Previous chapters in this book have defined the payment system as the combination of laws, institutions maintaining settlement accounts, and operating facilities that are used to make payments. This chapter focuses on the operating facilities component—or the “plumbing”—of the payment system. It describes the main operational components of a modern payment system and then goes on to address capacity planning and management issues. It also deals with procurement of technology.
Many different methods are used to make payments and a great variety of technological platforms exist for processing them. The main focus of this chapter is on electronic technologies used to support large-value transfer systems.
Components of a Modern Operating System
Well-organized and smoothly functioning operational facilities are absolutely essential to the payment system. In advanced market economies, in which the volume and value of transactions and associated payments are large, manual systems obviously cannot effectively support high levels of activity. Therefore, automated systems that use modern technologies are required. Such automated systems depend on data processing facilities, data communications facilities, and highly skilled operations and support personnel.
Data processing facilities consist of computer equipment, the environmental software needed to operate and control that equipment, the application software designed for processing the payments, and skilled staff who manage and operate the entire complex. Data communications facilities, composed of communications equipment and software, allow for the transmission of payment information. Transmission may occur over long distances between the processor, the sender, and the receiver.
Taken together, the technologies used in payment systems can be extremely complex. The time needed from conception to implementation of the system, or to make changes to existing systems, can be extensive. Moreover, implementing technical changes can pose operational risks and is expensive. Once the system is operational and business requirements for safety and reliability are firmly established, there is no room for operational disruptions.
The processing of payments almost always depends on large-scale automation and technology. For example, in the United States, over 10,000 depository institutions are connected electronically to the 12 Federal Reserve Banks for electronic processing of payments. Given the large volume of payment transactions and the specialized business requirements to be supported, the computers used to process payment transactions at the Federal Reserve Banks are large and require a special support infrastructure.
Support Infrastructure
The support infrastructure consists of the primary and backup systems that provide electrical power, air conditioning, raised flooring that allows access to areas beneath the computer devices, space for electric and signal carrying cables, and a passageway for the circulation of cooled air. In addition, the infrastructure should provide monitoring devices to sense water leakage, heat, smoke, and failures in the electrical or air conditioning equipment. Physical security of the computer processing area is another important aspect.
Large-scale computers used to operate payment systems require greater amounts of electrical power and generate far more heat than does the equipment normally housed in an office environment. The design of the computer room must provide the appropriate support systems to address both of these conditions. In addition to supplying the proper power and water, all of the infrastructure components must be connected to safe and reliable power and water sources. Additionally, the computer equipment has to be interconnected through complex cabling and switching equipment so that signals can pass from one device to another. The interconnected grid should provide primary and backup paths to alternate devices that can be readily substituted in case of equipment malfunctions.
Raised flooring is needed to meet these requirements. The raised flooring provides space for the complex network of interconnected cables, air and water supply lines, and acts as a chamber for the circulation of cool air.
The temperature and humidity within and around the computer equipment must be maintained within certain tolerances. The computer room is air-conditioned to provide these conditions. Cooling towers and chillers are required to ensure that the water required by the air-conditioning system is sufficiently cold.
Air blowers are typically placed near the computer equipment and pump air beneath the raised floor. Fans installed in the computer equipment circulate this chilled air through the devices to keep the components that generate heat at their appropriate operating temperature. Some very large computers rely on the circulation of chilled water around the heat-generating components within the processor itself.
All components of the infrastructure must be integrated, monitored, and protected. Sensors should test for changes in voltage, water leaks, excessive temperature and humidity, smoke, and heat. Monitoring systems should sound an audible alarm when trouble is sensed, and automatic corrective action, wherever possible and prudent, should be built into the system.
The provision of electrical power for this equipment is another area of complexity, since both voltage and amperage must be maintained within certain levels. The electricity that is delivered by most utility companies, which is commonly referred to as “raw street power,” can oscillate outside the limits required to keep the equipment functioning free of error. If extreme fluctuations in voltage or amperage occur, the computer equipment could be damaged. Also, because of disruptions within the power supply system, electrical power may be temporarily severed. To compensate for these potential problems, computer installations rely on uninterruptible power supply (UPS) equipment.
UPS devices compensate for excessive swings in electrical power fluctuations from the street. In addition, if the incoming power is cut completely, UPS devices automatically switch the supply source to batteries. The batteries are installed within the building containing the computer equipment and allow the computers to continue to function unimpaired for a brief period until diesel generators can be started and brought online as a substitute power source. This, in turn, requires that sufficient fuel must be kept available so that the diesel generators can operate for the entire duration of the emergency. Switching gear can automatically change the source of power supply so that the computers continue to operate without interruption.
In summary, the infrastructure should provide a stable, reliable physical environment in which to house the computer equipment. It should also provide systems to sustain this environment during emergencies. Chart 1 illustrates a typical computer room and its physical infrastructure.
Chart 1. Physical Infrastructure of a Computing Facility
Hardware
Many different types of hardware are available, produced by different manufacturers from around the world. Data processing hardware includes the computer processing unit (CPU), which performs the required calculations, and data storage devices to store all the transaction records. These records include, for example, the accounts required by the payment system as well as individual payment instructions. Many different types of storage devices exist, but the most prevalent today are disk and tape devices. Disk drives can supply information to the processor at high speeds, whereas tapes retrieve information at lower speeds. Disks, however, are much more expensive than tapes per unit of data storage.
Other necessary hardware includes video display terminals to monitor what the computer is doing. The computer operators and users can call up information on their terminals about the state of the operation and can also issue instructions to the computers. Printers produce physical output of computer information. The movement of data between the computers, the storage devices, the video display terminals, and the printers needs to be synchronized to ensure that the right data get to the right device at the right time, a task performed by devices known as controllers.
Software
The infrastructure and hardware required for data processing are not specific to payment systems but are required of all large computer installations. What makes payment system computers unique is the functions they perform. The computers are instructed to accomplish a specific task through the use of software. There are two categories of software: environmental software and application software.
Environmental software provides the logic to allow the computer to manage its processing resources and to structure how such resources are used by computer applications. There are five main types of environmental software: (1) operating system; (2) data base management system; (3) telecommunications monitor; (4) data security software; and (5) performance monitoring system. The operating system is responsible for controlling the operation of the computers and the interaction of the computers with other hardware and software. Computers are designed to do numerous millions—sometimes billions—of computations every second. Even small computers are designed to do many things at the same time. Ensuring that all hardware and software work in harmony, that all users are satisfactorily served, and that all tasks are performed correctly are the functions of the operating system.
Data base management software organizes the information stored on disks and tapes in a manner that is convenient for users to access and update. For example, the records representing accounts used to make and receive payments are organized so that they can be quickly located and updated with new data resulting from transactions. Whereas a data base manager provides for the organized storage of information and the rules used for its retrieval, a telecommunications monitor is used to effectively manage the movement of the data between the computer and the users. It is not unusual for thousands of small computers or terminals to be connected to a large computer. The telecommunications monitor ensures that data destined to any of these computers or terminals are delivered to the appropriate destination.
High levels of security and confidentiality are essential in any computer installation, especially one that is used to process payments. Computer security software is used to ensure that only authorized parties can send and receive payments—the software guarantees against tampering with the data. Further, security software ensures that only those who are authorized to access payments data can do so—the software also maintains the confidentiality of the data. There are different types of security and confidentiality software. The first and most basic security software controls access to the system. This type of software examines whether someone wanting to use the computer for a particular function is authorized to do so. Access control software can be set to restrict access by a specific person or a physical terminal. In addition, once access is authorized for people at particular physical terminals, it can be restricted to specific types of data.
An additional security control is message authentication. Using message authentication, each participant in a payment system is given a special code that is applied to payment messages to generate a set of characters. This set of unique characters is appended to each message. By checking this set of characters, the receiver knows that the authorized sender sent the message and that the message was not tampered with during transmission.
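The message authentication check described above, as an added example that is not part of the original chapter. It assumes HMAC-SHA256 as the authentication algorithm (the chapter names none), and the participant identifiers, keys, and message fields are constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys, one per participant (the "special code" in the text).
# Assumption: in practice these are provisioned out of band and kept in
# protected storage, never hard-coded.
PARTICIPANT_KEYS = {
    "BANKAAAA": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "BANKBBBB": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

# Hypothetical payment message layout used only for this example.
FIELDS = ("sender", "receiver", "amount", "currency", "reference")


def canonical_bytes(msg):
    """Serialize the authenticated fields with a 4-byte length prefix each.

    Plain concatenation would let "100" + "0USD" and "1000" + "USD" produce
    the same input; the prefixes pin down every field boundary.
    """
    out = bytearray()
    for name in FIELDS:
        value = str(msg[name]).encode("utf-8")
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)


def attach_mac(msg, key):
    """Sender side: append the authentication characters to the message."""
    tagged = dict(msg)
    tagged["mac"] = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return tagged


def verify(wire, keys=PARTICIPANT_KEYS):
    """Receiver side: recompute the tag with the claimed sender's key."""
    if any(name not in wire for name in FIELDS + ("mac",)):
        return False, "missing fields"
    key = keys.get(wire["sender"])
    if key is None:
        return False, "unknown sender"
    expected = hmac.new(key, canonical_bytes(wire), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), str(wire["mac"]).encode("utf-8")):
        return False, "mac mismatch"
    return True, "ok"


def demo():
    """Run the check over constructed messages and return each verdict."""
    payment = {
        "sender": "BANKAAAA",
        "receiver": "BANKBBBB",
        "amount": "1000000.00",
        "currency": "USD",
        "reference": "TRN-0001",
    }
    wire = attach_mac(payment, PARTICIPANT_KEYS["BANKAAAA"])
    # Amount altered in transit; the appended tag no longer matches.
    tampered = dict(wire, amount="9000000.00")
    # Message claims BANKBBBB as sender but was tagged with another key.
    wrong_key = attach_mac(dict(payment, sender="BANKBBBB"),
                           PARTICIPANT_KEYS["BANKAAAA"])
    return {
        "genuine": verify(wire),
        "tampered": verify(tampered),
        "wrong_key": verify(wrong_key),
        "unknown": verify(dict(wire, sender="BANKZZZZ")),
        "stripped": verify({k: v for k, v in wire.items() if k != "mac"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} {verdict}")
```

The tag authenticates the message but leaves its contents readable in transit.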
An additional security technique, which can be used in conjunction with message authentication, is encryption. Using encryption, payment messages are scrambled before they leave the sending point and are unscrambled when they reach the intended receiving point. In this way, even if someone were to intercept the payment data during transmission, the confidentiality of the data would still be protected.
Another type of environmental software—the performance monitoring software—enables those who run data processing facilities to determine whether the computers are functioning properly. Objective criteria are used to gauge computer performance, such as the number of transactions processed per second, the time needed to process a transaction, and the peak volume that can be supported. Performance monitoring software is used to gauge current performance and to help determine future computing needs by providing the basis for making projections of future growth.
The computer installation described thus far for a payment system is quite similar to installations used for other purposes, such as systems to control space flight missions, manage inventory, or collect statistical data. The exact performance characteristics of the computer facilities used to support these different “businesses” may vary, but the underlying infrastructure is by and large the same. What distinguishes the systems is the application software that gives the computer unique business capabilities. Application software provides the business functions that are being performed and implements the rules governing these functions. The acquisition or development of application software is the most difficult part of managing the technology required for an electronic payment system.
Telecommunications
An electronic payment system is not complete without a telecommunications system by which payment information can be exchanged. Modern electronic payment systems connect terminals, or even computers, at the users’ locations, to the electronic payments computer system. Various types of data communications networks, which vary in size and complexity, can be used to make these connections.
At the most basic level, the public telephone network can be used to provide the physical connection between a user’s terminal and the computer used to process electronic payments. Since the telephone network was designed for voice communications, special devices called modems (modulator/demodulator) are needed to convert the digital information (the ones and zeroes) used by digital computers to analog signals that can be transmitted over a voice telephone network.
The physical connection to the telephone network may require the user to dial a telephone number to connect with the computer system, so-called switched circuits. Alternatively, the connection may be reserved, or dedicated to provide continuous availability, so-called dedicated circuits. Dedicated circuits, which can be leased from the telephone company, offer better control over the network for trouble-shooting and maintenance but are expensive and require individual ports, or connecting points, to the communications equipment that is part of the payment processing system. Switched circuits are a cost-effective alternative to dedicated circuits, and several such circuits can share a single port. Because data can be monitored or tampered with by unauthorized individuals while it is being transmitted, encryption devices are frequently used to encode the data to ensure confidentiality. The telephone circuits and equipment (such as modems and encryptors) used to connect payment system users are referred to as access circuits and access equipment. The configuration of data communications components in a simple network using dedicated circuits is illustrated in Chart 2.
Chart 2. Components of a Simple Communications Network Using Dedicated Circuits
If the number of users located within a given geographical area and connecting to the electronic payment system increases, multiplexer equipment can be added to eliminate the need for an individual communications line for each user. A multiplexer combines the transmission signals from two or more users onto a single, high-speed circuit, to which modems may also need to be connected. At the site of the electronic payments processor, a second multiplexer is required to separate the transmission signals for each user before connection to the computer ports. Thus, although use of a multiplexer reduces circuit costs, it does not reduce use of computer ports. High-speed circuits using multiplexer equipment are often referred to as backbone (or trunk) circuits. Chart 3 illustrates the configuration of a network using multiplexers and a backbone circuit.
Chart 3. Components of a Communications Network Based on a Backbone with Multiplexers
As the number of users and their geographical distribution increase, the need for an even more sophisticated data communications network arises. The next step in design of a communications network is to install strategically located communications nodes. Multiple users within a geographical area are then connected through local access circuits and equipment (an access network) to one of these communications nodes. Adjacent nodes are linked to one or more high-speed trunk circuits and ultimately to the electronic payments computer. These nodes and trunk circuits also form a backbone network.
A sophisticated backbone network based on nodes allows multiple users to share trunk circuits and provides multiple paths over which data can be routed to provide alternatives should a particular circuit fail. The equipment at each node selects the telecommunications path from that node to the ultimate destination that makes the best use of available capacity and routes the data over that path.
Networks that rely on nodes and incorporate multiple paths are referred to as packet networks, because they divide a stream of data into small units, or packets, for transmission across the backbone network. Typically, the computer system requires only one port connection to each communications node, unlike networks based on dedicated circuits or multiplexers, where separate computer ports are required for each user. Packet networks reduce circuit costs as well as computer port costs while providing improved network reliability because of their ability to route data over alternative paths. Chart 4 illustrates the components of a packet network and how these components are connected.
Rules, called network protocols, are required for the operation of a communications network. There is a variety of protocols, some of which are proprietary, such as IBM’s System Network Architecture (SNA), and are used by individual computer manufacturers. Some protocols, however, such as X.25, are consistent with emerging international standards.
The primary international standards organizations are the Consultative Committee for International Telegraph and Telephone (CCITT) and the International Organization for Standardization (ISO). These organizations have defined a broad set of communications standards that address various types of communications systems, including electronic mail, file transfer, and transaction processing, any of which might be used for different payment applications. In any event, the participants in an electronic payment system must follow the same protocols in sending data between terminals and computers over a network. If different protocols are used, translation devices called protocol converters are required to ensure that the integrity of the data is maintained while traveling over the network.
The most widely used form of packet network today is based on the international CCITT X.25 standard. Proprietary packet networks based on the IBM communications architecture, SNA, are also in wide use. Other, newer, packet technologies that support much higher transmission speeds are now emerging.
A packet network can be either private or public. In a private packet network, the payment system provider owns and operates the network. Installing a private network is expensive and requires a great deal of technical skill to implement. The benefits of a private network include good security and guaranteed throughput capacity, since other organizations are not permitted access to and use of the network. In a public packet network, the payment system provider will lease capacity from a public network vendor over facilities that may be shared with a number of other users. Initial costs are lower and the vendor has responsibility for operating the network and providing the necessary technical skills. However, security may be weakened and throughput capacity may be adversely affected by other users.
Three different types of trunk circuits are used in communications networks: terrestrial, microwave, and satellite. Terrestrial circuits, or ground lines, are usually leased from specialized providers of telecommunications services and take the form of traditional copper wires or fiber-optic lines. Microwave circuits rely on ground relay stations whose range is limited to a maximum 15-mile line-of-sight distance, so that a series of relay stations is needed to cover longer distances. Weather conditions can also adversely affect the quality of microwave signals. Satellite circuits are typically used for long-distance transmissions. Because of the distances involved, propagation delays of about one-fourth of a second result, which require the use of special protocols that adjust signals for the delay. Most modern protocols, including X.25 and SNA, are designed for use with satellite telecommunications.
Four key factors must be carefully considered in the design and implementation of a communications network to support an electronic payment system. First, the quantity of data traffic must be determined and the network properly sized to support peak transmission volumes. Insufficient capacity will result in less than satisfactory delivery and response times for the users.
Second, fallback plans and procedures must be in place to provide backup for circuit and equipment failures and these plans should be exercised regularly. It is common to use switched circuits provided by the public telephone network as the backup communications path for networks based on dedicated circuits. If terrestrial circuits are used, redundant and diversely routed ground cables are also recommended. Spare equipment, such as modems and encryptors, should also be readily available. In a packet network, the communications nodes should include redundancy so that the failure of any single component does not disrupt the operation of the entire node.
Third, the communications network must be flexible enough to accommodate changes that will occur as a result of volume growth, an expanded user community, and the introduction of new payment services. Once in place, it is very difficult to modify the design of a network. It is therefore essential that future needs be anticipated in the initial network design. Finally, a communications network must be carefully and continuously managed to ensure proper operations, prevent problems, and diagnose and resolve problems quickly should they occur. Network management is a highly technical discipline that is essential to the effective operation of the electronic payment system.
Capacity Management
Capacity management is the discipline for ensuring that adequate data processing resources are available to meet performance requirements for payment system applications. The primary function of capacity management is to exploit efficiently the capabilities of the computer hardware, software, and telecommunications utility to meet the requirements of the user community. The capacity management process can be divided into two major subsets: performance tuning and capacity planning.
Performance tuning involves maximizing overall performance of current operations through fine-tuning of the individual hardware and software components of the processing complex. Such tuning is usually necessary in response to performance problems arising from unforeseen changes in the nature of the workload.
Capacity planning is a complex, iterative process, which anticipates and accounts for changes in business demand and available automation technologies to configure systems to meet future requirements. The purpose of capacity planning is to ensure that adequate automation resources are available to process a given workload and to provide the user with an adequate level of performance both in the current environment and for the foreseeable future. The capacity planner uses mathematical tools to determine the rate of resource consumption and to predict the anticipated effects of future business requirements on that consumption rate.
The result of proper capacity planning is that an appropriate amount of automation resources will be available to support the daily processing requirements of the business, with just enough excess processing capability to handle seasonal and unanticipated peaks in demand. Too little capacity means that the performance of the system will be inadequate. Too much capacity, on the other hand, is a waste of money.
There is a longer-term dimension to capacity planning, whereby work is done with the users and the applications developers to project the future automation requirements of the organization. By mapping anticipated future demand against currently available resources, potential performance bottlenecks and/or degradation points can be identified. Using modeling techniques, capacity planners try to determine the optimal mix of additional resources and/or new technologies that will most efficiently meet the changing workload demand curve.
An effective capacity planning program provides management with the necessary lead-time to plan adequately for the future and to make rational, economical investment choices from the alternative solutions developed by the planners. As such, capacity planning should be considered an integral part of any organization’s strategic business planning efforts.
Managing Automation Resources
The data processing and data communications infrastructure described above must be managed if it is to perform up to expectations over time. Continuity of operations is a major management objective in data processing and data communications operations. The computers, communications, and related systems used to process payments need to work all the time, not only when things go right but also when the systems are subjected to stress, even in cases where certain components of the infrastructure fail. No systems are absolutely fail-safe. Equipment malfunctions and people make mistakes; mechanisms must be in place to compensate for problems when they do occur, and to fix them quickly.
Careful management must start with application development. Along these lines, development of any system must adhere to the principle that one can only program what one understands. Those responsible for the payment system must have a solid, practical understanding of the day-to-day business combined with a long-range vision of how the payment system operates. This understanding and vision need to be described clearly and in sufficient detail so that those who are proficient in technology can produce a conceptual design describing how the processing system will work and how it will appear in business terms to its users. This conceptual design is then used as a base for the software developers to develop and implement the system.
A strong project management team must be headed by a master architect. This master architect must know both the payments business and technology. He or she must be a capable manager who is able to deal with all levels and types of people, including vendors and suppliers.
In developing a new system, it is important to avoid grand schemes that make the system unduly large and complex. Developing too grandiose a system is a pitfall that can result from sincere attempts to satisfy every constituency at the initial implementation. This “all or nothing” approach most often results in the latter—failure to implement successfully any system at all. Many examples exist of development projects that have been canceled after large sums of money have been spent. Employing a gradual approach to system development, relying on prototypes, and limiting introduction of the system to a small number of users and then gradually enlarging the number served enhances the chances of success.
Developing a new process for payment systems may take time, as there are no shortcuts. All involved should have realistic expectations, and having the right focus and management team is all important.
To ensure that technical operations perform flawlessly, the initial implementation of new systems must undergo vigorous testing and certification. Once the testing is completed and a system is in production, all subsequent changes to the technical platform must be rigorously controlled to ensure that the proposed changes do not adversely affect the proper functioning of the system. Careful management will help ensure that initial certification and control over subsequent systems changes are properly carried out.
All components of the computer environment are dynamic by nature. Each day modifications in some form are introduced into production environments. Such modifications arise from changes in business functions and/or changes in technology. As a result, it is necessary to establish and delineate a controlled process, including both policies and procedures, by which changes are introduced to transform the sound, steady-state production environment into a “new” production environment that is equally or more reliable.
Changes to production systems should undergo demanding quality assurance testing. Test conditions must replicate the production environment as closely as possible, and tests should be conducted at both the technical and business levels. Functional testing of business requirements within application systems should be the responsibility of the user community while testing of environmental software and hardware changes should be done by automation technicians.
When changes are made to environmental software or hardware, testing of the application software should also be conducted to ensure that the interaction between the environmental and application components continues to function properly. Test scripts must be developed that cover all possible potential problems. Adequate testing and strict change control procedures are essential for high-availability systems, such as those used to process electronic payments. Indeed, the cause of most systems failures is poorly controlled change, followed by human error, and finally faults in the software, hardware, and infrastructure.
One method for ensuring high availability is to automate as much of the operation of the computer system as possible. Many of the routine steps in starting and operating the computer system are repetitive. These steps and the logic for decision making within the sequence can be programmed in advance. Once tested to ensure that the instructions perform the operations that they are intended to accomplish, the sequence can be initiated by a computer operator and from that point the software takes over, replacing the manual actions formerly performed by the computer operators. Automated operation greatly reduces the risk of human error and improves the total reliability of the system.
Redundancy in computer systems is another method to ensure high availability. Redundancy or “backup” can be established for any element of the system whose individual failure would cause the entire system to fail. Such backup includes, but is not limited to, power supply, water supply, computers and peripheral devices, and data bases. In some cases, separate, redundant physical facilities housing a backup computer system may be deemed necessary to provide the required degree of assurance for uninterrupted service.
Whatever the extent of redundancy, backup systems must be periodically tested so that they are in an immediate state of readiness if they are needed in an emergency. Such tests should approximate the true production environment as closely as possible. In some installations, actual production is periodically alternated between the primary and backup systems so that the distinction between the two systems depends simply on which system is operating at a point in time.
Invariably, regardless of the redundancy of systems, problems will occur that will threaten or actually interrupt the continuity of computer service. It is essential that a methodology for problem management be established whereby each problem is recorded and analyzed in detail, to ensure that resolution is completed and changes have been made to prevent the problem from recurring.
Hardware problems, when they do occur, require the availability of trained personnel who have the skill to fix equipment malfunctions quickly. However, the most difficult problems to fix are problems occurring within the environmental or application software. The people who are most capable of fixing software problems are the ones who actually developed the software. The developers know best how the software works and they can more easily diagnose and fix problems than can people who did not take part in the development. Therefore, access to software developers must be available at all times.
Critical payment systems must operate well for nearly 100 percent of the scheduled operating hours, especially during times of financial crisis. Operational problems cannot be allowed to compound credit or liquidity problems in the marketplace. Confidence lost as a result of operational problems, or for other reasons, can be difficult to regain.
Operational problems can arise from many sources, as two real-life examples will illustrate. In November 1985, a major clearing bank for U.S. Government securities experienced an application software problem that prevented it from sending securities and receiving payment in return. By the end of the business day, the institution had amassed a net liability of about $23 billion as a result of its securities clearing problem. The Federal Reserve, in its role as lender of last resort, was obliged to step in and provide funds so that the institution could cover its position. Although the integrity of the payment system was maintained, a costly lesson was learned—a seemingly small application software problem resulted in a major disruption to an important financial market and resort to the Federal Reserve’s discount window, costing approximately $5 million in interest charges.
During August 1990, a major power failure in lower Manhattan left much of the New York financial district without electrical power for up to a week. Fortunately, owing to recognition in the United States in recent years of the need for improved computer backup, the financial community as a whole coped with this problem extremely well. Although many financial institutions had to relocate their computer operations to backup sites, payment system services were generally maintained throughout the crisis. In many ways, this incident served as a “rite of passage” for many institutions, which had developed detailed contingency plans and practiced them repeatedly over the years. Before the power outage, some financial market participants had even begun to question whether the expenses involved in maintaining elaborate backup systems were cost effective. The August 1990 power failure served as a dramatic reminder to all parties why costly and time-consuming backup systems and contingency plans are a worthwhile investment.
Procurement
Procurement is a crucial aspect of the management and operation of payment system technologies for at least two reasons. First, with so many vendors and different types of solutions available, it is important to pick the one that will best meet the business requirements at hand. Second, investment in these technologies can involve very large amounts of money. A well-organized and competitive bidding process will help ensure that the maximum value is returned for the investment.
There are three basic approaches to acquiring and operating systems used for payment processing. These are:
(1) “In-house” development of systems and operation of equipment to support the systems.
(2) Contracting with specialized firms to develop application software, keeping operation of the system “in-house” after development has been completed—commonly referred to as the turnkey approach.
(3) Contracting with others, such as specialized firms or associations of financial institutions, to develop and operate the system. This approach is referred to as outsourcing.
Several risk issues must be addressed as part of the technology procurement process, and the way they are managed will help determine whether the system should be managed in-house or contracted out to a third party. An early decision that must be made in each particular situation is to determine the proper balance between internal and external development and operation of the system, taking into account business and policy objectives (especially reliability and availability requirements), cost-effectiveness, and the desired level of direct control over risk factors.
There is significant risk in the development process itself. If an outside organization is relied upon for development, does the organization selected have the technical experience, people, and financial resources to live up to its commitments? Can it deliver the product as contracted for, on time, at the negotiated price, demonstrating all of the specified functionality and performance requirements?
Once a system has been developed, tested, and implemented, operational risk must be controlled. Operational risk is defined here as the risk that the system can—and usually will—break down for reasons ranging from software glitches to hardware or infrastructure failures to acts of God. The resources required for rapid problem resolution must be available quickly, whether development is in-house or contracted out to a third party. The system’s performance over time is another risk factor, as new program code is often grafted on to the original system to provide added functionality or, perhaps, the volume of transactions increases beyond the capacity limits of the system as originally designed.
Operational risk is increased if a third party service bureau is relied upon to run the payment system operation. In this case, by definition, the owner of the system thus places itself at arm’s length from the operation and must rely upon the service bureau management’s assurances that the system will be operated and supported conscientiously by technically qualified personnel on appropriately configured equipment. In this situation, the owner must have a great deal of trust in the service bureau, regardless of how many protective clauses are included in the service agreement. In many, if not most, cases of severe operational failure, the business costs will be too severe to overcome by the time contract remedies can be invoked, and a cash rebate is scant comfort if the payment processing business is severely damaged. Therefore, it is generally recommended that “mission-critical” lines of business—and payment systems usually fall into this category—avoid reliance on service bureaus.
Another critical risk that must be guarded against is fraud. It is absolutely necessary in any payment system to ensure that only properly authorized transactions will be processed. If a fraud is successfully perpetrated using a given payment system, the owner of that system will face not only the immediate monetary loss from the fraudulent transaction(s), but also a loss of business confidence engendered by questions about the integrity of the system.
Fraud can result from not demanding that adequate access controls and quality/integrity checks be designed into the system. Further, the insertion into the system of “trap doors” and “trojan horses” by those responsible for writing the programs must be zealously guarded against. This is even more difficult to control if there is a contract with an outside organization for programming and design services, since the owner is not in a position to supervise closely the work being done or to ensure that adequate checks are included in the design process.
Most consulting and programming organizations will refuse to turn over the source code for the programs they produce. This makes it all the more important to ensure that a verifiable source code escrow clause is part of the contract entered into with any outside organization for programming services. This clause should provide for access to the source code in the event of an emergency. It has the essential added benefit of making the code available to the payment system owner if the contracting company goes out of business or refuses to provide support services according to the terms of the contract.
Examples of the three approaches to procurement of application software and operating services exist today in developed economies, although in-house development and operation are common for large-value transfer systems. For example, in the United States, the Federal Reserve has developed and operates Fedwire. Similarly, the New York Clearing House has developed and operates CHIPS, while in the United Kingdom CHAPS was developed and is operated by an association of large banks. In Switzerland, SIC was developed and is operated by Telekurs.
Bank participants in electronic payment systems, including large-value transfer systems, often obtain their application software from third party vendors, but operate the system in-house. For example, it is common for banks in the United States, including institutions that have high volumes and values of transfers, to purchase the application software they use to process Fedwire and CHIPS payments from specialized software development houses. Most banks, however, operate the software in-house.
With regard to the acquisition of data processing hardware, a formal request for proposals (RFP) approach is recommended. Many vendors are capable of delivering and supporting the technologies employed by payment systems, so a variety of choice is generally not a problem. Organizing the procurement process so that decisions are made with impartiality and vendors are encouraged to compete with each other on the basis of price and performance makes it easier to arrive at an optimal acquisition decision, especially in an environment where there is large variety.
One of the keys to a successful procurement is to establish clear evaluation and selection criteria—cost is only one criterion, and possibly not even the most important—and to include the criteria in the RFP document. This establishes a level playing field for all bidders and generates vendor confidence in the impartiality of the procurement process. An open, arm’s-length, competitive procurement is a primary ingredient in ensuring an acquisition that meets the organization’s needs and maximizes the potential return on investment.
One exception to the recommended use of the RFP approach to procurement is in the acquisition of application software. Although an RFP can be developed for application software acquisitions, acquiring application software is much more complicated than acquiring hardware. There are additional pitfalls in procuring application software. The functional and performance specifications for software are complex subjects, easily prone to misinterpretation. The organization must, for all practical purposes, complete the detailed design specifications for the application software and issue these specifications as part of the RFP. And, if the intended acquisition is for an existing software package rather than completely new programming, the amount of customization that will be necessary to adapt the package to meet the organization’s requirements must be analyzed. Such activities are difficult to accomplish under the strictures of the RFP process.
Conclusions
The development, operation, and modification of payment systems technology is a complex technological challenge that requires careful management. Large sums of money are involved in the technical system and the safe and reliable operation of the system helps promote confidence in the payment process. Because of the expense involved, the technology underlying payment systems must be managed efficiently. Establishing and following an arm’s-length, businesslike relationship with vendors is an important part of efficient management. Nonetheless, because of the critical role played by the data processing infrastructure, it is also important not to skimp on the system that is put into place. In particular, payment system managers should be willing to invest in the backup systems that can keep the payment system in operation even in the event of the failure of a major component of the primary production system.
Responsibility for the operation of the data processing infrastructure, especially for large-value transfer systems, is generally exercised by the owner of the system. The major systems in the world also tend to develop their own application software. Banks connected to these payment systems also tend to take responsibility for day-to-day operations but often procure their application software from specialized software houses. Careful procedures can help ensure the integrity of the systems that are procured from third parties.
Perhaps the single most important aspect to the successful operation of a payment system is the quality of the dialogue and partnership between the business users of the system and the technology managers. Each has a unique contribution to make, during all phases, including design, operation, and systems modification.