The benefits of professional SMS systems for banking

Recent developments in professional SMS systems have started to reassure banks and cardholders that the SMS platform can be used for credit card PIN distribution – an important function traditionally entrusted to the postal service, writes Silvio Kutic

As well as being easy to deploy, this new generation of SMS systems can also reduce the time and cost associated with PIN delivery, making it much easier and quicker for customers to get set up with a new account or retrieve a lost PIN. It’s much cheaper for banks too. But, despite these benefits, there are still concerns around the security implications of using SMS for handling sensitive information.

Given the longstanding use of SMS for low-level account activity updates and non-confidential banking messages, it’s easy to see why there are some concerns. Delivering account balance notifications through enterprise SMS systems – which has been done on a global scale for over a decade – is not the same as distributing payment card PINs over that same channel. It’s for this reason that PIN distribution solutions need to comply with additional security standards in order to protect sensitive customer information – and one of the more prominent among them is the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS concerns the prevention, detection and handling of a large number of risks in merchant and vendor systems that receive, store or transmit payment card data. It is a comprehensive international standard, and compliance for larger companies can only be validated by independent assessors. The PCI DSS standard covers a number of system aspects such as access, storage and the permissions hierarchy, and even the recruitment of those who will be authorised to access the relevant hardware and software components.

PCI DSS demands that only a small number of people are allowed access, and a security check is required for employees hired for key technical positions. The distribution process must also be designed in such a way that no one in an SMS vendor’s company can see the message.

Perhaps more importantly, meeting the PCI DSS standard also means that messages cannot be saved or kept in any part of the SMS vendor’s messaging system. This is incredibly important, as it’s easy to see how risk increases in line with the number of sensitive items stored at any point during the process. Even a very small error in the system architecture could pile up data, and if such a system dealing with 20m card numbers and PINs was breached, the potential damage would be huge. PCI DSS removes this concern. Once the storage of sensitive data has been made impossible, the risk associated with transmitting information in this fashion is decreased dramatically.
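As an added illustration (not code from the article or from any vendor’s platform), the “no copy retained anywhere” requirement can be enforced structurally rather than by policy alone: the dispatcher below hands the PIN text to a hypothetical transport stub and keeps only a delivery receipt, shown next to the naive variant whose debug log quietly accumulates PINs; `audit_store` is the kind of check an assessor would run over whatever records the vendor retains. All names and the sample numbers are constructed.

```python
"""Zero-retention PIN dispatch, illustrative only: the transport stub,
the receipt layout and the audit helper are hypothetical."""
import re
import secrets
import string
from dataclasses import dataclass

# A 4-6 digit run standing on its own is treated as a possible card PIN.
PIN_RE = re.compile(r"\b\d{4,6}\b")


@dataclass(frozen=True)
class Receipt:
    """The only thing retained: no message body, no full phone number."""
    message_id: str
    recipient_masked: str
    status: str


def mask_msisdn(msisdn: str) -> str:
    """Keep the last three digits so support staff can still match a complaint."""
    digits = re.sub(r"\D", "", msisdn)
    return "*" * (len(digits) - 3) + digits[-3:]


def send_sms(recipient: str, body: str) -> str:
    # Hypothetical stand-in for the carrier hand-off; returns a status code.
    return "SUBMITTED"


def dispatch_pin_naive(msisdn: str, pin: str, store: list) -> str:
    """Anti-pattern: a 'debug' log that captures the whole message."""
    body = f"Your card PIN is {pin}. Do not share it."
    status = send_sms(msisdn, body)
    store.append(f"{msisdn} {status} {body}")  # the PIN is now persisted
    return status


def dispatch_pin(msisdn: str, pin: str, store: list) -> Receipt:
    """Zero-retention path: the body exists only for the duration of the send."""
    body = f"Your card PIN is {pin}. Do not share it."
    status = send_sms(msisdn, body)
    # Letters only, so the id can never be confused with a PIN by the audit.
    message_id = "".join(secrets.choice(string.ascii_letters) for _ in range(12))
    receipt = Receipt(message_id, mask_msisdn(msisdn), status)
    store.append(receipt)
    return receipt


def audit_store(store: list) -> list:
    """Return every retained record that still carries a PIN-sized digit run."""
    return [record for record in store if PIN_RE.search(str(record))]
```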

Of course, PCI DSS compliance does not and cannot provide an ultimate and unconditional guarantee that data breaches will never occur. However, with its processes and technologies validated against stringent security standards, there is an internationally accepted assurance that the company is not only fully aware and educated about the risks, but has also installed effective systems and measures to mitigate them. PCI DSS has so far been the benchmark for this type of standard, so looking here for guidelines is a logical step for any technical provider building PIN distribution solutions.

Why does all this matter? SMS delivery offers unique advantages – it’s faster (the cardholder doesn’t have to wait 2 weeks for their PIN to arrive), it’s more intrinsically secure as fewer people are involved in the process and, ultimately, the whole thing is easier for both cardholders and banks. The system can also be devised to deliver the PIN on request by SMS, at the most convenient moment for the cardholder, which would be difficult to achieve with the postal service. On top of all that, professional SMS systems demonstrate excellent security features, making this a great option for service quality improvement.