The New Normal: The Expanding Role of Technology Providers in Payment Processing Pete S. Johnson

Upload: others

Post on 25-Mar-2022

2 views

Category:

Documents


0 download

TRANSCRIPT

The New Normal: The Expanding Role of Technology Providers in Payment Processing Pete S. Johnson

Transition

Introduction of disruptive technologies

Retail focus on in-store experience and moving away from the traditional point of sale

Growing acknowledgment by financial institutions that purchasing habits are changing; increasing comfort with role of technology

Recent Market Trends Affecting Role of Technology Providers

Brick and Mortar

eCommerce

Mobile Commerce

Hypothetical Transaction

Assumptions: Entire transaction will occur in the United States; Point of Sale Solutions Provider utilizes Cloud Provider to host web-based application that provides payment processing, inventory management and other functionalities.

Primary Players: Consumer; Merchant; Issuing Bank; Point of Sale Service Provider; Cloud; Payment Network; Acquirer/Processor

[Diagram: arrows between the primary players labeled DATA and AUTH/$$, showing the flow of transaction data and of authorization and funds]

Importance of Due Diligence

How will data flow end-to-end?

Which parties will have access to payment credentials and transaction data?

At which points will data be encrypted?

Will any party that accesses, processes or stores payment data subcontract relevant services?

Will a public cloud or private cloud be used to host the Point of Sale Solution Provider’s system?

Practice Tip: Request a diagram of the end-to-end process from your business client (or prepare one yourself if necessary)

Key Considerations for Agreement (and Product Development)

How will the Point of Sale Solution Provider and its Cloud Provider demonstrate that they have sufficient controls and safeguards in place to protect payment data?

What legal, regulatory and industry regimes and standards apply to the Point of Sale Solution Provider and its Cloud Provider?

What kinds of ongoing testing may be required of the Point of Sale Solution Provider and its Cloud Provider?

How will the parties verify that the Point of Sale Solution Provider maintains sufficient controls/safeguards and compliance?

Methods for Demonstrating Sufficiency of Controls and Safeguards

PCI Compliance

PCI DSS Report on Compliance and Attestation of Compliance

PA DSS Report on Validation and Attestation of Validation

Compliance with ISO 27001 and 27002

ISO 27001 – Information Technology – Security Techniques – Requirements – Ex. Segregation of duties

ISO 27002 – Information Technology – Security Techniques – Code of Practice

Requires internal testing and self-certification

SSAE-16 Type II/ISAE 3402 (International)

Tests participant’s internal controls against established standards

Typically results in a report that is often requested of service providers

ISO 22307 Privacy Impact Assessment

Internal test against privacy standards and compliance with company’s privacy policy

Legal, Regulatory and Industry Regimes and Standards

Payment Network Rules

Obligation typically imposed by merchant acquirer or processor

PCI DSS; PA DSS; Payment Network Security Programs (CISP + SDP)

Gramm-Leach-Bliley (GLB)

Requires implementation of reasonable “administrative, technical and physical safeguards”

Applies to entities engaged in “financial activities” and compliance will generally be contractually required for parties providing services to those entities

Interagency Guidelines Establishing Customer Information Safeguards

Adopted by primary agencies overseeing financial institutions (Federal Reserve, FDIC, OCC)

Requires entities subject to agencies’ supervision to adopt written information security programs and provides standards and requirements for those programs

Provides guidance for cloud service providers

Legal, Regulatory and Industry Regimes and Standards (cont.)

FFIEC Cloud Computing Guidance

Prepared by Federal Financial Institutions Examination Council (FFIEC), which includes representation from primary agencies overseeing financial institutions, the new Consumer Financial Protection Bureau and state agencies

FFIEC has authority to audit service providers to financial institutions

Open Web Application Security Project (OWASP)

Open Web Application Security Project is a non-profit organization established to create standards for the security of software applications

Compliance with OWASP “Top 10” often required of application providers by financial institutions and others

State data security/data breach laws

Common Ongoing Testing Requirements

Periodic PCI and ISO certifications and reports

Regular penetration testing

(internal or by independent vendor qualified under PCI ASV)

Regular vulnerability and threat assessment (VTA) testing

Independent Verification of Compliance

Standard contractual audit rights

Payment network audits

Regulatory audits

Independent audit of PCI and ISO compliance and related reports

SSAE-16 Type 2 reports by independent auditors

Trends on the Horizon (that may reshape the landscape…again)

Tokenization of payment credentials – Clearinghouse Initiative – Payment Network Initiative

Increasing use of proxy credentials to limit number of players who touch payment credentials (e.g. PayPal mobile model)

Cost/benefit analysis of compliance with established standards

Questions?


Thank you

Peter S. Johnson Partner [email protected] 206.757.8072