The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson

Size: px

Start display at page:

Download "The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson"

Jason Moris French
8 years ago
Views:

1 The New Normal: The Expanding Role of Technology Providers in Payment Processing Pete S. Johnson

2 Recent Market Trends Affecting Role of Technology Providers Transition Brick and Mortar ecommerce Mobile Commerce Introduction of disruptive technologies Retail focus on in-store experience and moving away from the traditional point of sale Growing acknowledgment by financial institutions that purchasing habits are changing; increasing comfort with role of technology

3 Hypothetical Transaction Primary Players DATA Merchant DATA AUTH/$$ Point of Sale Service Provider DATA AUTH/$$ Cloud AUTH/$$ DATA Consumer $ AUTH/$$ DATA AUTH/$$ DATA Issuing Bank Payment Network Acquirer/Processor Assumptions: Entire transaction will occur in the United States; Point of Sale Solutions Provider utilizes Cloud Provider to host web-based application that provides payment processing, inventory management and other functionalities.

4 Importance of Due Diligence How will data flow end-to-end? Which parties will have access to payment credentials and transaction data? At which points will data be encrypted? Will any party that accesses, processes or stores payment data subcontract relevant services? Will a public cloud or private cloud be used to host the Point of Sale Solution Provider s system? Practice Tip: Request a diagram of the end-to-end process from your business client (or prepare one yourself if necessary)

5 Key Considerations for Agreement (and Product Development) How will the Point of Sale Solution Provider and its Cloud Provider demonstrate that they have sufficient controls and safeguards in place to protect payment data? What legal, regulatory and industry regimes and standards apply to the Point of Sale Solution Provider and its Cloud Provider? What kinds of ongoing testing may be required of the Point of Sale Solution Provider and its Cloud Provider? How will the parties verify that the Point of Sale Solution Provider maintains sufficient controls/safeguards and compliance?

6 Methods for Demonstrating Sufficiency of Controls and Safeguards PCI Compliance Compliance with ISO and PCI DSS Report on Compliance and Attestation of Compliance PA DSS Report on Validation an Attestation of Validation ISO Information Technology Security Techniques Requirements Ex. Segregation of duties ISO Information Technology Security Techniques Code of Practice Requires internal testing and self-certification SSAE-16 Type II/ISAE 3402 (International) ISO Privacy Impact Assessment Tests participant s internal controls against established standards Typically results in a report that is often requested of service providers Internal test against privacy standards and compliance with company s privacy policy

7 Legal, Regulatory and Industry Regimes and Standards Payment Network Rules Obligation typically imposed by merchant acquirer or processor PCI DSS; PA DSS; Payment Network Security Programs (CISP + SDP) Gramm-Leach- Bliley (GLB) Interagency Guidelines Establishing Customer Information Safeguards Requires implementation of reasonable administrative, technical and physical safeguards Applies to entities engaged in financial activities and compliance will generally be contractually required for parties providing services to those entities Adopted by primary agencies overseeing financial institutions (Federal Reserve, FDIC, OCC) Requires entities subject to agencies supervision to adopt written information security programs and provides standards and requirements for those programs Provides guidance for cloud service providers

8 Legal, Regulatory and Industry Regimes and Standards (cont.) FFIEC Cloud Computing Guidance Prepared by Federal Financial Institutions Examination Council (FFIEC), which includes representation from primary agencies overseeing financial institutions, the new Consumer Financial Protection Bureau and state agencies FFIEC has authority to audit service providers to financial institutions Open Web Application Security Program (OWASP) Open Web Application Security Project is a non-profit organization established to create standards for the security of software applications Compliance with OWASP Top 10 often required of application providers by financial institutions and others State data security/data breach laws

9 Common Ongoing Testing Requirements Periodic PCI and ISO certifications and reports Regular penetration testing (internal or by independent vendor qualified under PCI ASV) Regular vulnerability and threat assessment (VTA) testing

10 Independent Verification of Compliance Standard contractual audit rights Payment network audits Regulatory audits Independent audit of PCI and ISO compliance and related reports SSAE-16 Type 2 reports by independent auditors

11 Trends on the Horizon (that may reshape the landscape again) Tokenization of payment credentials Clearinghouse Initiative Payment Network Initiative Increasing use of proxy credentials to limit number of players who touch payment credentials (e.g. PayPal mobile model) Cost/benefit analysis of compliance with established standards

12 Questions??????????

13 Thank you Peter S. Johnson Partner

VENDOR MANAGEMENT An Update & Discussion

VENDOR MANAGEMENT An Update & Discussion Ground Rules TO ENCOURAGE FREE DISCUSSION, NO RECORDING DEVICES OF ANY KIND INCLUDING CELL PHONES, CAMERAS, ETC, ARE ALLOWED NO EXCEPTIONS VIOLATORS WILL BE ASKED