May 31, 2023 at 9:52am

This series, “Just the FACs,” tracks the development and progression of ISVs and PayFacs. Part 1 charted PayFac’s evolution from “fast onboarding for ISOs” to more nuanced, vertically focused, customizable solutions. In Part 2, experts examine innovative new approaches to protecting and enhancing the customer and partner experience by making security the cornerstone of PayFac solutions.

Security analysts who participated in the recently concluded TRANSACT conference foresee PayFac’s potential to promote secure commerce while maintaining user-friendly interfaces. Each explained how PayFacs leverage advanced technologies, locally and in the cloud, to maintain compliance and bolster security.

Cloud, AI, Automation Trifecta
Troy Leach, Chief Strategy Officer at the Cloud Security Alliance, cited SaaS-based offerings, automation, and AI as notable trends that simplify and strengthen compliance.

“The world of payments is moving much quicker today than just a few years ago,” he said. “Exciting to see what is ahead for the industry as it quickly evolves and leverages these giant steps in technology.”

Leach has also seen greater use of artificial intelligence to offer smarter and more customized solutions that build security and compliance into solution design. This includes a growing number of business use cases for ChatGPT and Google’s Bard, he said, that demonstrate the potential of AI to simplify our lives and identify more practical, efficient approaches to security.

By leveraging cloud computing, companies can confidently create secure profiles, Leach noted, and once a secure profile exists it can be deployed a thousand times with the same consistent security. That is the beauty of scaling as a PayFac-as-a-Service, he added: onboarding new clients takes less time, the same compliant configuration is replicated every time, and system capacity is never a concern.

“Payment Facilitators are learning quickly how to enable the many benefits of dynamic security that comes with ‘as-a-service’ cloud computing,” he said. “Traditional banking and legacy technology often would require more manual involvement and cost to make security changes.”

Leach cautioned ISVs and PayFacs that outsourcing services doesn’t mean shifting responsibility for compliance to third parties. A Shared Security Responsibility Model (SSRM), with assigned roles and responsibilities, will hold both company and service provider accountable, he stated, and it’s equally important for both parties to demonstrate security and compliance on demand, whenever requested.

“PayFacs must be very aware of the responsibility they have for their merchants and also the increased scrutiny from regulators all over the world to assure they are also accountable for the protection of customer data,” he said. “The good news is many cloud service providers (CSP) partners that offer software or platforms are becoming very knowledgeable in financial service compliance and are hiring security experts from the financial service industry to lead groups dedicated to solving regulatory issues to which their customers must adhere.”

Defense in Depth
Brent Johnson, CISO at Bluefin, advised companies to work with PayFac partners and cloud service providers to protect data when embedding payments into applications and moving services to the cloud. Where appropriate, he added, companies should consider a Defense in Depth approach that layers multiple measures to protect an organization’s assets.

“Items such as web application firewalls, stateful firewalls, endpoint protection services like Crowdstrike, Intrusion Detection and Prevention, multifactor authenticated access, encryption, and tokenization [are needed],” he said. “Also, consider a zero-trust security framework by requiring all users to be authenticated, authorized, and continuously validated before a user is granted access. Since over 80 percent of attacks involve credential misuse, this approach brings greater integrity to the systems.”

Johnson explained that employee training is also critical to protect against phishing, spear-phishing, smishing, and other schemes designed to get employees to take actions that compromise their connected devices. Once compromised, these devices enable attackers to gain control of a company’s network and data.

Leverage PayFac Expertise
PayFacs can help companies implement comprehensive cybersecurity strategies that Johnson said can monitor assets and provide real-time analysis and alerting. In addition, properly tuned endpoint protection systems can alert, contain, and mitigate anomalous behavior.

Emphasizing the need to implement vendor software updates that patch vulnerabilities as they arise, Johnson said PayFac partners can help enterprises keep systems patched to reduce their exploit surfaces. In addition, he noted that encrypting and tokenizing cardholder data and PII data will devalue the data in the event of a breach.

“Companies should make encrypted backups of data daily and ensure a copy of this encrypted data is stored offsite,” Johnson said. “Encrypting data and keeping a daily copy of that data offsite provides the opportunity to rebuild and recover from a ransomware attack.”

Simplify Security Compliance
Johnson acknowledged that compliance can be challenging and offered the following advice:

  • Build a solid security infrastructure: Programs built on a foundation of industry best practices require less drastic modifications as standards mature and evolve. However, these programs require dedicated workers, periodic in-house assessments, and regular third-party audits.
  • Get management buy-in: Programs supported by senior management, with appropriate investment and resources, have greater potential for success.
  • Stay actively involved: Programs that engage stakeholders through conferences, calls, and discussions on new standards will help employees and third-party providers maintain compliance and security best practices.

Build Security-First Partnerships
Sully Perella, Senior Manager at Schellman, observed that PayFac partners can help enterprise-level clients and small and nano merchant channels achieve security compliance.

“The good side of this scenario is that most infrastructures support the necessary segmentation to keep individual clients apart and the scalability that enables them to meet demand for larger clients as they grow,” he said. “The difficult side of this is management from both an access control and logging in perspective.”

Perella said that in the former scenario, PayFac partners must carefully architect their solutions with credential management that does not allow one-to-many attacks, in which one compromise leads to multiple entities being compromised.

In the latter scenario, when designing access control and permission levels, Perella noted that a PayFac partner must either provide monitoring capabilities as part of their offering or enable the client to perform these actions independently.
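The two concerns Perella raises, keeping tenants segmented so that one leaked credential cannot become a one-to-many compromise, and giving each client its own access control and audit log, are illustrated in the following added Python example. It is not code from Payfactory, Schellman or any PayFac platform; the in-memory vault, the `TokenVault` class, the `tok_` token prefix and the merchant names and card numbers are all constructed for the illustration.

```python
"""Added example: per-tenant credential isolation in a multi-tenant token vault.

Not code from Payfactory, Schellman or any PayFac platform. The in-memory
store, class and method names are assumptions made for the illustration;
a production vault would keep card data in an HSM-backed store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Tenant:
    tenant_id: str
    api_key_hash: bytes                                    # credential stored only as a hash
    tokens: Dict[str, str] = field(default_factory=dict)   # token -> PAN, this tenant only


@dataclass
class AuditEvent:
    tenant_id: str
    action: str
    outcome: str


class TokenVault:
    """Each merchant gets its own credential and its own token namespace."""

    def __init__(self) -> None:
        self._tenants: Dict[str, Tenant] = {}
        self.audit: List[AuditEvent] = []

    @staticmethod
    def _hash_key(api_key: str) -> bytes:
        return hashlib.sha256(api_key.encode()).digest()

    def onboard(self, tenant_id: str) -> str:
        """Create a tenant with a fresh random credential; the key is returned once."""
        api_key = f"{tenant_id}.{secrets.token_urlsafe(24)}"
        self._tenants[tenant_id] = Tenant(tenant_id, self._hash_key(api_key))
        self.audit.append(AuditEvent(tenant_id, "onboard", "ok"))
        return api_key

    def rotate_key(self, tenant_id: str) -> str:
        """Replace one tenant's credential without touching any other tenant."""
        tenant = self._tenants[tenant_id]
        api_key = f"{tenant_id}.{secrets.token_urlsafe(24)}"
        tenant.api_key_hash = self._hash_key(api_key)
        self.audit.append(AuditEvent(tenant_id, "rotate_key", "ok"))
        return api_key

    def _authenticate(self, api_key: str, action: str) -> Tenant:
        # The key prefix names the tenant, so a credential is only ever checked
        # against that one tenant's hash; no key can match more than one tenant.
        tenant_id, _, _ = api_key.partition(".")
        tenant = self._tenants.get(tenant_id)
        if tenant is None or not hmac.compare_digest(tenant.api_key_hash, self._hash_key(api_key)):
            self.audit.append(AuditEvent(tenant_id or "unknown", action, "auth_failed"))
            raise PermissionError("invalid credential")
        return tenant

    def tokenize(self, api_key: str, pan: str) -> str:
        tenant = self._authenticate(api_key, "tokenize")
        token = "tok_" + secrets.token_hex(8)
        tenant.tokens[token] = pan
        self.audit.append(AuditEvent(tenant.tenant_id, "tokenize", "ok"))
        return token

    def detokenize(self, api_key: str, token: str) -> str:
        tenant = self._authenticate(api_key, "detokenize")
        # Lookup is scoped to the caller's own namespace: a token minted for
        # another merchant is simply absent, so one credential cannot reach
        # across tenants (no one-to-many compromise).
        pan = tenant.tokens.get(token)
        if pan is None:
            self.audit.append(AuditEvent(tenant.tenant_id, "detokenize", "denied"))
            raise PermissionError("token not in this tenant's namespace")
        self.audit.append(AuditEvent(tenant.tenant_id, "detokenize", "ok"))
        return pan

    def events_for(self, tenant_id: str) -> List[AuditEvent]:
        """Per-tenant log view: what a client would receive for its own review."""
        return [e for e in self.audit if e.tenant_id == tenant_id]


if __name__ == "__main__":
    vault = TokenVault()
    key_a = vault.onboard("merchant-a")
    key_b = vault.onboard("merchant-b")
    token = vault.tokenize(key_a, "4111111111111111")   # constructed test PAN
    print(vault.detokenize(key_a, token))
    try:
        vault.detokenize(key_b, token)                   # cross-tenant read is refused
    except PermissionError as err:
        print("cross-tenant access blocked:", err)
    for event in vault.events_for("merchant-b"):
        print(event)
```

The design choice worth noting is that isolation comes from two independent layers: the credential can only ever authenticate one tenant, and the token lookup is performed inside that tenant's namespace, so a guessed or leaked token value from another merchant resolves to nothing. The per-tenant `events_for` view is the minimal form of the monitoring Perella says a PayFac must either operate itself or hand to the client.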

When reflecting on common misconceptions about security and compliance among ISVs, merchants, and service providers, Perella recommended that all parties perform due diligence to align their interests and objectives.

“Before engaging with a partner, organizations need to be thorough to align the services sought with the language of the contract,” he said, adding that security and compliance are dynamic and what is considered both secure and compliant today may not be in six months.

“Organizations must remain diligent in maintaining their environments,” he said. “From social engineering attacks to zero-day attacks, our community needs to communicate clearly between ISVs, merchants, and service providers to inform each other of vulnerabilities and exploits and the questions surrounding new technologies and offerings. The shiny new thing may make transactions easier but does not necessarily dissipate risk.”

Dale S. Laszig is a payments industry journalist and guest columnist for Payfactory. Prior to her writing career, she managed business development for leading payments acquirers and POS manufacturers. Connect with her at [email protected], LinkedIn and Twitter.