The Expanding Role of Technology Providers in Payment Processing
TRANSCRIPT
Transition
Introduction of disruptive technologies
Retail focus on in-store experience and moving away from the traditional point of sale
Growing acknowledgment by financial institutions that purchasing habits are changing; increasing comfort with role of technology
Recent Market Trends Affecting Role of Technology Providers
Brick and Mortar
eCommerce
Mobile Commerce
Hypothetical Transaction
Assumptions: Entire transaction will occur in the United States; Point of Sale Solutions Provider utilizes Cloud Provider to host web-based application that provides payment processing, inventory management and other functionalities.
[Diagram: Primary Players in the hypothetical transaction: Consumer, Merchant, Issuing Bank, Point of Sale Service Provider, Cloud, Payment Network, Acquirer/Processor. Arrows labeled DATA show the flow of payment data between the parties; arrows labeled AUTH/$$ show the flow of authorization and funds.]
Importance of Due Diligence
How will data flow end-to-end?
Which parties will have access to payment credentials and transaction data?
At which points will data be encrypted?
Will any party that accesses, processes or stores payment data subcontract relevant services?
Will a public cloud or private cloud be used to host the Point of Sale Solution Provider’s system?
Practice Tip: Request a diagram of the end-to-end process from your business client (or prepare one yourself if necessary)
Key Considerations for Agreement (and Product Development)
How will the Point of Sale Solution Provider and its Cloud Provider demonstrate that they have sufficient controls and safeguards in place to protect payment data?
What legal, regulatory and industry regimes and standards apply to the Point of Sale Solution Provider and its Cloud Provider?
What kinds of ongoing testing may be required of the Point of Sale Solution Provider and its Cloud Provider?
How will the parties verify that the Point of Sale Solution Provider maintains sufficient controls/safeguards and compliance?
Methods for Demonstrating Sufficiency of Controls and Safeguards
PCI Compliance
PCI DSS Report on Compliance and Attestation of Compliance
PA DSS Report on Validation and Attestation of Validation
Compliance with ISO 27001 and 27002
ISO 27001 – Information Technology – Security Techniques – Requirements – Ex. Segregation of duties
ISO 27002 – Information Technology – Security Techniques – Code of Practice
Requires internal testing and self-certification
SSAE-16 Type II/ISAE 3402 (International)
Tests participant’s internal controls against established standards
Typically results in a report that is often requested of service providers
ISO 22307 Privacy Impact Assessment
Internal test against privacy standards and compliance with company’s privacy policy
Legal, Regulatory and Industry Regimes and Standards
Payment Network Rules
Obligation typically imposed by merchant acquirer or processor
PCI DSS; PA DSS; Payment Network Security Programs (CISP + SDP)
Gramm-Leach-Bliley (GLB)
Requires implementation of reasonable “administrative, technical and physical safeguards”
Applies to entities engaged in “financial activities” and compliance will generally be contractually required for parties providing services to those entities
Interagency Guidelines Establishing Customer Information Safeguards
Adopted by primary agencies overseeing financial institutions (Federal Reserve, FDIC, OCC)
Requires entities subject to agencies’ supervision to adopt written information security programs and provides standards and requirements for those programs
Provides guidance for cloud service providers
Legal, Regulatory and Industry Regimes and Standards (cont.)
FFIEC Cloud Computing Guidance
Prepared by Federal Financial Institutions Examination Council (FFIEC), which includes representation from primary agencies overseeing financial institutions, the new Consumer Financial Protection Bureau and state agencies
FFIEC has authority to audit service providers to financial institutions
Open Web Application Security Project (OWASP)
Open Web Application Security Project is a non-profit organization established to create standards for the security of software applications
Compliance with OWASP “Top 10” often required of application providers by financial institutions and others
State data security/data breach laws
Common Ongoing Testing Requirements
Periodic PCI and ISO certifications and reports
Regular penetration testing (internal or by independent vendor qualified under PCI ASV)
Regular vulnerability and threat assessment (VTA) testing
Independent Verification of Compliance
Standard contractual audit rights
Payment network audits
Regulatory audits
Independent audit of PCI and ISO compliance and related reports
SSAE-16 Type 2 reports by independent auditors
Trends on the Horizon (that may reshape the landscape…again)
Tokenization of payment credentials – Clearinghouse Initiative – Payment Network Initiative
Increasing use of proxy credentials to limit number of players who touch payment credentials (e.g. PayPal mobile model)
Cost/benefit analysis of compliance with established standards