news.cuna.org/articles/114972-instant-issuance-sfp-or-saas
instand issuance

Instant issuance: SFP or SaaS?

Key considerations credit unions face when evaluating these two options.

September 28, 2018

Instant issuance has become a valuable service offering for credit unions as they respond to on-demand member expectations, expedite cards into members’ hands, and capture greater interchange revenue potential.

For credit unions exploring instant issuance, the big question is whether to adopt a Software for Purchase (SFP) or Software as a Service (SaaS) model, says Rob Dixon, Card@Once product manager for CPI Card Group.

He breaks down key considerations credit unions face when evaluating these two options.

CUNA News: What do credit unions need to consider when evaluating an instant issuance solution?

Dixon: To begin, establishing responsibilities around cryptographic keys is crucial. Financial institutions receive encrypted keys from their processor for bank identification numbers (BINs), which are used as each card is printed to calculate payment card values.

For example, the CVV2 on the back of the card and the PIN offset encoded in the magnetic stripe or EMV® chip need keys for calculation. The difference between SFP and SaaS instant issuance as it relates to key management boils down to this: whereas SaaS mainly asks a credit union to train staff on how to print a card, SFP requires that staff are trained in key management and learn how to orchestrate the process, while also taking on the security measures that come with the responsibility.

This is because with an SFP instant issuance solution, an onsite server with hardware security module (HSM) provides keys for calculations.

Credit unions designate employees as key custodians and adhere to compliance requirements around the secure delivery and reception of key components.  Staff is responsible for correctly loading the keys into the HSM.

In contrast, the SaaS instant issuance solution provider handles all key management and related responsibilities, including the secure reception and storage of keys.

When a credit union needs to print a card, an encrypted message is sent via internet to the supplier’s servers, where the necessary calculations are performed before a secure print command is sent out to branch printers. There is no need for housing a server.

CUNA News: How do SFP and SaaS instant issuance solutions differ in employee involvement?

Dixon: Since a credit union is tasked with fully owning and maintaining an SFP instant issuance solution, its implementation requires more involvement from IT staff.

The IT department has direct control over all protocols for setup of the software for users and ongoing support.

This means the true cost of implementation and maintenance must also include the time and internal/external staff resources used by the credit union itself as it adopts SFP instant issuance—unlike a cloud-based SaaS delivery model that only costs as much as the price of the solution.

The SaaS route can offer “plug-and-play” availability by minimizing IT staff resources in both implementation and maintenance. The SaaS provider advises on proper connectivity between branch printers and remote servers and provides ongoing software support.

CUNA News: What if a credit union wants instant issuance in multiple branches?

Dixon: This is where SaaS is major differentiator over SFP. SaaS instant issuance models can be scaled to meet the size and need of the credit union.

Adding multiple branch locations with SaaS becomes a matter of ordering additional printers, rather than recreating the printer/HSM/key management ecosystem of an SFP solution at each branch location.

CUNA News: How quickly could a credit union launch an SFP instant issuance solution vs. SaaS?

Dixon: Every credit union will have a different starting point for implementation. However, it is important to understand that the two solutions approach the timetable differently.

SFP requires much more involvement from the IT department, which can lead to a longer programming and implementation period—one that averages 6 months.

Alternatively, with the provider doing all the heavy lifting, SaaS solutions can be up and running within hours after completing the 10-week implementation period.

Given the nature of SFP packages and the effort required to customize them, implementation begins after the delivery of the purchased hardware with software installation, networking, wiring, and programming.

SaaS solutions, on the other hand, typically complete implementation of the credit union’s settings prior to the shipment of printers to branches, making the instant issuance solution immediately ready for use once the printers are plugged in and connected to the internet.