If you’re an independent software vendor (ISV) looking to partner with a payment provider to integrate payments into your software solution - or if you are looking to switch from your current payment provider - you probably have a long list of questions to ask potential partners. Questions about payment security should definitely be at the top of that list. Here are some important security questions to ask your potential payment provider.
1) Do You Assist with PCI Compliance?
PCI compliance is an important part of a payment security strategy, as it can help prevent a costly data breach. Recent research from IBM shows that the average cost of a data breach is $4.24 million USD.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by the PCI Security Standards Council (PCI SSC). PCI DSS lists the minimum security controls that must be met in order to limit the chances of a data breach. All entities that store, process, or transmit credit card data are required to maintain PCI DSS compliance.
Ensuring your software meets the requirements to be PCI compliant can be a daunting task, so ISVs should ensure they’re partnering with a payments provider who is well-versed in that area.
Global Payments Integrated has a dedicated PCI team to assist our partners as well as their merchant customers with resources to help them understand and meet their PCI requirements with a minimum of hassle and confusion.
In addition, Global Payments Integrated offers our PCI ASSURE® program for merchants. This program includes:
- Dedicated 24/7 Client Portal - Merchants have 24/7 access to our web-based portal, which steps them through the requirements and the necessary Self-Assessment Questionnaire (SAQ).
- SAQ Assistance - All the help you’ll need to complete your SAQ. PCI ASSURE® clients also benefit from a much shorter SAQ, greatly simplifying its completion.
- Network Vulnerability Scans - These comprehensive system scans are designed to find problems in your environment before a compromise occurs. Easy-to-understand reports detail the results and instructions are provided to fix any identified issues.
- Policy Builder - Custom Security Profiles - This online tool creates a set of custom security policies that are automatically generated based on the way you process payment cards, making it easy to comply with the PCI DSS requirement associated with security policies.
- Security Awareness Training - Regardless of your PCI compliance status or processing environment, Global Payments Integrated’s dedicated PCI security team is ready and trained to provide the security assistance you need on an individual client basis.
2) Can You Help Us Render Our Systems and Applications Out-of-Scope?
PCI scoping is defined by the PCI Security Standards Council as a process identifying "all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review."
A business or organization's PCI scope includes all people, processes, and technologies that "touch," interact with, or affect the security of cardholder data. All systems that are “in-scope” - meaning that they interact with or affect cardholder data or systems containing it - must be assessed for their compliance with PCI security standards.
“Out-of-scope” systems are prevented from accessing cardholder data or affecting the security of those components or systems. In order to be considered out-of-scope, each component, software program, person, or network area must not process, store, or transmit cardholder data. It must be separated either physically or technologically from the parts of the network that do handle sensitive data, and this segregation must be complete and impenetrable.
Global Payments Integrated provides exceptional solutions that can help prevent your software from touching cardholder data. By using tokenization and encryption, transactions are handled off-site. Our single API makes it easy to integrate Global Payments Integrated payment technology into your applications. Learn more about reducing PCI scope here.
3) Do You Offer Multiple Types of Security Features?
The best approach to payment security is a multi-pronged approach that uses encryption, tokenization, and more to protect cardholder data and keep sensitive information secure during the payment process.
Global Payments Integrated offers an advanced security services bundle intended to protect credit card data, prevent counterfeit fraud, and enhance payments security. Through a unique collection of complementary security solutions, our security bundle delivers one of the industry’s most secure payments platforms while enabling developers and merchants to support EMV®. When integrated into systems that accept payments, the bundle protects credit card data both at rest and in transit. It includes:
- Encryption - Global Payments Integrated’s proprietary encryption encrypts cardholder data at the device, rendering it unreadable downstream. Merchants are unable to view card numbers after the swipe or hand-key.
- Tokenization - With tokenization, cardholder data is replaced by a unique digital string of characters called a token. Sensitive data is stored in the secure Global Payments Integrated vault rather than in the merchant environment.
- EMV® - EMV® technology protects card issuers, merchants, and consumers from losses due to the use of counterfeit and stolen payment cards at the point-of-sale. EMV® chip cards are embedded with a chip that interacts with a merchant’s point-of-sale device, ensuring the card is authentic and belongs to the user.
- QIR™ ASSIST - For developers who wish to pursue QIR certification, Global Payments Integrated offers QIR™ ASSIST, a support program to get your staff certified and ensure you have access to payments security best practices.
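As an added illustration, not Global Payments Integrated's code or API, the following Python sketch shows the pattern the scoping and tokenization passages above describe: the merchant application keeps only a random token and the last four digits, the full card number (PAN) lives in a hypothetical provider-side vault, and a Luhn-checked scan over the merchant's own stored records confirms that no PAN is present. The same scan flags the "before" design that stores the raw PAN and therefore drags the merchant database into scope. The class names ProviderVault and MerchantOrders are assumptions, and the card numbers are the widely published Visa and Mastercard test numbers, used here as constructed sample input.

```python
"""Tokenization plus a PCI-scope check (hypothetical illustration).

Not the payment provider's code. The provider-side vault and the merchant-side
order store are stand-ins that show where the PAN may and may not live.
"""
import json
import re
import secrets

# First-pass PAN detector: 13-19 digits with optional space/dash separators.
# Every hit is confirmed with a Luhn check to keep false positives down.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in arbitrary text, normalised to digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class ProviderVault:
    """Stand-in for the provider's vault: the only place the PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_ok(digits):
            raise ValueError("not a valid card number")
        # Random token: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """The provider resolves the token to the PAN; the merchant never does."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return {"approved": True, "token": token, "amount": amount_cents}


class MerchantOrders:
    """ISV/merchant-side store: keeps the token and last four digits only."""

    def __init__(self, vault: ProviderVault):
        self.vault = vault
        self.orders = []

    def sell(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(pan)
        self.vault.charge(token, amount_cents)
        self.orders.append({"order_id": order_id, "token": token,
                            "last4": re.sub(r"\D", "", pan)[-4:],
                            "amount": amount_cents})
        return token

    def refund(self, order_id: str, amount_cents: int) -> dict:
        order = next(o for o in self.orders if o["order_id"] == order_id)
        return self.vault.charge(order["token"], -amount_cents)  # token, not PAN


def scope_findings(records) -> list[str]:
    """Scan stored records; any PAN found means that store is in PCI scope."""
    return find_pans(json.dumps(records))


def naive_orders(order_id: str, pan: str, amount_cents: int) -> list[dict]:
    """The 'before' pattern: storing the raw PAN pulls the database into scope."""
    return [{"order_id": order_id, "pan": pan, "amount": amount_cents}]


if __name__ == "__main__":
    merchant = MerchantOrders(ProviderVault())
    merchant.sell("A100", "4111 1111 1111 1111", 1999)   # constructed test PAN
    print("tokenized store findings:", scope_findings(merchant.orders))
    print("naive store findings:", scope_findings(naive_orders("B200", "4111 1111 1111 1111", 500)))
```

The scan is deliberately run over the serialised records rather than a named "pan" column, since in practice the PAN leaks into free-text fields, logs and notes as readily as into a dedicated column; running the same check over application logs is a cheap way to confirm the out-of-scope claim holds over time.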
Facilitating payment security can be a complex task, so ISVs need to choose a payments partner who is well-versed in the many different aspects of payment security. Contact us today to learn more about how we can help you with integrated payment security.
EMV® is a registered trademark or trademark of EMVCo LLC in the United States and other countries. www.emvco.com.
Qualified Integrators and Resellers (QIR™) is a trademark of PCI Security Standards Council.