Fort Knox or the Alamo? Safeguarding your customers’ payment information
As seen in DOCUMENT Magazine
While many billers have a well-written information security program that articulates the rules for managing customer payment details, few have the business processes and technologies to fully protect that data. The recent rash of data breaches suggests that this gap between policy and practice is emerging as a “sleeper” risk for most organizations. With ePayments growing at double-digit rates and crossing the 50% threshold of bill payments, the time is now to take a look in the mirror and see how well your organization is doing.
The “Plastic” Revolution
Billers across the United States are immersed in a sea of payment changes that add both complexity and new risks to a traditional billing model dominated by paper check acceptance. The “paper to plastic” revolution is challenging their existing business processes and putting new strain on their accounts receivable and information technology departments. Driven by consumers’ desire for convenience and control, electronic payments are ballooning. American consumers spend more than $1.4 trillion every year on recurring services, ranging from cell phones to cable TV to offsite storage units, and increasingly they demand the convenience of having their credit and debit cards pay these bills automatically. This demand, sometimes fueled by the cardholder’s search for rewards points, introduces a whole new world of security issues to billers that have traditionally dealt only with walk-in cash payments, checks and, perhaps, ACH (automated clearing house) payments. Such a migration from paper to electronic will not be easy for many companies, as it brings a new array of security concerns and, frequently, complex business requirements.
Companies entering this new world of accepting credit and debit cards from the “Big 5” of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International will find that these card companies tout a plethora of reasons for accepting their cards. For example, Visa reports that its research with a variety of billers and consumers has shown that:
>>Payments made with cards post 72% faster than checks.
>>Billers experience reduced delinquency rates — more than 20% lower — as compared to checks.
>>Five percent fewer payments require exception processing.
>>There are up to 25% fewer customer service calls per customer.
Billers must undertake an effective risk assessment, which includes a review of their lines of business, applications, technology infrastructure and service providers. They must follow a structured process to identify threats, controls and vulnerabilities for each of these four risk areas. And within each risk area, billers should drill down on operational, fraud, reputation, compliance and technology risk.
Overseeing Service Provider Arrangements
The organization that holds the client’s trust is always responsible for safeguarding customer information, even when it uses a third party to provide services to its customers. Essentially, billers can choose among three methods of handling card data: 1) let their payment processor handle everything in an application service provider (ASP) mode, 2) perform some functions in-house and outsource the rest, or 3) perform virtually all functions in-house. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any organization that stores, processes or transmits cardholder data, and compliance must be demonstrated to the biller’s acquiring bank whichever option is chosen. The bad news is that with options two or three the biller’s own systems, networks and staff fall squarely within the scope of the standard, whereas full outsourcing shrinks that scope to the hand-off points with the provider. Without a doubt, PCI compliance involves a significant investment in time and money and may call for difficult changes to a firm’s operations and technology infrastructure. Ken Leonard, CEO of ScanAlert, a large provider of PCI compliance services, sums it up well when he says that “the PCI DSS is a robust and intricate set of security requirements.”
The Outsourcing Route
Perhaps, these compliance issues are why many smaller billers choose to completely outsource their card operations. For example, Mountain View, California-based CyberSource helps billers process electronic payments without the risk of storing or even handling sensitive account information. With CyberSource’s Payment Data Management, CyberSource, not the biller, manages sensitive customer information, such as credit card numbers and related transaction data. David Glaser, CyberSource Vice President of Professional Services, explains, “We handle the acceptance, processing, transmittal and storage of their e-Commerce transactions so biller compliance with PCI DSS is much simpler and faster.” With the Hosted Payment Acceptance option, when customers hit the payment button, CyberSource collects the actual payment data, processes the transaction and securely stores the data for any subsequent payment action, such as a credit or recurring payment.
However, even if an organization outsources its information management operations, it is still ultimately responsible for the safety of customer information. If billers have not done so already, it is time to establish appropriate oversight of all vendor relationships. Specifically, firms should develop a Payment Outsourcing Risk Management checklist, which should:
>>Assess outsourcing risks to identify needs and requirements.
>>Create and maintain an inventory list of each vendor relationship that houses customer data, and document risk assessment plans.
>>Prioritize the risk of each relationship consistent with the types of customer information the vendor can access.
>>Perform proper due diligence of third-party vendors.
>>Execute written contracts that outline duties, obligations and responsibilities of all parties.
>>Establish procedures for ongoing oversight of all outsourcing relationships involving sensitive customer data.
Billers that want end-to-end payment solutions that include e-billing at the front end often turn to large vendors such as CheckFree, Online Resources Corporation, Metavante and Fiserv for assistance. Mark Critchett, Vice President of Product Management at CheckFree, explains, “We can handle every channel from online to IVR to call center, and we even have over 11,000 agent locations where consumers can walk in and pay their bills.” At Metavante, Dave Fortney, Senior Vice President of the e-Payments Group, emphasizes, “We can outsource everything involving payments for a biller — even its call center operations, so it can focus on its core business.”
Looking Internally
Mid-size to large billers who choose to handle payments in-house must be prepared for PCI DSS validation, which ranges from a self-assessment questionnaire to a full-blown, on-site assessment by a third-party Qualified Security Assessor, depending on the volume of card transactions handled annually. They must also perform a risk assessment and threat analysis, formulate an organizational security policy and train employees. Even smaller organizations must develop security policies and procedures for the back-office employees who handle payment data and for the customer-facing employees in their call centers and walk-in locations.
Tackling the Security Policy
Companies can develop their own security policies internally or turn to vendors such as Mountain View, California-based Polivec and its Compliance Management System, which helps organizations manage their policies and procedures, measure compliance across the organization and report against regulations and risk. Polivec CMS provides companies a combination of policy management, education and awareness functionality, security posture monitoring and reporting against established policies while simultaneously addressing regulations and standards, such as Sarbanes-Oxley, the Gramm-Leach Bliley Act, the California Security Breach Information Act and PCI DSS. Additionally, its consultants can help companies ramp up internal policy education and awareness programs. IT departments will also have to establish security checklist reviews that employ published or publicly available checklists for specific types of platforms, applications or services to make sure that software is up-to-date, configurations locked down and potential points of attack closed.
The Inside Line
While high-profile outside hacker attacks garner headlines, security study after security study reveals that insiders are the greatest source of critical data leakage. Sensitive information is floating around every organization’s network as unstructured data: email, web-mail, Word documents, PowerPoint presentations, Excel spreadsheets and reports. Blocking this private data, in all its forms, from leaving the network is the purpose of a new generation of products known by various names: extrusion prevention, active policy management, outbound content security, information leak detection and prevention, point-of-use security, content monitoring and control, data loss prevention, content filtering and messaging security. Some of the players in this market are Code Green Networks, Intrusion, PortAuthority Technologies, Tablus and Vontu.
Chip Hay, Senior Vice President at Code Green Networks, points out, “While establishing policies is fairly easy and straightforward, it can be quite difficult to actually enforce these policies and prove compliance to auditors.” He adds, “In addition to critical customer and payment data, businesses must provide strong safeguards for other information, such as their financial plans, salary information, employee files, contracts and legal documents.” Jay Barbour, Vice President of Marketing at Intrusion and a Certified Information Systems Security Professional (CISSP), explains, “Firewall and other perimeter security devices are oblivious to sensitive data. What are needed are data-centric devices that can probe deeper into the network and catch actual sensitive data transmissions.”
Even though the large majority of confidential data leaked from organizations is leaked unintentionally, the consequences can be the same as for a malicious act: mandatory disclosure generating unfavorable media coverage, upset customers, tarnished reputations, possible regulatory fines and expensive clean-up costs, as well as an increased risk of fraud and identity theft. Extrusion prevention vendors normally deploy a hardened appliance in the client’s data center that constantly monitors ports, protocols and applications for confidential data leakage. For example, these tools can be configured to block or quarantine emails that contain Social Security numbers, customer account numbers, credit/debit card numbers, even drivers’ license numbers. Because long digit strings are common in invoices, reference numbers and phone numbers, a good rule validates a candidate card number (for instance with the Luhn check digit) before acting on it; otherwise the appliance drowns the security team in false positives.
At the end of the day, one of the biggest drivers for securing electronic transactions and customer information may be the media — with the constant barrage of data breaches in the news driving home the importance of security in protecting a business’ brand and reputation. However, the good news is that whether billers outsource card acceptance or choose to tackle this process in-house, there are many places to get help with security programs. “We believe security fears should not stop any business from moving to electronic payments; rather, they should prompt managers to develop a culture of control and risk mitigation,” advises Sush Koka, Senior Analyst at PayStream Advisors, a financial automation consulting firm. However, others are a bit more cautious. Rob Tourt, Vice President of Network Services for the Discover Network, is convinced from his real-world experiences that “improper storage of cardholder data is the biggest problem for businesses, and many times, they don’t even know that they are storing this information.” He concludes, “Security has become a — if not the — top issue in the card industry, with everyone across the board concerned about ongoing card fraud and identity theft.”
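The two detection problems raised above, catching card numbers and Social Security numbers in outbound email (the extrusion prevention rule) and discovering cardholder data that an organization does not know it is storing (Rob Tourt’s point), share one core: find a digit string, validate it, and never echo the full number back. The following added example, written for this article and not taken from any vendor named in it, implements that core in Python and applies it to both cases. The regular expressions, the block/quarantine/allow verdicts, and the sample email and log lines are all constructed for illustration; the only card numbers used are the well-known 4111… and 5555… test numbers.

```python
"""Content-inspection rules for cardholder data: outbound email and data at rest.

Added example, not any vendor's product. Sample messages and files are constructed.
"""
import re

# A candidate primary account number (PAN): 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer run of word characters.
_PAN_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")

# A Social Security number in the common NNN-NN-NNNN form, excluding the area
# numbers (000, 666, 9xx) and group/serial values that are never issued.
_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, with separators stripped."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Display form permitted by PCI DSS: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_message(body: str) -> tuple:
    """Verdict for an outbound message: ('block'|'quarantine'|'allow', masked PANs, SSN count).

    Policy (assumed for the example): a card number is blocked outright, an SSN
    without a card number is held for review, anything else is allowed.
    """
    pans = [mask(p) for p in find_pans(body)]
    ssn_count = len(_SSN_RE.findall(body))
    if pans:
        return ("block", pans, ssn_count)
    if ssn_count:
        return ("quarantine", pans, ssn_count)
    return ("allow", pans, ssn_count)


def discover_stored_pans(stores: dict) -> list:
    """Scan {name: text} stores (logs, exports, spreadsheets dumped to text) for PANs.

    Returns (store name, line number, masked PAN) so an auditor can locate the
    data without the report itself becoming cardholder data.
    """
    hits = []
    for name, text in stores.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for pan in find_pans(line):
                hits.append((name, line_no, mask(pan)))
    return hits


# Constructed samples: one customer email and two back-office files.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111 exp 12/27 for the storage unit.\n"
    "SSN on file is 078-05-1120.\nThanks"
)
SAMPLE_STORES = {
    "app.log": (
        "INFO  session start user=1042\n"
        "DEBUG authorize card=5555555555554444 amt=49.95\n"   # developer left full PAN in a debug line
        "INFO  authorize ok ref=1234567890123\n"               # 13 digits, but fails Luhn
    ),
    "invoices.csv": "invoice,amount,status\n1234567890123,49.95,paid\n",
}

if __name__ == "__main__":
    print(classify_message(SAMPLE_EMAIL))
    for hit in discover_stored_pans(SAMPLE_STORES):
        print("stored PAN found:", hit)
```

The reference number 1234567890123 is exactly the kind of 13-digit string a naive regex would flag; it fails the Luhn check and is ignored, while the debug line in the application log is reported with a masked number and a line reference. In a real deployment the discovery scan would be pointed at database exports, log archives and file shares, and the masked report is what goes to the PCI assessor.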
Henry Ijams is the Managing Director and founder of PayStream Advisors, a financial automation consulting firm with a focus on emerging technologies in the financial supply chain. Mr. Ijams’ 20 years of experience includes key positions with Citibank and Manufacturers Hanover Trust as well as a manager of Ernst & Young’s Financial Services Consulting practice. For more information, please visit paystreamadvisors.com or email .