"Offensive" and "defensive" DX that support everyday infrastructure: a person in charge who knows the field in Kansai talks about the "pitfalls" of payment slip digitization and security
Key points of this article
- Digitize payment slips with minimal system modifications. "Offensive" cost reduction realized by using SMS
- Security measures are an investment in business survival. Preventing information leakage and loss of trust with vulnerability diagnosis
- Not just a payment processing company. Accompanying infrastructure companies in DX with individual development capabilities and on-site knowledge
Social infrastructure (utilities) such as electricity, gas, and telecommunications are currently facing the challenges of "rising costs" and "cybersecurity".
Yugo Kihei, who supports infrastructure operators in the Kansai region at GMO Payment Gateway (hereinafter referred to as GMO-PG), says, "DX in this industry cannot be solved by simply introducing tools." He has his sights on "offensive DX," which ranges from going paperless to providing systems even though GMO-PG is a payment processing company (PSP), and on "defensive DX" to avoid security incidents. A person in charge who knows the front line of the field talks about the future strategy unique to infrastructure companies.
The reality of the Kansai utility industry and the "huge wall"
The anguish of the field that supports the living infrastructure
"I am in charge of operators in the so-called social infrastructure and utilities area, mainly major power, gas, and telecommunications companies in the Kansai area."
Since joining the company, Kihei has consistently engaged in supporting merchants in the western Japan area, utilizing his previous experience. Currently, he belongs to the Public Interest and Public Sales Department, where he spends his days facing the challenges of infrastructure companies in the Kansai region.
What he is confronting is not just a "payment system implementation" level story. "The challenges that utility businesses are facing now are very complex. One is to break away from the 'paper' culture such as convenience store payment slips. The other is the constraints of a huge core system that has been in operation for many years."
GMO-PG Yugo Kihei
The Curse of a Giant Legacy System
Infrastructure companies such as electricity and gas are characterized by a long history of continuing their business for decades. Therefore, in most cases, customer management and billing are handled by so-called host systems running on general-purpose machines (mainframes).
"If you want to introduce a new payment method, such as smartphone-based payment or credit card payments, you usually have to retrofit this host system, but this system is too huge and complex. Even a little tweaking can incur huge development costs and take several years. This is the biggest reason why many businesses are unable to embark on all-round DX."
Furthermore, as an industry-specific situation, the power industry is subject to a major institutional requirement: the physical separation of systems that follows from the separation of power generation and transmission. Companies are scrambling to complete this initiative, which strictly separates the systems of the power generation, transmission and distribution sector from the retail sector.
"First of all, we must continue to use the current host system until this system is renewed, but we cannot wait to reduce current costs and improve customer convenience through DX. How to solve this dilemma? That's my mission."
[Offensive DX] A reversal of thinking: eliminating "paper" without touching the system
The "convenience store payment slip" payment model has reached its limit
Why is there so much call for "paperlessness" now? Behind this is an urgent cost problem. "Until now, utility charges have been paid with 'convenience store payment slips' delivered to your home, but in addition to the recent increase in postage rates, convenience store collection agency fees have also soared. For businesses, the cost structure of printing paper, mailing it, and paying a payment fee is reaching its limit."
In addition, credit card companies are raising their fees. Card payment fees (IRFs) for the power and gas industry have been kept low until now, but the wave of price increases is reaching them as well.
"The only way to reduce costs is to direct customers to account transfer, which has lower fees, or to eliminate paper invoices and move to online payment. Therefore, we are proposing an approach of 'realizing DX without touching the system.'"
GMO-PG's unique weapon "individual development"
Here, Kihei emphasizes "system development", which is one of the strengths of GMO-PG. The reality is that a typical payment processing company (PSP) often offers only its own payment tools. GMO-PG, however, can develop systems to fit the customer's system environment.
"We have the advantage of not only providing PG Multi-Payment Service, a payment service that is used in a wide range of industries, but also being able to develop systems individually. Specifically, for major utility providers such as electricity, gas, and telecommunications, GMO-PG develops and provides systems according to the system interfaces of each utility company, rather than having them match the system interfaces of a general payment processing company (PSP). Through these proposals, we are able to meet the needs of business operators while reducing the cost of system repairs."
We are also working on a mechanism to handle, on the GMO-PG side, processing that would otherwise have had to be built into the host system.
"Deliver and pay" experience realized by using SMS
One specific solution that leverages PG Multi-Payment Service is paperless payment powered by SMS.
"In many cases, paper payment slips did not arrive because of missed address change notifications, which caused the hassle of resending them and inquiries to the call center."
The mechanism is simple. Tap the SMS link sent by the business to open the payment screen on the spot. You don't have to go to a convenience store, and you can complete your payment with a smartphone-based payment such as PayPay or a credit card from the comfort of your home.
"This allows businesses to reduce mailing costs and call center labor costs, and frees end users from the hassle of payment."
[Defensive DX] Security as an investment that does not end with cost
The accident happened "one week later"
As DX progresses and the point of contact with customers becomes digital, security issues are unavoidable. Kihei has an unforgettable memory from the past.
"A few years ago, when I was in charge of a company, I felt that there was a security risk on the company's e-commerce site, so I strongly suggested a vulnerability diagnosis (security diagnosis). The person in charge understood the importance, but in the end, the introduction was postponed because of 'busy work right now' or 'because there are not enough resources.'"
It happened just one week after the business negotiations had ended with "I'll consider it again."
"The site was attacked from the outside, and malware was planted inside, resulting in a major accident in which personal information and credit card information were leaked."
Trust collapses in an instant
It is said that the devastation that followed was indescribable. The e-commerce site was immediately closed. The forensic investigation into the cause of the incident cost a great deal of money, apologies had to be made to the parties involved, and above all, the loss of consumer trust led to a sharp decline in the company's sales.
"If only I had said it more strongly at that time. I never want my customers to feel that way again." Kihei looks back on his feelings at that time. This experience has shaped his current style. "Security measures are not a cost, but an investment in business survival." This belief leads him to speak out about risks, even when it is sometimes hard for his customers to hear.
Attackers go beyond the "checklist"
Currently, the use of websites and cloud services is rapidly increasing in the utility industry along with DX. However, there is a gap between companies in their level of security awareness.
"There are many companies that say, 'It's okay because we're entrusting development to major vendors,' or 'We're doing a security checklist,' but attackers go beyond the checklist."
In fact, it is said that there are cases where, after Kihei proposed a diagnosis and experts carried it out, "fatal holes (vulnerabilities)" were found on sites that appeared robust at first glance. One major infrastructure provider successfully identified potential risks by conducting penetration testing (testing that mimics real attackers).
The trap of the "shared responsibility model" lurking in the cloud
In recent years, there has been an increase in attacks that exploit misconfigurations in public cloud environments such as AWS.
"Some companies using the cloud misunderstand that 'the provider protects security because they are using cloud services,' but there is a concept of 'shared responsibility model' in the cloud, and cloud security is shared between the provider and the user. Any discrepancies in the perception of the scope of responsibility when using cloud services can be a security blind spot and lead to vulnerabilities. Measures for the user's scope of responsibility need to be taken on the user's side."
Attackers take advantage of this perception gap. For example, they detect a response unique to AWS and take aim at the site, reasoning, "If AWS is being used here, then there may be a setting omission."
GMO-PG handles not only web application diagnostics, but also multi-layered "protection" solutions, such as configuration diagnostics for these cloud environments (such as AWS diagnostics) and advanced penetration testing by white-hat hackers. "It's too late after something happens, and that's why we don't stop proposing 'protection'," Kihei says.
Toward the future of 2030: a partnership that goes beyond a payment processing company
The teaching of "Don't sell payment"
In the department to which Kihei belongs, there is a teaching: "Don't sell payment." Business operators' problems extend to the areas surrounding payment, and the idea is that you can become a true partner only when you go that far.
What Kihei is currently working on is business improvement that goes beyond the boundaries of payment. "For example, there are cases where handwritten account transfer application forms are still received and manually entered (punched) and registered in the system. We are also proposing a service that takes on this input work itself as BPO (outsourcing) and returns it as data."
Running alongside customers with an eye on the next 10 years
It is said that system integration and physical separation in the power and gas industry will be completed after the late 2020s at the earliest. What Kihei is looking toward is the "future in 10 years".
"Even if you can't overhaul all systems right now, it's important to move steadily from what you can, such as introducing AI in call centers to reduce the number of calls received, automating dunning tasks with SMS payment, or integrating multiple service IDs to create a common ID-like foundation to improve the customer experience (UX). The accumulation of such small DX will eventually lead to major changes."
It takes time for huge infrastructure companies to change. That's why you need a partner who can accompany you from a long-term perspective. "We are looking forward to future system integration and are providing support over a very long-term span. That's the stance of GMO-PG."
For infrastructure operators who are hesitant to face change
"GMO-PG is not just a payment processing company (PSP); we have a deep understanding of the business flow of utility operators, and we have the 'technical capabilities' of system development and the 'knowledge' we have cultivated in many fields," says Kihei.
Although it is a payment processing company (PSP), it can develop systems for each operator, and it actively promotes both offense and defense without missing security updates. This unique position is the key to unraveling the complex challenges of historic infrastructure companies.
"Before you give up on 'I can't do something new because the system is old' or 'I can't find a way to reduce costs,' please consult with us. From system development tailored to each person's needs to the latest security measures. Let's find the 'solution' to make your company's DX a success."
Reducing the cost of "offense" and managing the risk of "defense". GMO-PG's approach of turning these two wheels with the powerful engine of its system development capabilities will be a very effective option for the utility industry in a period of change.
■ Information on related services
You can find out more about the solutions introduced in this article below.
A comprehensive payment platform that allows you to deploy all payment methods, such as credit cards, CVS Payment, and smartphone-based payment, at once.
A service that makes billing operations on payment slips paperless. It can also reduce the cost of renovating the core system while introducing a variety of payment methods.
・GMO-PG Security Solutions
We provide total support to protect the trust of the company, including vulnerability diagnosis, penetration testing, and cloud diagnosis.
・System development and construction support
Development support tailored to individual company requirements, such as building a linkage platform with legacy systems unique to utility operators.
Speaker / Industry Solutions Division, 2nd Sales Department, Public Interest and Public Sales Department, Sales Section 3
Yugo Kihira
After working in the payment finance industry, he joined GMO-PG in 2021. Since then, he has been consistently engaged in supporting merchants in the western Japan area, and is currently in charge of major power, gas, and telecommunications companies in the Kansai region. Emphasizing the "real voices" of the field, he accompanies the DX promotion of the utility industry on both fronts, paperless (offense) and security (defense), based on actual experience.
Service Introduction
PG Multi-Payment Service
PG Multi-Payment Service is a payment platform provided by GMO Payment Gateway, Inc., a payment processing company (PSP, Payment Service Provider). It has been introduced to a wide range of businesses, from startups to small and large companies, regardless of industry or size.
It provides a solid infrastructure that supports a huge payment volume: 163,890 stores, an annual transaction value of 21 trillion yen, and 7.22 billion cases processed (*). In addition, it is fully compliant with the global security standard PCI DSS Ver4.0.1, helping any business to create a secure payment environment.
- Supports one-time payments and subscriptions (subscription and recurring payment)
- Connection methods are available to suit your needs (OpenAPI type, Link type Plus)
- An HDI internationally certified customer support desk provides generous support
*As of the end of September 2025, consolidated figures