Assessing Security Risks in Third-party Payment Processing
3 min read
Managing financial information is a dangerous business, and the past year has been marked by a number of significant data breaches. Large companies with the money and power to best protect credit information, such as Target, Home Depot, and Urban Outfitters, have all been affected, leaving smaller companies with less robust security infrastructure feeling like a breach is bound to occur, posing a risk to their customers.
Financial data management does not need to be this stressful. Many of these smaller businesses, however, rely on third-party companies to perform their payment processing and data management, further complicating risk assessment. Here are some issues to consider when dealing with external payment management for your business.
Keeping Networks Separate
One of the greatest problems that data security professionals are encountering today is that networks and servers are increasingly interlinked. These connections make outside infiltration easier than ever, as the links between the private and the public become more numerous. Information thieves are now just a link away from confidential information.
Your payment management company is responsible for making sure that these kinds of connections are minimized, and that those links that do exist are appropriately protected. Ask your third-party provider how they handle network privacy. This includes asking questions about employees’ use of mobile technology in the workplace that could pose a security issue.
Assessing Public Relations
A look at your digital security management company’s public relations (PR) practices could prove very revealing. How does the PR branch of the company talk about security breaches? For many PR offices, any information breach affecting fewer than 10 million people is small. If this kind of minimizing is happening on a regular basis, you may want to turn to a different company to handle your customers’ data.
Categories Are Valuable
Running a business means balancing an array of concerns and connections. So, while you should be extra concerned about the security procedures of any company handling sensitive information, there are other factors to be considered. One system for managing security issues is to rank different companies by risk level. What kind of data are they handling and what is their reputation? Companies with greater risk can be placed under more significant observation and should have their practices audited more frequently.
Reconsider Vulnerability Management
Does your third-party payment manager use an automated vulnerability management system to protect their data? As Gordon Mackay points out, these systems can lull companies into a false sense of security and can be an unwise use of resources. Steer clear of companies using these systems in favor of those that take a more active approach to handling data. Poorly functioning vulnerability management software has been behind a number of breaches, making it far more costly than most realize.
Pay Attention to Staffing
There is a serious shortage of great Internet and data security professionals on the market today. Does the external company doing your payment management employ enough of the best minds out there? And does your third-party company do appropriate background checks on those employees? It is important that you do not just have a single link with a company representative, but rather that you understand the larger atmosphere of the company. Know who is handling your data.
While third-party payment management is often the best solution for small businesses, that does not mean you can take a backseat and leave the whole project up to them. Business owners should always be proactive in their relationships with any company handling sensitive information. Be vigilant about breaches and take responsibility for your data, even when it is not in your hands.
Larry Alton
Freelance writer
[ISACA Now Blog]
English