For businesses operating in the digital payments space, processor security must be of paramount importance. At i2c, our commitment to maintaining the highest standards of security is never-ending and always evolving. We believe that we have an inherent responsibility to keep our customer data secure.
That’s no simple task, and it requires a system of governance that includes a broad array of policies, procedures, planning activities, responsibilities, practices, and resources.
Given the many breaches that have occurred over the past few years involving processors directly or other third parties, it is so important for organizations to have a framework for analyzing processor security. While very complex, at the core, there are five key areas to focus on, which should apply to any processor.
- Good governance by a payment processor calls for establishing internal audit, compliance, and information security groups that have separate reporting channels to upper management and/or a board-level audit committee. This organizational structure ensures that all security and operational-related risks are appropriately addressed and that all internal processes and practices remain in compliance with the organization’s defined policies and procedures. This, in turn, should align with applicable external security standards, regulatory laws and payment systems operating rules.
- Payment processors also need to dedicate proper resources to the task of understanding and complying with all applicable government, industry, association, legal and regulatory requirements that are relevant to each of their operating regions. Such requirements need to be carefully identified, documented, applied and updated on a regular basis.
- Payment processors’ compliance activities need to also cover the applicable rules and regulatory requirements pertaining to their client partners. For example, if they are processing data on behalf of a partner whose data is governed by a given regulatory rule, then they as the third-party provider must also apply those regulatory rules when handling the data.
- Risk management should be incorporated into every payment processors’ system of governance. It provides a framework for identifying and addressing risks within the organization and provides a process for regular operational review and improvement. An effective risk management process should adopt an appropriate risk management methodology to identify, evaluate, mitigate and monitor risks pertaining to critical business assets and operations.
- Finally, security best practices also call for a “defense-in-depth” strategy to ensure the protection of information assets and overall risk reduction. A defense-in-depth approach ensures that the failure of any one control does not lead to successful penetration. By providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data.
For those that want to dive deeper into these, and read in more detail about specific security best practices, check out our white paper on the topic. We hope it will help as you perform due diligence on your payment processor.