The five minute CIO: Paul Gaffney

30 Aug 2013

Paul Gaffney, service delivery director and co-founder of Card Commerce

The service delivery director and co-founder of Card Commerce Paul Gaffney talks about setting realistic budgets, strategic outsourcing and why, in a software company, technology and the business are intertwined.

Can you tell me about Card Commerce’s business?

Card Commerce is a technology company. We provide what we call customer engagement technology that helps merchants, businesses and communities recruit and retain customers. We have about 450 distinct merchants using our services. And within those merchants we have about 6,000 users that would log into our systems and control their own programs, run reports for whatever it is that they do. We process close to €125m on our system. It’s a very lean operation. We have 10 people, and that would include one country manager in the UK.

Future Human

Card Commerce deals with a lot of financial institutions: what implications does that have for your IT – do you have to meet more exacting standards as a result?

We do. For example, one of our partners is Barclaycard and they have white-labelled our platform – they sell it as Barclaycard Gift. Because they’re a bank, they expect our platform to work as an extension of their platform, so it has to meet standards like ISO 27001 and comply with PCI-DSS.

Do you look to standards and methodologies like IT-CMF or ITIL to help your IT team?

In fact, I’d be familiar with the Capability Maturity Framework because we used it last year, when we moved our infrastructure from where we were looking after it in our own environment to fully outsourcing it to TelecityGroup. To come up with our budgets for Telecity, we looked at the existing IT capability that we had in terms of our own infrastructure, how many customers we were serving, how many transactions we were processing.

We had a view on what that infrastructure looked like and the size in terms of disk sizes. We then did a three-year lookout based on the plans we had to scale the business for the next three years and the transaction processing associated with that, and the space we’d need and the amount of concurrent processing we’d need.

We then came up with our requirements of the type of infrastructure we’d need and we used that as an input into our RFI. Using industry standards and responses to the RFI, we were able to figure out our IT budget for the next three years.

I think typically with the CMF, you start with your budget, you look at your capability and you try and adjust your budget based on what you want to do. We looked at our existing capability, we looked at where wanted to grow to, and used it to figure out what our IT budget should be.

Why did you decide to host your critical systems in a third-party data centre?

It’s probably fairly straightforward: it’s a no-brainer. Based on the expectations of our banking partners, based on rigorous security and PCI requirements, we’d effectively end up building our own data centre. Why would we do that when we can use the likes of Telecity?

There’s just remarkable credibility behind that name. If we said ‘we’ll host it ourselves’, we would have to answer a lot of questions about our infrastructure, and conduct site visits. With Telecity, all of those questions disappear.

How big is your IT team, and to what extent do you rely on external vendors to supplement your in-house skills?

We would have a team of four that we would consider the IT team, out of the 10 staff. We obviously outsource all of the infrastructure to Telecity and then we outsource some of our software development activities, as well – not all of it, because we have some internal expertise.

How do you decide what stays in-house and what can be outsourced?

The software development would typically be split between legacy systems and new systems, so effectively we keep all development on the new systems in-house and we outsource the legacy development. There’s no point in trying to build expertise internally in something that will ultimately disappear. Any of the old systems that are terminal-based systems or interfaces we need to build, we get other people to build that because it tends to be one-off and won’t be around in five years’ time, I would expect.

Your Store24 application is the cornerstone of your business, and it’s delivered as a service. Do you consider yourselves as a cloud company?

No, what we’d say is we’re a software-as-a-service company. Now, one of the ways in which that software can be delivered is via cloud, but another option for customers is to take the software themselves and run it in-house. So that just becomes a deployment option.

It’s been said that cloud is a threat to traditional IT professionals, because companies won’t need their skills anymore because IT will be delivered as a utility. What are your thoughts?

I don’t see it as a threat at all. The cloud provides software services and they tend to be a low-cost and convenient method to deliver software. For example, one of the things we do is, we have a cloud facility that allows us to generate invoices. Rather than having our finance team manually generating invoices, we can utilise a cloud service to generate those invoices. Now, we still need the accounting people but by removing the manual element of creating the invoices, we free them up to do more finance work.

The same can be applied to lots of work. It’s not just IT services. We have various cloud services that we use for various parts of our business and it allows our IT people to focus on Store24, projects and transaction processing.

How close is your IT to its ideal state, or is that a constantly moving target?

It’s a constantly moving target. We’re constantly looking to improve the product set in terms of the service we offer, and also looking to improve the service we provide to our customers, to improve the alerting and management of the system itself so that we’re made aware of any issues in the system and we need to address them rather than somebody else bringing it to our attention. We’re constantly looking to increase our awareness of what’s happening.

It’s hard to answer the question is there an end goal in sight, because the pace that the environment is changing means we’re only really looking three or six months ahead and then there’s a new set of requirements or functionality we would have to address.

Have you any major business and IT projects planned for the coming months, and what can you tell me about them?

There’s a big one that we’re literally just putting the final touches to at the moment. One of our largest customers is the biggest pub chain in the UK and they’d have about 1,700 outlets. They have a customer email database of 4m pub and restaurant users. Next month they want to run a digital coupon/vouchering campaign whereby they send out 4m emails and ask people for some feedback and in return, they’ll give them a free £5 digital voucher. They expect something like a 15pc response. We will effectively fulfil all of those vouchers; they’ll be transactions that are processed on our system. That’s a big project that we’re looking to kick off in the next week or two.

It’s part of our service but at the same time, it does mean our focus has moved away from functionality to being performant and scalable: we need to be able to process and be confident of processing 100 transactions a second, because of the way this campaign is going to run.

Your business is very much reliant on IT: is there anything that keeps you awake at night?

Plenty of things would keep me awake at night, but it’s about the risk assessment, risk mitigation, monitoring, and DR [disaster recovery] testing: for example, if we or Telecity had an outage, how quickly can we bring up our DR site? We’ve recently done a DR test with Telecity and we’re confident that that’s working. Every six months I plan to do a DR test with them.

The stuff that kept me awake three months ago isn’t the stuff that will keep me awake now. We’ve done performance tuning on the system and we’ve confirmed we can handle that.

In terms of your own role, how much is given over to technical issues and how much time is spent on business concerns?

It’s probably somewhere close to 60:40. Because the technology is our business, it’s almost hard to separate the technical issue and the business concerns. I would be involved in lots of presales discussions with customers, where they might have concerns. I don’t solely concern myself on technology issues and let someone look after the business side – they’re intertwined because the technology is the business.

How have your responsibilities changed over time, and do you expect the role to change more in the future?

Where it’s changing fairly dramatically in the last couple of months is, everything’s moving to digital and to couponing – almost the Groupon model. Large businesses want to drive footfall into their stores, and how they do that [in some cases] is offer a free fiver. You have to be able to do it efficiently and the best way to do that is via digital – via an email or SMS. [Whereas] this time 18 months ago, the vast majority of our business would have been plastic gift card transaction processing.

Digital will grow in the months ahead, and because we expected and predicted it, we’ve moved from a physical infrastructure to a virtual environment. Spinning up a new virtual machine is a thing that can happen in a matter of hours. A brand new machine would have taken days or weeks previously. We we’re kind of ready for it.

What’s been your biggest challenge since you took the role?

Probably staying up with the sales guys – making the platform as robust and as performant as possible, so we can match the expectations of these large customers that we’re signing. We now have three of the top four UK pub and restaurant businesses, and we’re talking to the ones that are missing. Clearly, what one of those does, the second or the third can do.

Gordon Smith was a contributor to Silicon Republic