What is the secret to hyper growth success for leading neobanks?

Barry Levett

CEO

Anyone taking a close look at some of the larger digital-only neobanks today cannot fail to be impressed by their speed of acquisition of new customers. For example, Nubank has grown from a standing start in just over 10 years to become a global player, with customers in Colombia, Mexico and Brazil. In that time, it has taken strategic stakes in other neobanks to increase exposure to rapidly growing consumer banking markets in Southeast Asia, India and South Africa.

Nubank moved into profitability in 2023, 10 years after launch, recording a net profit of over US$1bn that year. By that stage, it already had over 100m customers! Following this move into colossal profitability, its parent Nu Holdings took a US$150m stake in the South Africa-headquartered neobank Tymebank in December 2024, thereby fast-tracking exposure to the South African and Southeast Asian markets. In a separate deal with Indian banking start-up Jupiter, it gained exposure to the burgeoning Indian banking market. So, less than 12 years after it launched its first credit card offering, Nubank has become the largest fintech bank in Latin America as well as a global player listed on the New York Stock Exchange and valued at over $50bn.

Egg broken up

Compare that with Egg, one of the stars of the first wave of ‘digital banks’ (a ‘Digital Bank 1.0’, if you like). In Egg’s first two years (1998-2000), it signed up just two million customers. Although it briefly moved into profitability during late 2000, it later clocked up large debts during a failed expansion into France. After Egg put on just another million customers over the next six years, Prudential delisted it in 2006, buying back all its shares to exit the LSE. It then sold Egg to Citigroup for just £575m the following year. Citi broke it up, selling off different parts of Egg’s business to Yorkshire Bank and Barclays. So, within 10 years of launch, the brand had all but disappeared from view.

Digital Bank 2.0

What then is the key difference between those Digital Bank 1.0 groundbreakers like Egg, Cahoot (owned by Abbey National), and Smile (owned by Co-op), and the digital-first neobanks (or Digital Bank 2.0 players) that are now sweeping the globe?

It is tempting to see the neobanks as simply being ‘right place, right time’. All the digital infrastructure is finally in place. Nearly everyone has a smartphone now, and fast broadband and Wi-Fi ubiquity definitely helps. Market penetration of mobile banking is almost total for everyone under the age of 60 now. Mobile apps are slick and offer strong cybersecurity and a great customer experience. You can flash your phone at payment terminals to pay instantly via Tap to Pay. Open banking has made connectivity and integration between apps, and moving money around, much easier. Wallets enable multi-currency payments at low cost in the blink of an eye.

Operations key to profitable scaling

All of this is true. However, for me, neobanks’ success today comes down to one core thing: a relentless focus on operational efficiency, and specifically on rapid and efficient onboarding of new customers. How else could Nubank put on 100m customers in 11 years (they reached that important milestone in May 2024)? How else could they claim those customers in several countries and on three different continents, admittedly achieving this by deploying surplus capital intelligently to buy valuable stakes in key regional players?

Client onboarding focus

The key to speed to market and rapid customer acquisition is really slick digital-only onboarding processes. There is a world of difference between the speed and customer experience of being onboarded into a neobank and that of a traditional bank, even today. Interestingly, at the dawn of the new millennium, Egg could not cope with the speed of client acquisition in its early years, and went digital-only for new credit card applications to slow acquisition down, would you believe!

One of the problems the Digital Bank 1.0s had was that they were maintaining vast contact centres to offer telebanking alongside internet-based banking, and mobile banking did not work well until 2010, when the Apple iPhone 4 came out and both the Android 2.2 and iOS 4 mobile operating systems came through.

Fifteen years on, over US$14 trillion worth of transactions were completed via mobile banking apps and e-wallets in 2024 alone; that’s 25 per cent growth just in the last year! If you take the key demographic snapshot of Millennials, born between 1981 and 1996 and aged 29 to 44 years old today, 78 per cent of them use mobile banking as their primary banking method. And many of them are now reaching their optimum earnings levels, so their wallets are getting larger. For Millennials, banking needs to be fast, convenient and mobile-first.

Digital-only processes

No surprise then that most new neobank customers complete their applications for new accounts entirely on their smartphones. It makes sense as that’s where they are doing most of their transacting and banking activity in general once they have their virtual cards on their phones. Many don’t even bother taking the option of ordering a plastic bank card. They may not even have a physical wallet to put it in.

Neobanks have focused from Day One on the quality of their mobile app technology, as well as the operational efficiency and risk analysis which powers it. In our own experience working with Nubank directly, neobanks’ IT systems are so well tuned that they can do near real-time digital-only onboarding.

4 keys to slick client onboarding

There are perhaps four key elements which make for slick digital-only onboarding by leading neobanks today:

1. Ready access to foolproof external databases for checking identity and credit references, as well as running Anti-Money Laundering (AML) and Know Your Customer (KYC) checks.

2. The ability to pause onboarding and pick up later where you left off. Remember that most customers are going through their onboarding on their mobiles, so they may have to take a call, or break off to get off the bus or meet someone.

3. A clear onboarding journey which shows where you are in the process, and what you still need to complete to take delivery of your virtual card.

4. Such is the digital-only focus that receiving a physical credit card is often an optional extra demanding a different and much longer process. So, you can go live with your virtual card and attach it to your Apple Pay or Google Pay account in your iPhone Wallet within the hour, whereas it might take a couple of weeks to receive the good old-fashioned physical card.

Client onboarding is the ultimate moment of truth for a neobank which hasn’t necessarily had the time or resources to build its brand in the traditional way. It’s during this vital journey that customers need to be moved from relatively low, or sometimes zero, trust in the brand to full 100 per cent trust. If the processes are slick and you can get them transacting on their phone within the hour, new customers cannot fail to be impressed. And if they are really impressed, they become advocates for that brand over another neobank vying for the consumer’s attention and wallet share.

Neobanks have built their operations to be fully streamlined from Day One. By contrast, traditional banks have been streamlining and digitising operations for years, yet most are still not as slick as the neobanks in terms of onboarding new customers, or even opening new accounts for existing customers.

The focus for all companies which want to grow fast and profitably should be to build their business around rapid, repeatable and unbreakable operations. This is the lesson that the likes of easyJet, Nando’s, McDonald’s and many other global business success stories of the last 20 years or more have already taught us. Successful neobanks are applying this thinking rapidly and effectively, and transforming the consumer banking world just as fast.

PCI MPoC certification enhances value offerings for Mypinpad’s clients

UPDATE 22 January 2025: We have expanded our PCI MPoC certification to include support for manual PAN entry and Secure Card Reader for PIN (SCRP). These enhancements address key merchant needs by enabling secure manual input of card numbers in scenarios such as damaged cards, remote transactions, or backup processing. Additionally, SCRP offers a robust solution for secure PIN entry via external card readers, ensuring compliance and flexibility for high-value or PIN-required transactions.

At Mypinpad, we remain committed to advancing payment security and delivering trusted, innovative solutions that meet the evolving needs of our customers.

24 May 2024, United Kingdom – Mypinpad, a global innovator in mobile card payments acceptance and identity authentication software solutions, is happy to announce that its isolated Software Development Kit (SDK) has achieved PCI Mobile Payments on COTS (MPoC) Software certification, demonstrating its commitment to providing the highest standards of security and innovation in mobile payments acceptance solutions.

The MPoC certification is awarded by the Payment Card Industry Security Standards Council (PCI SSC) and represents the latest security standard for mobile payments on Commercial-Off-The-Shelf (COTS) devices, such as smartphones and tablets. This certification underscores Mypinpad’s dedication to ensuring that its mobile payment solutions meet the rigorous security requirements necessary to protect cardholder data and transactions in today’s dynamic digital landscape.

“We are thrilled to have received the PCI MPoC Software certification for our isolated SDK which allows our clients to quickly roll out new apps. They can focus on great-looking apps while we take care of the security,” says Barry Levett, CEO at Mypinpad. “This achievement not only validates our ongoing efforts to deliver secure and reliable mobile payment solutions, but to do so in a way that is simple for clients to implement and roll out. Our clients and their customers can now have even greater confidence in the safety and integrity of their mobile transactions.”

Mypinpad’s certified mobile payment solutions offer several benefits to clients:

· An isolated SDK which can be embedded into merchant apps for speed, full brand control and simple implementation

· Elimination of scheme waiver requirements or rollout limitations

· Provision of local and remote attestation and monitoring

· Additional support for Level 3 and MPoC Solution certifications

As a pioneer in mobile payment solutions with a global track record of over 1.6 million merchants, Mypinpad leads the way in innovation, committing to deliver next-generation payments technology that meets the evolving needs of merchants and consumers worldwide.

See our listing on the PCI Security Standards Council website here

Standards must deliver more benefits to the market they serve than they cost to implement, or risk becoming irrelevant

Barry Levett

On the 26th of November 2024, the PCI Security Standards Council (PCI SSC) published Version 1.1 of the PCI Mobile Payments on COTS (MPoC) Standard, designed to support the evolution of mobile payment acceptance solutions. It’s worth taking a closer look at the key changes which Version 1.1 delivers because, from Mypinpad’s perspective at least, it represents some, but not all, of the much-needed rolling back of Version 1.0’s requirements. More work is required to make the next version of MPoC (Version 2.0) strike the right balance of cost and benefit, making it commercially competitive for most industry participants.

There are 10 key changes noted in PCI SSC’s accompanying blog post on the Version 1.1 changes. I’m picking just three of these changes because they illustrate the point I’m trying to make here, in my first blog of 2025:

  1. Removal of Secure Software and Kernel functional validation requirements
  2. Updates to self-testing requirements for MPoC SDK integration
  3. Allowance for FIPS 140-2 L2 HSMs (if implemented in controlled environments)

Some changes, such as item #1, correct excessive scoping, which has become somewhat common. Kernels are handled by other industry standards, so their inclusion in the MPoC scope was a form of overreach that resulted in duplicated work for industry participants.

Other changes, such as #2 and #3, stem from feedback from industry participants explaining the operational and implementation aspects of the requirements. Often, standards are written from the point of view of minimising security risk, without considering the operational and implementation costs.

My view is that, as a key point of principle, the cost of every requirement in every standard needs to be measured against the actual benefit. If the cost of implementing a requirement is higher than the benefit it delivers, it should be removed, pure and simple. Simply put, these elements of MPoC added unnecessary compliance requirements and costs for technology providers which only served to stifle innovation. Ultimately, they cost us (and our competitors) far more than the benefits they brought to the market as a whole.

The PCI SSC (and indeed all standards bodies) needs to remember that, unlike industry regulators, it cannot mandate that its requirements are applied right across the market. If market participants find that requirements cost more to implement than they deliver in benefits to them and to their users, the industry will simply navigate around them.

We have seen this over the last 12 years or more with the proliferation of scheme-specific waivers intended to fix problems with excessive standards requirements, especially those of PCI. Virtually every deployment of SoftPOS was done using scheme waivers rather than under the excessive CPoC standard. PCI is slowly learning, and we hope this learning is not just continuing but accelerating.

Lots of standards body options for software providers

It is also worth remembering that software providers which want to ensure their software is bug-free, highly secure, and yet both highly integrable and scalable have an array of standards bodies to draw on. A quick Google of standards bodies that govern the quality of software writing and development reveals four bodies immediately. There is ISO (International Organization for Standardization), and the IEEE (Institute of Electrical and Electronics Engineers), which provides standards for software engineering practices. Then there is CISQ (Consortium for Information & Software Quality), which provides standards for measuring the quality of software.

There is another set of standards bodies dedicated to building software that is highly secure. Again, ISO has standards for that. There is also the IETF (Internet Engineering Task Force), which develops and promotes voluntary Internet standards, including those related to cybersecurity.

NIST (National Institute of Standards and Technology) offers guidance on managing and reducing cybersecurity risks; and for tech firms proving their in-house IT capabilities, a SecurityScorecard ‘A’ rating is highly coveted. It proves to the outside world that they have strong in-house cybersecurity skills and tight cybersecurity systems to protect the critical data they hold for their clients.

Benefits of ISO 27001 certification

Mypinpad has elected to put itself through ISO 27001 certification. This standard is recognised around the world—well beyond the payments market. It helps us in several ways:

  1. Enhanced Security: ISO 27001 provides a comprehensive framework for managing information security risks, helping software businesses protect sensitive data from cyber threats.
  2. Competitive Advantage: Certification demonstrates a commitment to security, which differentiates our software business from competitors and attracts security-conscious clients.
  3. Regulatory Compliance: It helps ensure compliance with various data protection regulations, reducing the risk of fines and legal issues and speeding up onboarding processes with solution providers.
  4. Improved Processes: Implementing ISO 27001 can streamline and improve information security processes, leading to more efficient operations.
  5. Customer Trust: It builds trust with customers by showing that the business takes security seriously and has robust measures in place.
  6. Market Access: Certification can open up new business opportunities, especially in industries where data security is critical.

We go through standards requirements to show our customers that we make the grade, and ISO 27001 certainly helps in this regard. We find it easier to work with larger players as a result of it. Reaching and penetrating new payment market opportunities becomes easier and quicker.

Standards bodies must be fleet of foot

Rounding back to where this piece started, it is good news that PCI SSC has rolled back some of the more onerous MPoC requirements published just over two years ago in Version 1.0. However, it is also clear that, with so much innovation in the payments space now, they will need to be more ‘fleet of foot’ to keep up, and flexible enough to adjust standards requirements when it is clear that technology players are not applying them or, worse, are looking elsewhere for standards certifications or scheme-specific waivers. All standards bodies must remember that their requirements must deliver more benefit than the cost they pass on to market participants wishing to comply with them.

It is critical for them to listen to the market and have the agility to adjust. Leaving it two years to go to a new version of a key standard does not feel agile enough to me. They need to be constantly reviewing standards take-up. They must listen, then adjust and update their standards requirements and issue new versions much more regularly, much as a software house or SaaS provider does today. Without this iterative approach, it is difficult for them to remain up to date and, ultimately, relevant in a fast-paced market like digital payments.