Fintech Startup, Tech Security: Cost, a Jigsaw Puzzle


Security in a fintech portal is paramount given the sensitive nature of the financial transactions and personal information involved. For small fintech startups, the picture gets complicated because the budget is too limited to put every tool needed to achieve it in place.


Security matters for the following main reasons:

  • Meeting compliance requirements
  • Mitigating financial risks
  • Protecting sensitive information
  • Preventing fraud
  • Business continuity
  • Most importantly, building trust


Key questions a CTO faces:

  • How do we meet the above objectives, i.e., planning?
  • How much can we spend, i.e., cost?
  • What do we prioritize, i.e., priority?



To achieve all the objectives, effective planning is needed. As part of the planning, the following areas need to be addressed:

Encryption: Utilize strong encryption protocols (like TLS) to secure data transmission between the user's device and your servers.

Authentication: Implement multi-factor authentication (MFA) to ensure that only authorized users can access their accounts. 

Data Protection: Employ robust data protection measures, such as encryption at rest, to safeguard sensitive information stored in databases. Additionally, limit access to data on a need-to-know basis and regularly audit access controls.

Secure Development Practices: Follow secure coding practices and conduct regular code reviews to identify and address security vulnerabilities in the application codebase. Secure audit controls need to be enforced as well.

Fraud Detection and Prevention: Implement systems for monitoring user activity and transaction patterns to detect and prevent fraudulent activities.

Compliance: Ensure compliance with relevant regulatory standards and industry best practices, such as PCI-DSS and GDPR.

Secure APIs: If your portal interacts with external systems or third-party services via APIs, ensure these connections are secure and properly authenticated to prevent unauthorized access.

User Education: Educate users about best practices for online security, such as choosing strong passwords, avoiding phishing scams, etc.

Incident Response Plan: Develop and regularly update an incident response plan to respond effectively to security incidents or data breaches. A red team and a green team need to be in place.



Once the planning is in place, the next difficult question is how to put all of this in place within the limited budget that small fintech startups have. There are plenty of tools on the market that provide encryption services, MFA, single sign-on, risk management, etc. But if we purchase all of them, our budget will overshoot. Then what shall we do? That is the next question.



To keep the cost in check, it makes sense to develop some effective in-house solutions to address the basic needs instead of buying an enterprise-ready tool, which at this stage is probably a luxury. For example, do we need a single sign-on tool? Can we implement an MFA solution through SMS/email? Some sales agents and customers don't want to have single sign-on installed to log in and access software. For them, the email/SMS method makes more sense. An SMS/email authentication service can be purchased from a third party at a much lower cost to enable the same functionality.
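To make the SMS/email option concrete, here is an added example in Go (not code from the original post or from TCB Pay) of the server side of such a one-time code flow. It assumes the code is handed to a third-party SMS/email provider for delivery and that the server stores only an HMAC of the code, never the code itself; the in-memory store, the user IDs and the server secret are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	otpDigits      = 6
	otpTTL         = 5 * time.Minute
	otpMaxAttempts = 5
)

// serverSecret keys the HMAC over stored codes. Constructed for this example;
// in a deployment it comes from a secrets manager, never from source code.
var serverSecret = []byte("example-only-server-secret")

// otpRecord is what the server keeps per pending challenge. Only an HMAC of the
// code is stored, so a leaked table does not reveal codes that are still valid.
type otpRecord struct {
	codeMAC   []byte
	expiresAt time.Time
	attempts  int
}

var (
	errNoChallenge = errors.New("no pending challenge")
	errExpired     = errors.New("code expired")
	errLocked      = errors.New("too many attempts, challenge cancelled")
	errMismatch    = errors.New("wrong code")
)

// generateCode draws a uniformly random six-digit code from crypto/rand
// (math/rand is predictable and must not be used here).
func generateCode() (string, error) {
	limit := big.NewInt(1)
	for i := 0; i < otpDigits; i++ {
		limit.Mul(limit, big.NewInt(10))
	}
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", otpDigits, n.Int64()), nil
}

// macCode binds the code to the user so a code issued to one account cannot be
// replayed against another.
func macCode(userID, code string) []byte {
	m := hmac.New(sha256.New, serverSecret)
	m.Write([]byte(userID + ":" + code))
	return m.Sum(nil)
}

// issueChallenge stores a challenge for userID and returns the code to hand to
// the SMS/email provider. The clear code is never persisted.
func issueChallenge(store map[string]*otpRecord, userID string, now time.Time) (string, error) {
	code, err := generateCode()
	if err != nil {
		return "", err
	}
	store[userID] = &otpRecord{codeMAC: macCode(userID, code), expiresAt: now.Add(otpTTL)}
	return code, nil
}

// verifyCode checks a submitted code. A challenge is single use: it is removed
// on success, on expiry and when the attempt limit is exceeded.
func verifyCode(store map[string]*otpRecord, userID, submitted string, now time.Time) error {
	rec, ok := store[userID]
	if !ok {
		return errNoChallenge
	}
	if now.After(rec.expiresAt) {
		delete(store, userID)
		return errExpired
	}
	rec.attempts++
	if rec.attempts > otpMaxAttempts {
		delete(store, userID)
		return errLocked
	}
	// hmac.Equal compares in constant time, so timing does not leak which digits matched.
	if !hmac.Equal(rec.codeMAC, macCode(userID, submitted)) {
		return errMismatch
	}
	delete(store, userID)
	return nil
}

func main() {
	store := map[string]*otpRecord{}
	now := time.Now()
	code, err := issueChallenge(store, "user-42", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("hand to SMS/email provider:", code)
	fmt.Println("correct code:", verifyCode(store, "user-42", code, now))
	fmt.Println("replayed code:", verifyCode(store, "user-42", code, now))
}
```

The inexpensive part of this design is that the delivery channel is only trusted to carry a short-lived, single-use code: the expiry, the attempt cap and the single-use rule are what keep a guessed or intercepted code from being worth much. In production the map becomes a database table with a TTL, and the provider call sits where the code is printed.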


Likewise, the following in-house solutions can be thought through to make sure the above objectives are met while potentially avoiding a large investment in security tools.

Store card data/bank information: Instead of buying a vault service and paying for each API call, can we not have our own internal encryption mechanism that does the job? It can differ between environments. We can strengthen it further by anonymizing the code and making it dynamic.
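The in-house alternative to a paid vault does not have to be a homemade cipher. The following is an added example in Go (not the author's or TCB Pay's code) that keeps the idea of a separate key per environment, so the same record encrypts differently in staging and production, but builds on Go's standard AES-GCM; the key map, the environment names and the test card number are constructed for the example, and a real deployment would load the keys from a KMS or secrets manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// envKeys holds one 256-bit data-encryption key per environment. Generated here
// for the example; a deployment loads them from a KMS or secrets manager and
// never checks them into source control.
var envKeys = map[string][]byte{
	"staging": newKey(),
	"prod":    newKey(),
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(env string) (cipher.AEAD, error) {
	key, ok := envKeys[env]
	if !ok {
		return nil, errors.New("unknown environment: " + env)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCardData encrypts a PAN or bank account string for storage. Stored layout:
// base64(nonce || ciphertext || GCM tag). The environment name is additional
// authenticated data, so a record copied from staging fails to open in prod.
func sealCardData(env, pan string) (string, error) {
	gcm, err := gcmFor(env)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(env))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openCardData reverses sealCardData; any bit flip or environment mismatch
// fails the GCM tag check and returns an error rather than garbage.
func openCardData(env, stored string) (string, error) {
	gcm, err := gcmFor(env)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(env))
	if err != nil {
		return "", errors.New("decryption failed: wrong environment or tampered record")
	}
	return string(pt), nil
}

// maskPAN is what screens and logs show; the clear PAN stays on the payment path.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	pan := "4111111111111111" // constructed test card number
	stored, err := sealCardData("prod", pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB:", stored)
	back, _ := openCardData("prod", stored)
	fmt.Println("opened in prod:", maskPAN(back))
	_, err = openCardData("staging", stored)
	fmt.Println("opened in staging:", err)
}
```

Because the environment name is authenticated data, a staging row pasted into production fails to decrypt instead of silently yielding the wrong value, which is the check to run before trusting the scheme. With random 96-bit nonces, rotate each key well before 2^32 encryptions, and note that whether this is acceptable under PCI DSS in place of a vault depends on how much of your system it puts in scope.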

Secure development practice: It's crucial to make sure a solid development procedure is followed right from development, through deployment, to post-production support. Most vulnerabilities get injected through bad development practices. Some of the things that can be followed are:

  • API (external and internal) authentication should be done through a private key.
  • Minimize open pages; where they are required, protect them from SQL injection and XSS through specific backend coding.
  • Have monitoring set up to detect whether any keys are hard-coded anywhere in the pages.
  • Monitor traffic and, if required, block some incoming traffic using a web application firewall.
  • Peer review is a must after all QA/UAT.
  • Have your own monitoring/alerts set up on important areas of the application, which will help the tech team proactively take care of potential loopholes.
  • Avoid procedural coding; try to use an MVC structure.
  • Make sure the deployment checklist is validated by the tech lead before code gets pushed to prod.
  • Minimal access across the board, and automatic access checks, especially after an employee is terminated.
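Authenticating internal and external APIs "through a private key" usually means request signing: each client holds a secret that never travels on the wire and signs every call, and the server re-computes the signature. The Go code below is an added example (not the author's or TCB Pay's code) showing both the client and the server side; the request shape, key IDs and secrets are constructed for the example. It assumes a per-client shared secret (HMAC); the same structure works with an asymmetric key pair where clients must not share a secret with the server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// signedRequest is the shape both sides agree on (constructed for this example;
// over HTTP the fields would travel as headers and the body as the request body).
type signedRequest struct {
	KeyID     string // which client secret to use; the secret itself never travels
	Method    string
	Path      string
	Timestamp int64  // unix seconds, bounds the replay window
	Nonce     string // unique per request, rejected if seen again
	Body      string
	Signature string // hex HMAC-SHA256 over canonical()
}

const maxClockSkew = 5 * time.Minute

// canonical is the exact string that gets signed. Hashing the body keeps it
// short while still binding every payload byte.
func canonical(r *signedRequest) string {
	bodyHash := sha256.Sum256([]byte(r.Body))
	return fmt.Sprintf("%s\n%s\n%s\n%d\n%s\n%x",
		r.KeyID, r.Method, r.Path, r.Timestamp, r.Nonce, bodyHash)
}

func sign(secret []byte, r *signedRequest) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(canonical(r)))
	return hex.EncodeToString(m.Sum(nil))
}

// clientSign is the caller's side: build the request, then attach the signature.
func clientSign(keyID string, secret []byte, method, path, body, nonce string, now time.Time) *signedRequest {
	r := &signedRequest{KeyID: keyID, Method: method, Path: path,
		Timestamp: now.Unix(), Nonce: nonce, Body: body}
	r.Signature = sign(secret, r)
	return r
}

// apiServer is the receiving side.
type apiServer struct {
	secrets    map[string][]byte // keyID -> secret, from a secrets store in practice
	seenNonces map[string]int64  // nonce -> timestamp; prune entries older than maxClockSkew
}

var (
	errUnknownKey = errors.New("unknown key id")
	errStale      = errors.New("timestamp outside allowed window")
	errReplay     = errors.New("nonce already used")
	errBadSig     = errors.New("signature mismatch")
)

func (s *apiServer) verify(r *signedRequest, now time.Time) error {
	secret, ok := s.secrets[r.KeyID]
	if !ok {
		return errUnknownKey
	}
	age := now.Sub(time.Unix(r.Timestamp, 0))
	if age > maxClockSkew || age < -maxClockSkew {
		return errStale
	}
	// Verify before touching the nonce cache so unsigned junk cannot fill it.
	// hmac.Equal is constant time; a plain == would leak the matching prefix length.
	if !hmac.Equal([]byte(r.Signature), []byte(sign(secret, r))) {
		return errBadSig
	}
	if _, seen := s.seenNonces[r.Nonce]; seen {
		return errReplay
	}
	s.seenNonces[r.Nonce] = r.Timestamp
	return nil
}

func main() {
	secret := []byte("example-only-client-secret") // constructed; issued out of band
	srv := &apiServer{secrets: map[string][]byte{"merchant-7": secret},
		seenNonces: map[string]int64{}}
	now := time.Now()
	req := clientSign("merchant-7", secret, "POST", "/v1/payouts",
		`{"amount":1000,"currency":"USD"}`, "n-1", now)
	fmt.Println("first delivery:", srv.verify(req, now))
	fmt.Println("replayed:      ", srv.verify(req, now))
}
```

The timestamp window and the nonce cache together are what turn a signature into authentication of a specific call rather than of a client in general: a captured request cannot be re-sent later, and a request with a changed body or path no longer matches its signature.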

Email: Make sure DMARC, DKIM, and SPF records are set for email and don't leave them open, so that email authentication is taken care of.
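"Don't leave them open" can be checked rather than assumed. The Go code below is an added example (not from the original post or TCB Pay) that evaluates published SPF, DMARC and DKIM TXT records and lists what still lets spoofed mail through: a soft-fail or neutral SPF ending, an SPF record over the 10-lookup limit, a monitor-only DMARC policy, a missing report address, or a revoked DKIM key. The records are constructed strings; a real check would fetch them with net.LookupTXT.

```go
package main

import (
	"fmt"
	"strings"
)

// parseTags splits a "k=v; k=v" record (DMARC and DKIM share this syntax).
func parseTags(record string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// needsLookup reports whether an SPF term costs one of the 10 DNS lookups
// allowed by RFC 7208; exceeding the limit makes the whole record a permerror.
func needsLookup(term string) bool {
	switch {
	case term == "a", term == "mx",
		strings.HasPrefix(term, "a:"), strings.HasPrefix(term, "mx:"),
		strings.HasPrefix(term, "include:"), strings.HasPrefix(term, "exists:"),
		strings.HasPrefix(term, "redirect="):
		return true
	}
	return false
}

// spfFindings returns the ways an SPF record leaves the domain open. An empty
// result means the record is well formed and rejects unlisted senders.
func spfFindings(record string) []string {
	fields := strings.Fields(record)
	if len(fields) == 0 || strings.ToLower(fields[0]) != "v=spf1" {
		return []string{"not an SPF record (must start with v=spf1)"}
	}
	var out []string
	last := strings.ToLower(fields[len(fields)-1])
	switch {
	case last == "-all", strings.HasPrefix(last, "redirect="):
		// hard fail, or policy delegated to another domain: closed
	case last == "~all":
		out = append(out, "ends with ~all: spoofed mail is soft-failed (tagged), not rejected")
	case last == "?all", last == "+all", last == "all":
		out = append(out, "ends with "+last+": record is open, any host may send as this domain")
	default:
		out = append(out, "no terminal 'all' mechanism: unlisted senders get a neutral result")
	}
	lookups := 0
	for _, f := range fields[1:] {
		if needsLookup(strings.ToLower(strings.TrimLeft(f, "+-~?"))) {
			lookups++
		}
	}
	if lookups > 10 {
		out = append(out, fmt.Sprintf("%d DNS lookups exceeds the limit of 10: receivers return permerror", lookups))
	}
	return out
}

// dmarcFindings flags policies that only monitor instead of enforcing.
func dmarcFindings(record string) []string {
	tags := parseTags(record)
	if tags["v"] != "DMARC1" {
		return []string{"not a DMARC record (must start with v=DMARC1)"}
	}
	var out []string
	switch strings.ToLower(tags["p"]) {
	case "reject":
	case "quarantine":
		out = append(out, "p=quarantine: failing mail is spam-foldered rather than rejected")
	case "none":
		out = append(out, "p=none: monitor only, spoofed mail is still delivered")
	default:
		out = append(out, "missing or invalid p= tag")
	}
	if tags["rua"] == "" {
		out = append(out, "no rua= address: aggregate reports are not collected")
	}
	return out
}

// dkimFindings checks a selector record; an empty p= means the key is revoked.
func dkimFindings(record string) []string {
	tags := parseTags(record)
	var out []string
	if tags["p"] == "" {
		out = append(out, "empty p= tag: key is revoked, signatures will not verify")
	}
	if strings.Contains(tags["t"], "y") {
		out = append(out, "t=y: selector is in testing mode, receivers ignore failures")
	}
	return out
}

func main() {
	// Constructed records for the example; real ones are published as DNS TXT entries.
	fmt.Println("SPF:  ", spfFindings("v=spf1 include:_spf.example.net ~all"))
	fmt.Println("DMARC:", dmarcFindings("v=DMARC1; p=none"))
	fmt.Println("DKIM: ", dkimFindings("v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEY"))
}
```

Running this against your own domain's records on a schedule is cheap and catches the common drift: a marketing vendor added with one more include than the lookup budget allows, or a DMARC policy that was set to p=none "for now" and never tightened.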

Education: Build an easy, nice, crisp onboarding portal covering all the security practices an employee needs to follow, along with other important details. It should have enough detail about what the dos and don'ts are. It needs to be self-explanatory, with minimal HR involvement, so that employees can self-serve. Monthly surveys should be conducted to make sure employees are following it.


Incident Management Team: Through education, we need to make sure employees are aware of what to do in case of an incident. But we need a team to handle it. Often the support team gets involved first, and if required, the dev team gets called upon. Through this process, we lose time. For a fintech startup, I guess we can make it the tech team's responsibility to understand the impact and mitigate the situation. The team should be built in such a way that once an incident is reported, it gets routed only to the right set of people who can take appropriate action. For example, an issue in the gateway should send PagerDuty alerts to the tech lead and the developer/DevOps engineer assigned for that day. It's their responsibility to take it to closure and involve higher management if required.


At the end of the day, we have to make sure our system is secure not by building an empire of enterprise tools but by choosing the right mix of enterprise tools and our own inventions, so that our customers trust our systems enough to share sensitive data and we save some $$, or at least stay within budget.

