hundreds of employees printing thousands of cards in order to make instant issuance financially viable. However, once the server is established, the bank owns the hardware and can grant access to as many users as needed. As the industry developed, the ownership of a HSM has not really changed – the costs are still relatively high in comparison to SaaS models and remain an option mostly afforded by larger banks.
For smaller financial institutions, the SaaS model can offer the same benefits as the SFP instant issuance solutions, only with fewer onboarding costs. Whether the intent is to have instant issuance at one or at five hundred branches, a SaaS instant issuance program allows any number of users to log on and print cards, providing the supplier does not limit or charge for additional users.
Timing is of the essence. In many cases, a bank that commits to instant issuance has reached their decision in a rush of pressure, perhaps in response to a breach of client data or because competitors in the area begin to offer instant issuance. Issuers discover they are behind the curve and try to respond as quickly as possible. Many banks find they need an instant issuance solution as of yesterday.
Regardless of such pressures, financial institutions still expect a measurable return on investment within a reasonable time. Instant issuance solutions document significant ROI and all suppliers are quick to highlight the savings experienced when cards are issued instantly – from implementation to mailing costs. The day-one interchange revenue experienced when cardholders immediately start using their cards upon opening a new account or in response to a breach makes instant issuance very attractive. However, as outlined previously, the capital investment can be quite different for SFP vs. SaaS.
If the goal is to start recouping some of those costs within the same fiscal year, then that should be communicated to prospective suppliers. In general, SFP packages will be custom-made to suit each bank, which takes time. Once hardware is purchased, software will be written on the new HSM after it is installed. Contrast that with SaaS solutions, where software is programmed and maintained by the supplier. Once a bank’s specifications are complete on the supplier’s servers, the printers are ready to install and use right away. Typically, the ramp-up of instant issuance tends to be much shorter for plug-and-play SaaS solutions.
Choosing the right instant issuance solution requires a bit of knowledge surrounding the initial groundwork pertaining to the available models. Decision-makers tasked with finding the best fitting instant issuance system, whether it is SFP or SaaS, will be able to make more informed decisions if they know how each solution model approaches the fundamentals of card issuance – and what the impact will be on financial, human and time resources.
To read more about CPI Card Group’s Instant Issuance solution, Card@Once® visit: https://cardatonce.cpicardgroup.com/
EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries.
Card@Once® is a registered trademark of CPI Card Group, Inc.