Payment solution companies face mounting pressure to remain compliant and current with other standards even as these standards are in flux. Read about how AWS can help.
Payments companies handle sensitive customer data, putting them under pressure to remain compliant, secure, and safe from fraud. On the other hand, that data can unlock immense business value. Finding the most efficient way to unlock that business value is on the minds of leadership teams at most payments organizations today. The regulatory environment is shifting toward open banking, driving organizations to adapt to the current landscape and remain flexible in how they process and store data. As a result, leveraging cloud architecture has become an appealing solution to keep payments solutions compliant and agile.
As payments companies continuously adapt to in-flux requirements, regulations, and trends, maintaining systems that are agile enough to handle rapid changes has become a burden. Many payments organizations have data centers outside of the geographic region where data is stored, making it difficult to comply with regional regulations. Given the intensity of the regulatory environment, payments companies must be able to change and comply rapidly, in as little as months.
Upgrading or overhauling legacy systems is an expensive undertaking. Leadership is often under pressure to keep the total cost of ownership (TCO) low while also ensuring that operations remain efficient, resilient, and agile. This becomes a tall order as systems that handle sensitive financial data are heavily targeted by cybercriminals looking for vulnerabilities to exploit. Not only must payments organizations abide by Payment Card Industry Data Security Standard (PCI DSS), but they need to ensure that transactions remain secure in the eyes of customers.
These pressures can be difficult to address with monolithic legacy systems that are slow to adapt. Partnering with a cloud provider like Amazon Web Services (AWS) to develop applications has proven to be a cost-effective, efficient, and future-proof approach to modernizing payments operations.
On its website, AWS offers a case study of how one of its AWS Partner Network Premier Consulting Partners and Managed Service Providers (MSPs), holding the AWS Financial Services Competency, used AWS to build an application addressing challenges faced by one of its financial customers -- a global credit card provider whose data centers were located outside the geographic region where its data was stored, and which needed a way to comply with regional regulatory requirements.
According to AWS, the customer primarily needed:
Compliance was a major concern for this customer, and the AWS partner was able to address all concerns and ensure that the application and architecture were PCI DSS compliant.
The client was able to build and maintain a secure network and systems in which data was protected in the cloud by a firewall around the AWS resources. Access was restricted to and from a restricted VLAN in the client’s office, with strict governance of both the client’s and AWS’s firewall rules. Additionally, the client implemented an access password rotation policy.
Encryption was used for cardholder data both at rest and in motion. Non-reversible hashes masked PCI data at rest. The client also implemented zero-touch security key creation to remove the vulnerabilities that come with human intervention. The solution also used Cloudflare’s WAF to scan and secure data transmitted over open, public networks.
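The paragraph above says PCI data was masked at rest with non-reversible hashes. The following is an added example, not code from the case study or from AWS, showing what a practitioner would want that to mean: the PAN is never stored, a display form keeps only the first six and last four digits, and the storable reference is a keyed HMAC rather than a bare hash (a plain SHA-256 of a PAN is enumerable once the issuer prefix is known, so the secret key is what makes the mapping non-reversible to anyone without it). The key value, the test card numbers and the record layout are constructed for the example; the key would live in a managed key store in a real deployment.

```python
import hashlib
import hmac
import re

# Constructed example key. In production this secret is generated and held in a
# managed key store (HSM or cloud KMS) and never appears in source code.
EXAMPLE_HMAC_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

PAN_PATTERN = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Return True when the digit string passes the Luhn checksum (input validation only)."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits kept, everything in between masked."""
    if not PAN_PATTERN.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = EXAMPLE_HMAC_KEY) -> str:
    """Non-reversible reference for storage and lookup: HMAC-SHA256 under a secret key.

    Without the key the token cannot be mapped back to a PAN by enumerating candidate
    card numbers, which is the weakness of hashing a PAN with an unkeyed digest.
    """
    if not PAN_PATTERN.fullmatch(pan) or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(pan: str) -> dict:
    """What actually lands at rest: the keyed token and the masked display form, never the PAN."""
    return {"pan_token": pan_token(pan), "pan_masked": mask_pan(pan)}


if __name__ == "__main__":
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    print(store_record("4111111111111111"))
```

Lookups by card (for example, "has this card been seen before?") run against `pan_token`, so the application can index and deduplicate without ever holding the clear PAN; rotating the HMAC key invalidates every stored token, which is the trade-off to plan for when choosing this scheme over a vault-backed tokenization service.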
The solution called for the deployment of a comprehensive vulnerability management program, including periodic internal and external vulnerability scans, anti-virus definition file updates, and penetration testing, to protect against malware.
Regular security patches kept all components up to date, and parts of the program were automated through a continuous integration and continuous deployment (CI/CD) pipeline that enforced code reviews and Open Web Application Security Project (OWASP) coding guidelines.
The client implemented strong access control measures, using need-to-know restrictions to authorize access to cardholder data. Systems accessing data were granted virtual access for a limited time only. All access requests were authenticated, authorized, and logged for audit trails (including the actions taken). Multi-Factor Authentication (MFA) was employed along with strict password rules and rotation policies.
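The access control paragraph above combines four properties: need-to-know grants, time-limited access, MFA on every request, and an audit trail that records the action taken. The following is an added example, not code from the case study or from AWS, that puts those properties into one deny-by-default authorizer so the interactions are visible: an expired grant denies even with MFA, a missing MFA denies even with a valid grant, and every decision, allowed or denied, lands in the audit log with its reason. The principal, resource and action names and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Grant:
    """A need-to-know grant: one principal, one resource, an explicit action set, a hard expiry."""
    principal: str
    resource: str
    actions: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    resource: str
    action: str
    mfa_verified: bool
    requested_at: datetime


class CardholderDataGate:
    """Deny-by-default authorizer that records every decision, allowed or denied."""

    def __init__(self, grants: Iterable[Grant]) -> None:
        self._grants: List[Grant] = list(grants)
        self.audit_log: List[dict] = []

    def authorize(self, req: AccessRequest) -> bool:
        allowed, reason = self._evaluate(req)
        # Who, what, which action, when, and why. Denials are logged as well,
        # since they are what an investigator looks for first.
        self.audit_log.append({
            "timestamp": req.requested_at.isoformat(),
            "principal": req.principal,
            "resource": req.resource,
            "action": req.action,
            "mfa": req.mfa_verified,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def _evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        if not req.mfa_verified:
            return False, "mfa_required"       # MFA is checked before any grant is consulted
        reason = "no_grant"
        for g in self._grants:
            if g.principal != req.principal or g.resource != req.resource:
                continue
            if req.requested_at >= g.expires_at:
                reason = "grant_expired"       # time-boxed access has lapsed
                continue
            if req.action not in g.actions:
                reason = "action_not_granted"  # need-to-know: only listed actions
                continue
            return True, "grant_matched"
        return False, reason


def issue_grant(principal: str, resource: str, actions: Iterable[str],
                now: datetime, ttl: timedelta = timedelta(hours=1)) -> Grant:
    """Time-boxed grant: access expires on its own instead of persisting until revoked."""
    return Grant(principal, resource, frozenset(actions), now + ttl)


def demo() -> Tuple[List[bool], List[dict]]:
    """Run five constructed requests through the gate; returns decisions and the audit log."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    gate = CardholderDataGate([issue_grant("settlement-svc", "vault/tokens", {"read"}, now)])
    later = now + timedelta(minutes=5)
    decisions = [
        gate.authorize(AccessRequest("settlement-svc", "vault/tokens", "read", True, later)),
        gate.authorize(AccessRequest("settlement-svc", "vault/tokens", "read", False, later)),
        gate.authorize(AccessRequest("settlement-svc", "vault/tokens", "delete", True, later)),
        gate.authorize(AccessRequest("settlement-svc", "vault/tokens", "read", True, now + timedelta(hours=2))),
        gate.authorize(AccessRequest("analyst", "vault/tokens", "read", True, now)),
    ]
    return decisions, gate.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The same structure maps onto a cloud identity service: the grant becomes a short-lived role session with an explicit action list, the MFA check becomes a condition on the session, and the audit log becomes the provider's API activity log, which should be retained and reviewed rather than merely enabled.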
Networks were regularly monitored and tested to ensure that the application abided by restrictions around data download and physical access to data on AWS.
Wireless, printer, mail, and instant messaging access were all disabled on the system that accesses cardholder data, and traffic from that system was restricted to AWS and the host application.
Where security and PCI compliance are concerned, payments companies have no wiggle room for failure. For those still operating on legacy systems, this is especially pertinent. Traditional systems tend to lag in agility and cost efficiency, and payments companies should be seeking to upgrade or overhaul them in favor of systems that are easier to operate.
On-demand cloud services not only streamline a company’s ability to remain PCI-compliant, but also enable it to build systems incrementally and repeatably. Building an application on AWS that complies with PCI DSS security standards can give an organization an architecture that is both reliable and secure and that addresses all of its functional and non-functional regulatory requirements.