If your company interacts with payment data, it’s important to choose a payment security solution that can keep your customer’s data safe. Before choosing a security solution, you should have an in-depth understanding of the company’s network security, physical security, data encryption, risk management, and vulnerability management. However, unless you’re a leading expert in the field, it can be hard to verify that a payment security solution has the level of security you need.
Industry-standard certifications are an excellent way for merchants to verify the security measures of potential payment security solutions. In this article, we’ll look through the industry-standard certifications you should look for in a secure payment solution.
SSAE 18 SOC 2 and 3 Report
The Statement on Standard for Attestation Engagements 18 (SSAE 18) is a standard that evaluates companies that provide outsourced services that affect another company’s financial statements. Independent service auditors can verify important claims about a security solution’s systems with an SSAE 18 report.
Service Organizational Controls (SOC) 2 and 3 are reports that focus on the security and privacy of a company’s systems. These reports audit the controls used by the payment security solutions to fulfill their responsibility to their clients. It will check a business’s security, to ensure data is protected from unauthorized access, its compliance for operational availability, and its protection of confidentiality.
SOC 2 and 3 can verify key claims made by a security solution about its infrastructure, software, networks, people, procedures, and processes. As such, they are incredibly valuable certifications when considering a payment security solution provider.
ISO/IEC 27001 Certification
A joint technical committee from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the ISO/IEC 27001 standard to outline security controls and best practices for technology platforms. Focusing on information security, this independent audit validates security procedures for information security management systems (ISMS). The ISO 27001 reaffirms a company’s compliance with the policies and procedures expected for securing sensitive data, including financial information, intellectual property, employee details, and more.
Certification for ISO/IEC 27001 is not mandatory, but it is a signal of a company going above and beyond to follow recommended best practices. Not every payment security solution needs to have an ISO/IEC certification. However, the rigorous certification process behind ISO/IEC 27001 shows that a company goes above and beyond to secure their systems. When you’re looking for a security solution for payment data, that’s exactly the level of commitment you should be looking for.
PCI DSS Certification
The Payment Card Industry Data Security Standard (PCI DSS) is a standard developed by leading cardholder brands in order to protect cardholder data. If your payment security solution interacts with or stores cardholder data, it is essential for them to be PCI compliant.
Specifically, you’ll need to look for a PCI Certified service provider. A service provider is an entity other than a payment brand who interacts with cardholder data (like a tokenization platform, a firewall manager, or a hosting provider).
PCI Certified Service Providers are also separated by different levels. It's important to verify that your service provider has a high enough level to handle the number of transactions your business processes every year. A Level 1 service provider is certified to interact with more than 300,000 credit card transactions annually, while a Level 2 service provider must interact with less than 300,000 transactions annually. If you have a larger business, you will need to work with a PCI Certified Level 1 service provider.
General Data Protection Regulation (GDPR) is a stringent data protection legislation developed by the European Union (EU). It regulates the storage, transmission, and management of all personal data, including payment data. Although its data privacy regulation was designed to protect EU citizens, it is relevant for every business with clients within EU nations.
Any security solution you choose should be compliant with GDPR so they can secure personal data from clients in the EU. Moreover, a good payment security solution will help your business maintain compliance with GDPR’s strict security requirements.
NACHA connects all US bank accounts through its Automated Clearing House (ACH) Network, and as such is responsible for the movement of money between different bank accounts. NACHA is not a government agency but works closely with the government to ensure electronic payments remain secure. They not only develop guidelines for payment security, but also act as a space for discussion and education for the payments industry.
Not all security solutions will be in scope for NACHA certification, but if they are, it is important that they comply with NACHA’s Operating Rules and Guidelines.
The Cloud Security Alliance (CSA) offers a popular security provider certification known as the CSA Security, Trust & Assurance Registry (STAR). The CSA STAR program allows businesses to publish security and privacy controls in a public registry.
Level 1 organizations submit security and privacy self-assessments that can be accessed on the CSA website. Level 2 organizations submit third party security audits and certifications to the site. This information hosted on the CSA site helps customers verify the credibility of potential cloud payment security providers.
Whatever payment security solution your company chooses, it’s important to verify the strength and security of their offerings before making a decision. Standardized certifications can not only verify a company’s compliance with basic standards but also identify companies with top tier payment security offerings.
Security certifications should be easy to find on a security provider's website, alongside their security controls and risk management policies. Review a provider’s credentials carefully before choosing a security solution. After all, your payment security relies heavily on the robust nature of the security solutions you choose.
See the security controls TokenEx uses to ensure the protection of our clients’ sensitive data: