Payments services: Five key technology questions you need to consider

Whether you're applying for authorisation as a payment or e-money institution, or just registering as an account information provider, there are certain PSD2 guidelines you must ensure you follow. Here are our top five technology questions you need to be asking:
 
1. Does my security policy cover all the right areas?
 
The traditional security policy is about spelling out what the people at the top expect of the rest of the business (e.g. passwords will be suitably complex). However, in the context of PSD2, this requirement goes beyond what you would typically find in a traditional security policy document. For example, there is a requirement for you to provide a detailed risk assessment of the services offered. We often find a common omission here around third party support companies – you need to make sure they are reputable and don’t present unwanted additional risks to your business. So, even if you already have a security policy it is worth confirming if it meets these additional requirements.
 
2. How am I going to monitor for security incidents?
 
Can you monitor everything in detail all of the time? Probably not. The key to monitoring is to understand your 'crown jewels', and subsequently the bits of technology that they sit on and are protected by. As you get further out to the periphery, the logging and monitoring needs can be reduced. There are many different tools for security monitoring; some cheap, and some expensive. You can even get someone else to do it for you if you don’t want to get woken up at 3am with an alert that your firewall suspects something fishy is going on!
 
3. What will I do when there is a security incident, and how will I make sure it doesn’t happen again?
 
The systems have been hacked, so what do you do?! Well hopefully you've made plans, as this is the key to handling any security incident. You need a prepared team that includes someone who is authorised to make the tough business decisions, spend cash and talk to the outside world, someone that can manage the incident and report back to management, and finally those at the front line who are trying to figure out what happened and how to fix it.
 
The details of those individuals should be in an incident response plan along with other useful information. Every incident is different but they do follow common themes - which is why playbooks are helpful. It all means you get back on track quicker. Finally, post-incident, when everyone breathes a sigh of relief, is the perfect time to ask what could we have done better.
 
4. I will be looking after sensitive payment data, how am I making sure it stays safe?
 
Sensitive payment data is defined as data that includes personalised security credentials which can be used to carry out online fraud. This is a depressing definition but makes it clear that this is the kind of information you want to keep safe.
 
Encryption plays a big part in looking after this data, including how you store it and how it gets sent over the 'wire'. This information will be one of your 'crown jewels', so it will need careful monitoring in place and all the appropriate policies and procedures.
 
5. After a serious incident, how am I going to get the business back online?
 
Understanding the key technology aspects of your business means you know the minimum that you need to keep the business running. This is what you need to restore, or recover, in the event that everything goes wrong. You need to consider how quickly you want it back: seconds, minutes or days? Finally, how much data are you willing to lose? There are cost implications to these decisions, so they need to be carefully risk assessed.
 
Disasters, although rare, can take on many forms and you should consider a variety of possibilities including the inability to gain access to the office and the loss of key personnel. Above all you should test your recovery plans - they will never work perfectly, but the nearer you can get to perfection the better!
 
How we can help
Our Payments group consists of a multi-disciplinary team of specialists who provide bespoke advice to banks, payments providers and e-money institutions, helping them to manage risk, address regulatory needs and thrive in the evolving payments market.
 
If you would like more information on how to address the technology issues associated with PSD2, please contact our team.
