Concerned About Security and Privacy in Payments? Here’s What You Need To Know
21 June 2021
by Ganesh Srinivasan, VP Compliance & Information Security
COVID-19 has taught the financial services industry the painful lesson that it can’t always anticipate what the future holds. Business continuity and security need to be emphasized more than ever before, which involves arming ourselves with the most advanced technology available to foster resiliency, security and adaptability, no matter the circumstance.
At Volante, we believe that the answer to all of this uncertainty lies in the cloud and payments-as-a-service. In particular, payments services providers need to give confidence to their customers that their cloud-based solutions can continue to operate with outstanding resiliency.
ISO 27001 and SOC1/SOC2
Several accreditations are particularly important for cloud-based payments services and solutions: ISO 27001 (ISO/IEC 27001:2013), System and Organization Controls reporting (SOC 1 and SOC 2), and the Payment Card Industry Data Security Standard (PCI DSS).
ISO 27001 is an independently-audited, international best-practice standard for information security management controls. For cloud-based services in particular, certification can be achieved in up to fourteen information security domains, evidencing an organization’s commitment to compliance and security and ensuring that any data from banks and financial institutions is safeguarded by the service provider.
Every aspect of information security is covered, from product development to support services. Each activity has multiple controls within the audit, and each control is assessed by the external auditor. Customers can therefore be assured that the provider has adequate and appropriate information security in place.
The System and Organization Controls Report 1 (SOC 1) focuses on internal controls in the service organization that will impact the financial reporting of the user organizations. Primarily considered an obligation for service providers in the U.S., it is now becoming more relevant on a global basis, particularly in Latin America.
Whilst technology service providers are not normally required to comply with this attestation (as they do not directly handle the financial information of their customers), Volante was keen to obtain this accreditation in order to reassure its clients that the integrity of the data processed by Volante will remain intact - a ‘gold standard’ if you will.
The System and Organization Controls Report 2 (SOC 2), on the other hand, is required by all service providers. Taking the form of an attestation report performed under the Association of International Certified Professional Accountants (AICPA) attestation standards, a SOC 2 report provides an opinion by an independent auditor that internal controls are in place relating to security, availability, processing integrity, confidentiality and privacy trust services principles. In addition, being in compliance with the SOC 2 privacy criteria may serve in helping clients be compliant with GDPR data privacy rules.
During the COVID-19 pandemic there has been an increase in the number of ransomware attacks. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) adds a further focus on data security to help mitigate data loss. A PCI DSS attestation of compliance, conducted by a Qualified Security Assessor (QSA), assures customers that best practices for detecting, preventing and remediating data breaches are followed.
These industry-respected accreditations ensure the integrity of data being processed on a cloud-based platform, and provide assurance that all data is processed securely within an information security boundary.
In these times, peace of mind is paramount. And we believe that properly accredited cloud-based systems are the best way to deliver that to our customers.