Security & compliance in 2018: Same definition, evolving approach

By James Edgar, Senior Vice President & Chief Information Security Officer, FLEETCOR.

What do security and compliance mean in B2B payments today? Fundamentally, they represent what they always have – protecting customer data, meeting regulatory and industry requirements and being prepared for the unexpected. But as new technologies, digital transformations and mobile trends reshape how businesses operate, the act of successfully executing those three functions becomes more intricate. In parallel with an evolving world, the means of effectively achieving security and compliance are changing. Remaining on the leading edge calls for B2B payments companies to redefine the steps taken to protect customer data, the scope employed to ensure compliance and the measures established to stay prepared for whatever the future brings.

Customer Data Protection

Last year, a data breach experienced by Equifax dominated headlines, with the personal information of over 145 million people being stolen. The fact that a breach of such magnitude happened recently – as opposed to during the years before cybersecurity even became a top priority – further highlights why the approach to even the most obvious best practices should always be evolving.

At a high-level, this starts with forging a globalized and standardized approach to data security. It is critical for businesses to ensure their standards and processes when it comes to securing sensitive data is uniform throughout their operation. Gaps created by mixed or siloed approaches to protecting customer information on local, regional or national levels can weaken overall defenses and create vulnerabilities. A standardized system eliminates any lack of consistency throughout an organization, providing a firm base that can be efficiently and uniformly updated as security needs evolve.

From there, it’s vital to establish administrative, technical and physical measures that ensure the confidentiality, integrity and accessibility of customer data. This means the handling of credit card data and additional sensitive information meets or exceeds industry and regulatory requirements. Data must be stored, transmitted and processed in line with industry standards, employing best practices such as file integrity monitoring, data encryption at rest and in motion, secure configuration management of systems and data loss prevention controls. Companies should also deliver defense in depth – folding a layered approach to malware defense into their security function. This calls for technical controls implemented at both the network perimeter and at the host level; such as firewalls, anti-virus, security event monitoring, data loss prevention tools, data encryption, etc.

These days, people can do quite a bit from any location as long as they have an Internet connection and a laptop, mobile phone or other device. So whether its employees, partners or otherwise, companies are seeing their networks increasingly accessed by remote devices, making the importance of strong endpoint protection significant. Therefore, a robust anti-virus function, a host-based firewall and powerful intrusion prevention and hard disk encryption capabilities are valuable elements to embrace, particularly for commercial payments businesses operating in a world of on-the-go professionals. Companies should also deploy advanced persistent threat (APT) protection agents to all critical network endpoints to help complement the detection and elimination of new malware threats. From a customer-facing standpoint, companies should leverage web application firewalls (WAF) with applications used by clients as an additional means of defense against cyberattacks.

Fully securing customer data also calls for securing the systems and services processing that data. That means utilizing next-generation, enterprise-class firewalls at all network ingress and egress points and monitoring intrusion prevention systems around the clock, among other various network access controls. Additionally, employing the principle of least privilege access – so personnel are only provided authorized access to sensitive systems and files on a need-to-know basis – helps prevent unauthorized logical access. For data centers and offices, companies should employ extensive physical security controls that protect their facilities and information assets, such as video surveillance, dedicated security staff on premises 24/7 and card readers restricting physical access to authorized personnel only.

Of course, the human factor of the equation is hugely significant for customer data protection. For all the security that technology enables, the people administering and overseeing things play a quiet yet supremely critical role in preserving a high standard of protection. In the B2B payments business, companies must have dedicated staff that can prevent, detect and investigate fraudulent transactions and treat the maintenance of those teams as an ongoing investment.

Achieving Compliance

The regulatory landscape for B2B payments can be an intricate one to navigate, especially considering the sensitive nature of the data associated with fund transfers. That landscape grows even more complex as companies manage their payments across states, regions and countries – with each having its own specific set of compliance requirements and standards.

The ability to meet the full spectrum of compliance needs across a variety of markets and industries is a critical one for B2B payments organizations, particularly as the Internet and new technologies increasingly eliminate geographic barriers to doing business. Therefore, first and foremost, B2B payments companies should aim to build a global, overarching system for compliance. Establishing controls that form a foundation for compliance across multiple industry and regulatory standards can help a company efficiently react to changes in requirements – while ensuring their customers’ payment functions never miss a beat across their global presence. When looking closer at the operational infrastructure for the compliance function, it’s also vital for companies to ensure their internal processes are modeled in alignment with requirements. This ensures they are streamlined as opposed to being slowed down or complicated when having to accommodate for changing compliance needs.

Lastly, effectively achieving compliance in territories all over the world is much easier said than done – which is why staff resources play an instrumental role. Having a robust human component to a compliance program calls for multifaceted, multilingual team members familiar with different areas and their requirements, That team must also be savvy at integrating their knowledge and expertise with the broader operation to maintain the highest caliber of compliance. While it’s no small undertaking, cultivating talented global staff resources – capable of harmonizing a vast, diverse set of skills and understanding for large scale compliance – can prove very worthwhile for customers served by B2B payments companies.

Bolstering Preparedness

Among all the best practices for security and compliance in commercial payments, one of the most important is to treat these functions as living, breathing entities requiring constant care and attention. To be prepared for whatever the future throws their way, B2B payments providers should strive for strong adaptability and scalability, as a means to best serve their customers.

To achieve this from a security standpoint, frequent evaluation should be paramount. Given the nature of information handled by B2B payments businesses, the need for their data security function to stay on its toes is crucial. Therefore, undergoing periodic risk assessments is key. Companies should leverage a variety of vulnerability assessment tools to perform routine scheduled scans of internal and external networks and critical applications. The IT security personnel should examine, remedy and track vulnerabilities to ensure they are eliminated in a timely manner.

Furthermore, that team must be trained, educated and augmented as needed on an ongoing basis. The same goes for staff supporting compliance functions across a company’s operation. By investing in the maintenance and growth of the human components in security and compliance, a company can consistently secure its place at the forefront of industry best practices and addressing emerging trends or challenges. This is especially important in light of talent shortages in security and compliance. A B2B payments business that can upskill its internal talent, keep them engaged and regularly trained gains a major advantage over its competitors, while also benefitting from minimized human error. A formidable, constantly improving team is essential for having an up-to-date understanding of the evolving threat landscape and the moving pieces for compliance – and helps commercial payments companies support and advise customers with confidence. After that, further fortification comes in the form of third-party organizations. Leveraging third-party partnerships to provide independent audits that validate controls and compliance across several different areas can make for a rock-solid operation. These include technical vulnerability assessments, penetration tests, gap assessments and more.

Beyond the proactive elements and measures to be prepared for the unexpected, some reactive processes must also be in place. Formal response and recovery plans must be established to ensure a company can respond and resolve issues quickly and efficiently, in the event they occur. Such contingency plans must be periodically updated to accommodate changes to the landscape and new challenges that may arise.

The definitions for security and compliance haven’t changed for B2B payments, but the wisdom behind strengthening both functions continues to come into focus. The myriad best practices outlined for commercial payments can mean very little without that wisdom being applied – and making this a priority starts at the top. The B2B payments companies that will fare best as they navigate security and compliance are those that feature senior leadership teams prioritizing and investing in strengthening these functions. In essence, the human factors in the equation may wind up being the most important at the end of the day – administering the maintenance and advancement of security and compliance operations all the way from positions of leadership to positions of direct support. For B2B payments companies interested in avoiding future pitfalls in security or compliance, the time to embrace a human-driven, ever-evolving approach is now.

Related reading