Instant issuance is emerging as a key element in branch transformation to respond to the on-demand expectations of customers. Financial institutions are discovering that an in-branch instant issuance solution quickly delivers on service and speed, expediting cards into cardholder hands. However, questions often arise when choosing between delivery models.

There are two main categories of instant issuance: Software-as-a-Service (SaaS), where the software is a web-based “cloud” service, and Software for Purchase (SFP), in which the institution owns the server and software. CPI highlights the differences between the two models in this white paper.

Below, I briefly outline how a SaaS instant issuance solution model works.

What is “Software as a Service”?
Software as a Service is a web-based application hosted by a third party and delivered via the internet. “Cloud-based” is an interchangeable term often used to indicate the software is stored in the “cloud” (on a third-party’s servers). Access to the software is gained through an online portal. Common examples of SaaS programs would be internet search engines, social media platforms, and an assortment of online tools, such as banking applications, payroll services, learning systems, service desks, and many others.

A SaaS instant issuance model lets financial institutions use an internet connection to create a card order and print it on a designated printer in the branch. The leading benefit of a SaaS solution, like CPI’s Card@Once®, is that there are no software or servers for the issuer to maintain – the solution provider securely manages it all. Once network settings are established, there is no need for additional IT staff or resources.

What network setup is needed for SaaS instant issuance?
The SaaS provider specifies the network settings that branch printers need to reach its servers and receive remote print commands. Typical network installations can require Dynamic Host Configuration Protocol (DHCP) to ensure each printer has a unique IP address. A reputable instant issuance supplier will provide a set of instructions to access available internet ports, and will assist staff in establishing connectivity.

When a card print is requested, an encrypted message travels via the internet to the remote servers where calculations are performed and a secure print command is then sent out to branch printers.

Who is responsible for the keys?
The SaaS solution provider owns the server and Hardware Security Module (HSM). Key components ship securely from processors to the SaaS vendor and are downloaded by experienced key custodian teams. Keys are stored within facilities that meet all PCI DSS compliance requirements for key control, and the supplier accepts responsibility for the security of the keys and for software updates.

The importance of the responsibilities around cryptographic keys cannot be overemphasized. All financial institutions that offer payment cards arrange for encrypted keys from their processor for their specific Bank Identification Numbers (BINs). Production keys are required for each card print to calculate the correct values that appear on the card (i.e. CVV2 or security code that appears on the back of the card). Cryptographic keys must be correctly loaded and used for each print in order for cards to validate. Having a team of experts from a solution provider to handle the HSM and the keys is a major advantage.

What is a plug-and-play solution?
For banks and credit unions that have limited IT resources, a SaaS solution can be attractive because it offers “plug-and-play” availability. Typically, the term plug-and-play refers to a piece of hardware that can be used immediately upon plugging it in without additional programming.

With Card@Once, software programming is already complete, so printers arrive at the branch ready for an Ethernet connection to access the internet and a plug for an electrical outlet. For security, a specialized security key is preprogrammed to match the printer. The key ships in a separate package and must be used to verify authenticity. Once the verification step is completed, card printing can begin right away.

In contrast, with an SFP setup, the delivery of the dedicated server, HSM and printers is the beginning of the programming process. The financial institution is then responsible for installing the card printing software, securely downloading key components, implementing all network settings and onboarding employees.

In conclusion, it is important to note that the needs of every financial institution are different, and there is no “one-size-fits-all” solution. However, for decision-makers tasked with finding an instant issuance solution that is the best fit, knowing these terms and having a deep understanding of the options can go a long way towards feeling confident about your decision.

To read more about CPI Card Group’s Instant Issuance solution, Card@Once, visit: https://cardatonce.cpicardgroup.com/

Written by:

Rob Dixon is the Card@Once Product Manager at CPI Card Group.