GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com
Table of Contents

Governance and Security to Ensure Operational Integrity
Processor Compliance with Laws, Regulations, and Operating Rules
Enterprise Risk
Defense-in-Depth Security Best Practice
Data Integrity and Availability
Access Management
Event and Activity Monitoring
Incident Response and Reporting
Physical and Environmental Controls
Disaster Recovery and Business Continuity
Data Disposal
Software Development and Change Management Controls
Separation of Duties and Environments
Integrity of Personnel
Governance and Security to Ensure Operational Integrity

Payment Processors should be dedicated to implementing all measures necessary to safeguard their information systems and infrastructure. These measures in turn should be subject to a system of governance that includes the policies, procedures, planning activities, responsibilities, practices and resources needed to implement and maintain a secure system and network operating environment. In particular, the Payment Processor's Management needs to establish an organizational structure that enables it to oversee the governance and security function, including the planning, design and implementation of internal and external network security and logical access controls, the assignment of responsibilities and resources, and the policy and procedural documentation. Equally important is careful oversight of third-party relationships, to ensure that partners pay as much attention to security, compliance and governance as the Processor does.

Good governance calls for establishing Internal Audit, Compliance, and Information Security groups within the organization that have separate reporting channels to upper Management and/or a Board-level Audit Committee. This structure ensures that security and operational risks are appropriately addressed and that internal processes and practices remain in compliance with the organization's defined policies and procedures, which in turn should align with applicable external security standards, regulatory laws and payment system Operating Rules. Internal audits should be performed by an independent Internal Audit group at least quarterly. Issues of non-compliance revealed by these reviews need to be documented and shared with Management and the Audit Committee. Any deviations noted should be addressed promptly, and identified gaps followed up until closed.
Payment Processors need to dedicate adequate resources to understanding and complying with all applicable government, industry and association Operating Rules and legal/regulatory requirements relevant to each of their operating regions. Such requirements need to be carefully identified, documented, applied, and updated on a regular basis. Policies and procedures should be developed and put into practice that ensure the Payment Processor remains in compliance with these various requirements. Good governance also calls for establishing proper training and awareness programs to communicate important information on security and compliance within the organization. The program should include regular updates that reflect changing policies, rules and regulatory environments.
Processor Compliance with Laws, Regulations, and Operating Rules

Payment Processors' compliance activities need to cover not only the government, industry and association Operating Rules and legal/regulatory requirements pertaining to their own operations; they also need to understand and comply with the rules and regulatory requirements pertaining to their client partners. For example, if you process customer data on behalf of a partner whose data is governed by a given regulation, then you as their third-party provider must also apply that regulation when handling their data. Processors thus need to work closely with their partners to identify and comply with all such applicable laws and regulations, and to establish internal policies and procedures that ensure compliance with them.

Enterprise Risk

Risk management should be incorporated into every Payment Processor's system of governance. Risk management provides a framework for identifying and addressing risks within the organization and a process for regular operational review and improvement. An effective risk management program adopts an appropriate methodology to identify, evaluate, mitigate and monitor risks pertaining to critical business assets and operations.

Defense-in-Depth Security Best Practice

Processors need to implement security and access controls and safeguards that ensure their networks, systems, and data are adequately protected against internal and external threats and vulnerabilities. Security best practice calls for a defense-in-depth strategy to protect information assets and reduce overall risk. A defense-in-depth design is built so that the failure of any one control does not, by itself, lead to a successful penetration.
By thus providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data. The strategy also requires knowing and understanding the current threat landscape and continually adjusting the security control environment to mitigate the specific risks identified. Public-facing applications and user interfaces need to be thoroughly tested for vulnerabilities by trained security personnel. Various vulnerability scanning and penetration testing tools are available and recommended. Such scanning and testing should be performed whenever there is a change to the system or application
or at least semi-annually. OWASP (Open Web Application Security Project) guidance and other security industry resources should always be used to check web applications prior to release to production. These resources and tools help prevent common exploits such as SQL injection, buffer overflows, cross-site scripting and session hijacking. Impact analysis should be performed to identify the potential impact of such exploits, and appropriate plans developed to mitigate the risks identified; corrective and preventive actions should be implemented accordingly. Systems and network teams should keep patches current across the network, systems, devices, and applications, and every patch should be tested in a test environment before being scheduled for release to production.

Data Integrity and Availability

To ensure the integrity and high availability of customer data, Processors should maintain full system and data redundancy across multiple, geographically dispersed data centers. Such a redundant design eliminates single points of failure and allows transparent fail-over within each data center as well as across data centers. Transaction data should be replicated in near real time across data centers so that, should an outage occur, transaction load can be transferred at a moment's notice to an alternate data center in a monitored and controlled manner. Additional protection comes from regular disk image backups that are electronically replicated to the alternate data center locations. Full redundancy within each data center should include multiple redundant connections to the Internet and to the Payment Networks, each passing through separate carrier trunks that terminate in redundant high-availability routing equipment at the network edge.
Should a telecommunications outage occur on one circuit, switching between carriers takes place automatically and transparently, without manual intervention. If one network edge device fails, its secondary counterpart takes over seamlessly. Each data center should have redundant power service from separate power grids, terminating in dual Uninterruptible Power Supplies (UPS), dual power conditioners, and dual Power Distribution Units (PDUs). These systems should in turn be backed up by dual on-site generators.

Access Management

Access to production networks, systems, and cardholder data should be controlled, restricted and governed by well-documented policies and procedures. Any access to the cardholder data environment should be subject to controls that prevent unauthorized access and data leakage. Such controls may include firewalls; network (VLAN) segmentation; token-based multi-factor authentication; controlled terminal access that limits the user's ability to transfer data to removable media; and clear-desk, clear-screen policies.
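The token-based multi-factor authentication named above is most often a time-based one-time password (TOTP, RFC 6238) checked on the server. The Python below is an added example, not i2c's code nor a description of i2c's platform; it shows the server-side check together with the replay protection a practitioner would want. The seed is the RFC 4226/6238 test secret and the timestamps are constructed, not a real key or real logins.

```python
"""Server-side check of a time-based one-time password (TOTP, RFC 6238)
with replay protection.

Added illustration of the "token-based multi-factor authentication" control;
not i2c code. The seed used in the demo is the RFC 4226/6238 test secret and
the timestamps are constructed values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the code shown on the token
DRIFT_STEPS = 1     # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS) -> str:
    """TOTP is HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, at_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Verifies submitted codes for one user's token and never accepts a
    time step that has already been consumed (or any earlier one), so a
    code captured on the wire cannot be replayed inside the drift window."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_step = -1      # highest time step already accepted

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        # reject anything that is not exactly DIGITS ASCII digits before
        # doing any cryptographic work
        if len(submitted) != DIGITS or not submitted.isascii() or not submitted.isdigit():
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_step:
                continue                                   # replay or stale step
            expected = hotp(self._secret, step)
            # compare_digest runs in constant time, so a wrong guess does not
            # leak how many leading digits matched
            if hmac.compare_digest(expected, submitted):
                self._last_step = step
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"       # RFC test secret, constructed input
    v = TotpVerifier(seed)
    code = totp(seed, 59)                # "287082" per RFC 6238 Appendix B
    print(code, v.verify(code, now=59))  # first use accepted
    print(code, v.verify(code, now=59))  # same code again rejected
```

In production the per-user seed and the last accepted time step both live in durable storage shared by every authentication server (the seed encrypted at rest or held in an HSM); keeping `_last_step` in memory, as here, only works for a single process. Because the verifier refuses any step at or below the last one accepted, a code captured from one login cannot be reused within the drift window, which the drift allowance alone would otherwise permit.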
Event and Activity Monitoring

Continual system and network event and activity monitoring is an important safeguard that helps ensure the integrity and availability of processing services and detects potential unauthorized access attempts in real time. Properly installed and monitored network- and host-based intrusion detection and prevention systems (IDS/IPS), together with tools that collect and intelligently analyze security and event logs, such as a Security Information and Event Management (SIEM) solution, provide meaningful data on a continual basis for staff to monitor and respond to alert notifications. Access to system and device logs should be restricted: only independently designated monitoring staff should be allowed to access this data. File integrity mechanisms should be installed that prevent the erasure of log activity and event data and that detect and report unauthorized access or tampering. Monitoring teams should submit regular activity status reports to management.

Incident Response and Reporting

Appropriate monitoring, incident response and reporting procedures should be in place, including periodic training and testing, to ensure that any security event or outage is properly handled should one occur. To ensure a prompt and orderly response, incident response and reporting procedures should define potential incident scenarios, alert mechanisms, incident management team members and roles, steps for identification and assessment of the incident, stabilization, chain of custody and evidence preservation, notification of internal Management and external stakeholders, and continued follow-up reporting and notification. For large Processors in particular, monitoring and detection should run continually, 24x7x365, using effective tracking, analysis, and automated alert tools.
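The file-integrity requirement under Event and Activity Monitoring above, that log and event data cannot be erased or altered without detection, can be met by chaining records so that each one authenticates the previous. The Python below is an added illustration of that technique, not i2c's implementation; the HMAC key, the sample event lines and the one-record-per-line layout are constructed for the demo.

```python
"""Tamper-evident event log built as an HMAC chain.

Added example for the log-integrity control described in the paper; not
i2c code. Every record's tag covers its own content and the previous
record's tag, so altering, reordering or deleting any record breaks the
chain from that point on, and truncation is caught when the verifier knows
the expected length. Key, event lines and sequence numbers are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS_TAG = "0" * 64   # stands in for the tag of the record before the first


def _tag(key: bytes, prev_tag: str, seq: int, event: str) -> str:
    msg = f"{prev_tag}\n{seq}\n{event}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only writer. The key should live with the independent
    monitoring team, not on the host that produces the events."""

    def __init__(self, key: bytes):
        self._key = key
        self._records: List[Dict] = []

    def append(self, event: str) -> Dict:
        prev = self._records[-1]["tag"] if self._records else GENESIS_TAG
        seq = len(self._records)
        rec = {"seq": seq, "event": event, "tag": _tag(self._key, prev, seq, event)}
        self._records.append(rec)
        return rec

    def export(self) -> str:
        """One JSON record per line, the form a SIEM collector would ingest."""
        return "\n".join(json.dumps(r) for r in self._records)


def verify_chain(key: bytes, text: str,
                 expected_count: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Returns (True, None) if the chain is intact, otherwise (False, seq)
    where seq is the first record that fails. expected_count is the number
    of records the verifier expects (e.g. the last sequence number reported
    to the SIEM); without it, deleting records from the end is invisible."""
    prev = GENESIS_TAG
    count = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["seq"] != count:                 # gap or reorder
            return False, count
        expected = _tag(key, prev, rec["seq"], rec["event"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, rec["seq"]            # content or tag altered
        prev = rec["tag"]
        count += 1
    if expected_count is not None and count != expected_count:
        return False, count                     # truncated tail
    return True, None


def with_event_changed(text: str, seq: int, new_event: str) -> str:
    """Demo helper: rewrite one record's event text without re-tagging it,
    which is all an attacker without the key can do."""
    lines = text.splitlines()
    rec = json.loads(lines[seq])
    rec["event"] = new_event
    lines[seq] = json.dumps(rec)
    return "\n".join(lines)


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    key = b"constructed-demo-key-not-for-production"
    log = ChainedLog(key)
    # constructed sample events, not real log data
    log.append("2024-03-01T02:14:07Z sshd: Accepted publickey for ops from 10.0.1.5")
    log.append("2024-03-01T02:14:21Z sudo: ops : COMMAND=/bin/cat /srv/cde/keys.db")
    log.append("2024-03-01T02:15:02Z sshd: Disconnected from 10.0.1.5")
    text = log.export()
    lines = text.splitlines()
    return {
        "intact": verify_chain(key, text, expected_count=3),
        "edited": verify_chain(key, with_event_changed(text, 1, "sudo: ops : COMMAND=/bin/true"), 3),
        "middle_deleted": verify_chain(key, "\n".join([lines[0], lines[2]]), 3),
        "tail_deleted": verify_chain(key, "\n".join(lines[:2]), 3),
        "tail_deleted_unknown_len": verify_chain(key, "\n".join(lines[:2])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

The verification key must be held by the independently designated monitoring staff, not on the host writing the log: anyone holding the key can rewrite a record and recompute every tag after it. Deleting records from the tail is only detected when the verifier knows the expected count (for example the last sequence number the collector received), which is why the demo passes `expected_count` and shows the unknown-length case passing verification.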
Post-incident root cause analysis should be performed and recorded in a knowledge base to help avoid similar events in future.

Physical and Environmental Controls

Payment Processors should establish and maintain appropriate physical and environmental safeguards at their data centers, including restricting physical access to authorized individuals. These controls should include automated access control mechanisms (proximity sensors, multi-factor key-pad and biometric readers, etc.) and should be monitored on a 24x7x365 basis by on-premise security staff. All visitors should be logged. Physical entry areas and internal spaces within the data centers should be monitored by surveillance cameras, and security personnel should patrol the inner and outer building areas on a regular basis. Real-time monitoring of network operations and infrastructure should be in place to ensure high availability and alignment with expected service levels. The data center facilities should be protected against physical and environmental events through adequate and effective equipment and facilities such as fire extinguishers, fire detection, fire suppression,
climate controls, and power management and protection (backup diesel generators, UPS, power conditioners, PDUs, etc.).

Disaster Recovery and Business Continuity

Payment Processors should establish a well-documented business continuity and disaster recovery plan with defined recovery time objectives (RTO) and scenario-based strategies designed to address any type of disruption event. Disaster recovery and business continuity teams should be selected and trained on executing the plan. Testing of the DR/BCP plan should be performed at least annually, and more often whenever significant changes are made to the operating environment. A business impact analysis should be performed against identified risks with the potential to affect mission-critical operations and core business functions. The disaster recovery and business continuity documentation should be reviewed and updated regularly.

Data Disposal

Payment Processors should adopt and follow proper data retention and disposal procedures. Decommissioned media used to store sensitive information should be cleared of all data using secure data erasure tools, and then physically destroyed with proper destruction certification. Paper and CDs should be shredded.

Software Development and Change Management Controls

For Payment Processors that develop software and technology as a service to customers, change management controls should be established to minimize disruption to normal operations and to preserve system and data integrity. Best practice calls for adopting a system development life cycle (SDLC) methodology that maintains a structured approach to internal software development and updates. Such a controlled process ensures that all changes are reviewed and approved prior to implementation. Post-implementation monitoring is also good practice for application and infrastructure changes.
The change management process should also include a log and audit trail tracking the details of each change, including what was changed, when, and who made the change.

Separation of Duties and Environments

Internal controls should be established that ensure proper segregation of duties among staff responsible for handling sensitive client data. Production should be maintained in a separate environment from development and testing environments through network (VLAN) segmentation. A dedicated resource with a separate reporting
structure is recommended as the software promotion gatekeeper, in effect controlling all changes released to the production environment. This group would ideally oversee all production environment changes, including IT device configuration changes (and may also own version control). It would be responsible for holding all changes until successful testing and proper sign-off and approvals have been verified.

Integrity of Personnel

To increase staff quality and reduce the potential for a rogue employee to abuse their access or authority, background verification checks should be performed on all employees upon hire. Employees should also be required to sign confidentiality agreements. Each employee should also be required to sign off and acknowledge their understanding of all company policies, including the aforementioned security awareness training.
i2c, Inc. provides the cloud-based infrastructure financial institutions, corporations, brands and governments need to launch and profitably manage payment and next-generation commerce products. Its global-ready platform encompasses card-based, virtual and mobile payments, loyalty and back office solutions. Headquartered in Silicon Valley, California, i2c supports clients on five continents from six sales and support offices worldwide. www.i2cinc.com