Payment Processor Security Begins

Payment Processing Security

Payment processors share an inherent responsibility to keep their systems secure. It requires a system of governance that includes a broad array of policies, procedures, planning activities, responsibilities, practices and resources for implementing and maintaining a secure system and network operating environment.

To help organizations identify the best payment processors, a recent white paper from i2c outlines the various governance and security best practices processors should use. And it all starts from the top.

Good governance calls for establishing internal audit, compliance, and information security groups within the organization that have separate reporting channels to upper management and/or a board-level audit committee,  the report notes. This organizational structure ensures that all security and operational-related risks are appropriately addressed and that all internal processes and practices remain in compliance with the organization’s defined policies and procedures, which in turn should align with applicable external security standards, regulatory laws and payment systems operating rules.

Resource Dedication

Payment processors also need to dedicate proper resources to the task of understanding, and complying with all applicable government, industry, association, legal and regulatory requirements that are relevant to each of their operating regions, according to the paper. Such applicable requirements need to be carefully identified, documented, applied, and updated on a regular basis.

Payment processors’ compliance activities need to cover not only the applicable government, industry, association operating rules and legal/regulatory requirements pertaining to their operations, but they also need to understand and comply with the applicable rules and regulatory requirements pertaining to their client partners. Let say you process customer data on behalf of a partner whose data is governed by a given regulatory rule, then you as their third-party provider must also apply those regulatory rules when handling their data.

Policies and procedures should be developed and put into practice that ensure the payment processor remains in compliance with these various requirements.

Risk Management

Risk management should be incorporated into every payment processors’ system of governance. It provides a framework for identifying and addressing risks within the organization and provides a process for regular operational review and improvement, according to the report. An effective risk management process should adopt an appropriate risk management methodology to identify, evaluate, mitigate and monitor risks pertaining to critical business assets and operations.

Security best practices also call for a defense-in-depth strategy to ensure the protection of information assets and overall risk reduction. A defense-in-depth approach ensures that the failure of any one control does not lead to successful penetration. By providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data.

April 7th, 2014 by