Transaction Trends, the official publication of the Electronic Transactions Association (ETA), has delivered “Just the FACs”, a fascinating and insightful series that tracks the development and progression of ISVs and PayFacs. With insights from industry experts, the series offers innovative new approaches to protecting and enhancing the customer and partner experience by making security the cornerstone of PayFac solutions.
Bluefin’s Brent Johnson, CISSP, CISA, CDPSE, CIPP/E, advised companies to collaborate with PayFac partners and cloud service providers to protect data when embedding payments into applications and migrating services to the cloud – a “Defense in Depth” approach to security that layers multiple independent controls so that no single failure exposes an organization’s assets.
“Items such as web application firewalls, stateful firewalls, endpoint protection services like CrowdStrike, Intrusion Detection and Prevention, multifactor authenticated access, encryption, and tokenization [are needed],” he said. “Also, consider a zero-trust security framework by requiring all users to be authenticated, authorized, and continuously validated before a user is granted access. Since over 80 percent of attacks involve credential misuse, this approach brings greater integrity to the systems.”
Johnson explained that employee training is also critical to protect against phishing, spear-phishing, smishing, and other schemes designed to get employees to take actions that compromise their connected devices. Once compromised, these devices enable attackers to gain control of a company’s network and data.
Johnson said PayFacs can help companies implement comprehensive cybersecurity strategies that monitor assets and provide real-time analysis and alerting. In addition, properly tuned endpoint protection systems can alert on, contain, and mitigate anomalous behavior.
Emphasizing the need to apply vendor software updates that patch vulnerabilities as they arise, Johnson said PayFac partners can help enterprises keep systems patched to reduce their exploitable attack surface. In addition, he noted that encrypting and tokenizing cardholder data and PII devalues that data in the event of a breach.
“Companies should make encrypted backups of data daily and ensure a copy of this encrypted data is stored offsite,” Johnson said. “Encrypting data and keeping a daily copy of that data offsite provides the opportunity to rebuild and recover from a ransomware attack.”
Gain more insight from Brent Johnson and other thought leaders on how you can secure your business with PayFac 2.0.