Payment solution companies face mounting pressure to remain compliant and current with other standards, even as these standards are in flux. Read about how AWS can help.
Payments companies handle sensitive customer data, putting them under pressure to remain compliant, secure, and safe from fraud. On the other hand, data can unlock immense business value. Finding the most efficient way to unlock that business value is on the minds of leadership teams at most payment organizations today. The regulatory environment is shifting toward open banking, driving organizations to adapt to the current landscape and remain flexible in how they process and store data. As a result, leveraging cloud architecture has become an appealing solution to keep payment solutions compliant and agile.
As payments companies continuously adapt to in-flux requirements, regulations, and trends, maintaining systems that are agile enough to handle rapid changes has become a burden. Many payment organizations have data centers outside the geographic region where their data is stored, making it difficult to comply with regional regulations. Given the intensity of the regulatory environment, payments companies must be able to change and comply rapidly, in as little as a few months.
Upgrading or overhauling legacy systems is an expensive undertaking. Leadership is often under pressure to keep the total cost of ownership (TCO) low while also ensuring that operations remain efficient, resilient, and agile. This becomes a tall order as systems that handle sensitive financial data are heavily targeted by cybercriminals looking for vulnerabilities to exploit. Not only must payment organizations abide by Payment Card Industry Data Security Standard (PCI DSS), but they need to ensure that transactions remain secure in the eyes of customers.
These pressures can be difficult to address with monolithic legacy systems that are slow to adapt. Partnering with a cloud provider like Amazon Web Services (AWS) to develop applications has proven to be a cost-effective, efficient, and future-proof solution to modernizing payments operations.
On its website, AWS offers a case study of how one of its AWS Partner Network Premier Consulting Partners and Managed Service Providers (MSPs), holding the AWS Financial Services Competency, leveraged AWS to build an application that addressed some of the challenges faced by one of its financial customers. That customer is a global credit card provider whose data centers were located outside the geographic region where its data was stored, and it needed a way to comply with regional regulatory requirements.
According to AWS, the customer primarily needed:
Compliance was a major concern for this customer, and the AWS partner was able to address all concerns and ensure that the application and architecture were PCI DSS compliant.
Secure Network and Systems
The client was able to build and maintain a secure network and systems where data was secured in the cloud via a firewall that lived around AWS resources. Access was restricted to and from a restricted VLAN in the client’s office, with strict governance in play around the client’s and AWS’ firewall rules. Additionally, the client implemented an access password rotation policy.
Protecting Cardholder Data
Encryption was used for cardholder data both at rest and in motion. Non-reversible hashes masked PCI data at rest. The client also implemented zero-touch security key creation to remove the vulnerabilities attached to human intervention. The solution also used Cloudflare’s WAF to scan and secure data transmitted over open public networks.
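The paragraph above names two controls without showing what they look like in code: rendering the PAN unreadable at rest with a non-reversible hash, and creating keys without a human in the loop. The following is an added example written for this article, not code from the AWS partner or its customer. It assumes a storage layer that keeps only a masked PAN for display plus a keyed HMAC-SHA256 token for lookup; the key shown (DEMO_KEY) is a constructed placeholder, and in a real deployment the key would be generated and held by a key-management service rather than embedded in source.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption for this example). In production the HMAC key is
# generated and held by a key-management service (zero-touch), never typed or committed.
DEMO_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject malformed PANs before hashing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(pan: str) -> str:
    """Normalise spaces/dashes and reject anything that is not a plausible PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, as PCI DSS permits."""
    digits = validate_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Non-reversible keyed hash of the whole PAN (HMAC-SHA256).

    A keyed hash is used instead of a plain digest because PANs carry little entropy;
    PCI DSS v4.0 (requirement 3.5.1.1) calls for keyed cryptographic hashes of the PAN.
    """
    digits = validate_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def generate_key() -> bytes:
    """Zero-touch key creation: a 256-bit key from the OS CSPRNG, no human-chosen input."""
    return secrets.token_bytes(32)


def to_stored_record(pan: str, key: bytes, **fields) -> dict:
    """Build the record that is actually persisted: masked PAN for display, token for
    lookup and de-duplication, and never the PAN itself."""
    record = dict(fields)
    record["pan_masked"] = mask_pan(pan)
    record["pan_token"] = pan_token(pan, key)
    return record


if __name__ == "__main__":
    # Constructed sample input: a well-known Luhn-valid test number.
    print(to_stored_record("4111 1111 1111 1111", DEMO_KEY, merchant="demo-merchant"))
```

The token is deterministic for a given key, so the same card can be matched across records without ever storing the PAN, while the masked form is the only thing a support screen needs. Rotating the key changes every token, which is the intended cost of a non-reversible scheme and should be planned for in the key-management process.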
Vulnerability Management Program
The solution called for the deployment of a comprehensive vulnerability management program and included a periodic internal and external vulnerability scan, anti-virus definition file updates, and penetration testing to protect against malware.
Regular security patches kept all components up to date, and parts of the program were automated via a continuous integration and continuous deployment (CI/CD) pipeline, which also enforced code reviews and Open Web Application Security Project (OWASP) coding guidelines.
The client implemented strong access control measures using need-to-know restrictions for authorization to access cardholder data. Systems accessing data were granted virtual access for a limited time only. All access requests were authenticated, authorized, and logged for audit trails (including the actions taken). Multi-Factor Authentication (MFA) was employed along with strict password rules and rotation policies.
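The access-control paragraph above describes a pattern rather than a product: per-resource grants that expire, an MFA requirement, and an audit record for every request whether it is allowed or denied. The broker below is an added illustration written for this article, not the partner's implementation. It assumes an in-memory grant table and an injectable clock (so the expiry behaviour can be exercised deterministically); the approver, ticket id and resource names are constructed sample values.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Grant:
    principal: str
    resource: str
    approver: str
    justification: str
    expires_at: float


class AccessBroker:
    """Need-to-know, time-limited access to cardholder-data resources.

    Every request, allowed or denied, is appended to an audit trail together with
    the action requested and the reason for the decision.
    """

    def __init__(self, clock: Callable[[], float] = time.time, max_ttl: int = 4 * 3600):
        self._clock = clock            # injectable for deterministic tests
        self._max_ttl = max_ttl        # hard cap on how long any grant may live
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[dict] = []

    def grant(self, approver: str, principal: str, resource: str,
              ttl_seconds: int, justification: str) -> Grant:
        """Record a scoped, expiring grant. Self-approval and missing justification are refused."""
        if approver == principal:
            raise ValueError("self-approval is not allowed")
        if not justification:
            raise ValueError("a justification (e.g. ticket id) is required")
        ttl = min(ttl_seconds, self._max_ttl)
        g = Grant(principal, resource, approver, justification, self._clock() + ttl)
        self._grants[(principal, resource)] = g
        self.audit.append({
            "ts": self._clock(), "event": "grant", "principal": principal,
            "resource": resource, "approver": approver,
            "justification": justification, "expires_at": g.expires_at,
        })
        return g

    def authorize(self, principal: str, resource: str, action: str,
                  mfa_verified: bool) -> bool:
        """Decide one request and log it. Expired grants are purged on first use."""
        now = self._clock()
        g = self._grants.get((principal, resource))
        if not mfa_verified:
            reason = "mfa-required"
        elif g is None:
            reason = "no-grant"
        elif now >= g.expires_at:
            reason = "grant-expired"
            del self._grants[(principal, resource)]
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append({
            "ts": now, "event": "access", "principal": principal,
            "resource": resource, "action": action,
            "decision": "allow" if allowed else "deny", "reason": reason,
        })
        return allowed


if __name__ == "__main__":
    # Constructed walk-through: a one-hour grant that is used, then expires.
    now = [1_000_000.0]
    broker = AccessBroker(clock=lambda: now[0])
    broker.grant("bob", "alice", "cardholder-db", 3600, "INC-0042")
    print(broker.authorize("alice", "cardholder-db", "read", mfa_verified=True))
    now[0] += 3601
    print(broker.authorize("alice", "cardholder-db", "read", mfa_verified=True))
    for entry in broker.audit:
        print(entry)
```

The useful property for an audit is that denials are logged with the same detail as approvals, so a reviewer can see attempts against cardholder data by principals who held no grant, or whose grant had lapsed, rather than only the successful reads.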
Monitoring and Testing
Networks were regularly monitored and tested to ensure that the application abided by restrictions around data download and physical access to data on AWS.
Wireless, printer, mail, and instant messaging access were all disabled on the system that accesses cardholder data, and traffic from that system was restricted to AWS and the host application.
Where security and PCI compliance are concerned, payment companies have no wiggle room for failure. For those still operating on legacy systems, this is especially pertinent. Traditional systems tend to lag in terms of agility and cost efficiency. Hence, payment companies should be seeking to upgrade or overhaul these systems in favor of ones that are easier to operate.
On-demand cloud services not only streamline a company’s ability to remain PCI-compliant but also enable it to build systems incrementally and repeatedly. Building an application on AWS that complies with PCI DSS security standards can provide an organization with an architecture that is both reliable and secure and that satisfies all functional and non-functional regulatory requirements.
Get in touch with us to know how you can leverage the cloud to build secure payment solutions.