Retired Member

Are your payment systems safe and secure? Product selection

28 January 2014

In my earlier post on security we touched on payment security and the importance of security standards such as PCI DSS to your payment systems. We can now look at the specific challenge of product selection. If you are a CIO/CTO looking to upgrade or implement a new solution to meet your business needs, then security and the associated certification should be a critical parameter in your product evaluation and selection process.

So how does one go about making a decision on product selection while ensuring the integrity of your payment ecosystem? 

Assuming you have already made your build or buy decision and chosen to buy and are now discovering the right product, what happens now? 

Off-the-shelf products that are already security certified (e.g. PA-DSS) are a good way to start your discovery process. Let's say you are looking for a card management or mobile payment system that would work in real time to authorize and process transactions, or even a reconciliation system that would take end-of-day feeds and produce reports; they are all bound to hook into various parts of your existing payment ecosystem. So how does one go about the process?

While I cannot cover all of the parameters, I would like to touch upon a couple of critical ones.

"Product fitment" - Ideally the product selected should fit all of the mandatory business requirements of your target system, i.e. the minimum gap to bridge before go-to-market; otherwise you risk spending time and money bridging between the product and your business requirements, resulting in auditing and re-certification of the end product. The key is to ensure that you follow the specific security accreditation guidelines. For example, if you are looking for a PA-DSS certified product, then as part of your evaluation you need to ensure that the delta customization you would make to the solution does not change the core of the product, and that whatever change you build on top of the core can be swiftly certified.

Another important point to note is the "Architecture" of the target system. Over the last decade a lot of groundwork has been done in putting together loosely coupled frameworks that help modularize product construction and solution building, providing quick-to-market capabilities to the business. This essentially means that the core of these new-age systems tends to have a lean footprint, with interfaces and handlers put together using SDKs (all getting a bit technical now!). Simply put, you need to review the architecture of the selected system and how it stacks up against the certification guidelines you are aiming for.

The solution lies in performing thorough due diligence during vendor and product selection; it is no longer just about technology and cost but about creating a "secure payment ecosystem". This calls for putting together an organization-specific diligence framework and product selection process that takes into account security and regulatory requirements. This should help avoid unnecessary heartbreak, not to mention cost escalations.

Tags: Security, Payments
