As Cloud E-Commerce Spreads, Risk Becomes Big Business

Cloud-based technology is bringing mobile shopping and payments to more companies, but it also increases risk due to the complexity of how these more open and remote technology tools get used.

Google plans to invest $625 million to acquire Apigee, a company that specializes in managing application programming interface (API) technology, a deal that's expected to close by the end of this year. Developers use APIs to integrate with external apps to drive myriad digital services, such as allowing sellers to embed payments and other merchant services into their mobile apps or websites. And APIs are also being used to enable security, such as device fingerprinting for merchants.

Both Google and Apigee contend APIs are complex, and require users to consider elements well beyond the task they wish to accomplish. The crux of Google and Apigee's collaboration will be managing APIs for e-commerce and other business tasks for payment companies and other verticals.     

"If a company is offering an API for something as sensitive as payments, they have to be able to answer the questions such as who owns the API, run owns the application, and does the company understand all of the risks it is taking," said Greg Brail, the chief architect of Apigee, a company that provides API services.

Brail spoke with PaymentsSource before Google announced its planned acquisition, in an interview focused on Apigee's technology expansion strategy. Google did not return a request for comment, and Apigee's comments on the Google deal were limited to prepared statements Apigee and Google posted online.

"Offering a good API goes well beyond having the company develop and publish a performance specification of the interface. A good API needs to support security, give developers the freedom to work in the development environment of their choice and allow the company to continue to innovate in its service while supporting a stable interface to the apps and services using the API," said Google executive vice president Diane Greene in her prepared statement.

Apigee just finished work on a platform that helps manage API-powered digital commerce. The platform includes ready-to-use APIs, as well as a developer portal and preconfigured proxies that support authentication, shopping cart, marketing and onboarding.

"Companies that decide to use APIs, as opposed to fully outsourcing the user interface and the functionality to the provider, are retaining inherent risks associated with handling, processing and storing personal and payment data," said David Albertazzi, a senior analyst at Aite Group. "So they need to remain compliant with various regulatory mandates [such as PCI, GLBA or HIPAA], depending on the industry."

Typically, large companies with adequate staffing and infrastructure tend to favor APIs as they can deliver a richer, more integrated experience while smaller companies will fully outsource their solutions to providers so that they can displace the compliance costs and push PCI responsibilities to the vendors, Albertazzi said.

For digital payments, the challenge includes tracking data exposure and adhering to PCI rules, Brail said. "A company deploying an API has to take into account stuff like encryption, and what gets logged and when and what happens to data in the system," Brail said.

The security risk can be substantial. Symantec, for example, reports insecure APIs are one of the main security risks that cloud-delivered technology solutions face.

As such, API management is becoming a larger part of payments technology strategy. Technologists at Wipro recommend API management be part of the tokenization solutions that retailers use to protect digital transactions. And CAN Capital's James Mendelsohn reports more than half of merchants require guidance for not just API security, but also desire help with cloud-delivered technology decisions based on consumer shopping and payment preferences.