Payments

Every security architecture problem I have ever worked on, from payments to confidential computing to AI agents, has come down to the same question: Where is the data, and what happens to it? Not “what framework are we using.” Not “are we zero trust.” Not “which compliance checkbox do we need.” Those matter eventually. But they are not where you start. You start by following the data. The questions When I was at RBC working on mobile payments, I learned this the hard way. Every time I was confused about how to approach a security problem (and there were many times), the answer was always the same: stop thinking about the system. Start thinking about the data. ...

For a lot of product and engineering teams, security has a branding problem. Too often, it shows up at the end of the process as the function that says no. No, that architecture won’t pass review. No, that workflow isn’t compliant. No, you can’t ship it that way. The problem isn’t that the risks are imaginary. Most of the time, they aren’t. The problem is what happens next: teams learn to avoid security for as long as possible. They treat security review like a tollbooth at the end of the road instead of a design partnership at the beginning. ...