Managing Payment Cards
By Samuel Greengard | Posted 2011-09-30
Governance, risk management and compliance are increasingly woven into all aspects of business, so it’s vital for management to understand the complexities involved in this issue.
Managing Payment Cards
Another company that has embraced GRC in a major way is CardSmith, a provider of electronic payment and transaction processing solutions used primarily by colleges and universities. The firm manages cashless payment cards for nearly 150 schools. Students rely on the cards to purchase meals, supplies and other campus goods.
“Parents transfer money into the account as necessary,” says Taran Lent, vice president of product management and development for CardSmith. “So it’s essential to have the highest level of trust in the system.”
The payment cards—in many cases multiuse smartcards that also provide physical access control for dorms and other areas—require tight oversight and adherence to a number of regulatory and compliance requirements, including PCI DSS, Gramm-Leach-Bliley, the Patriot Act and the Credit Card Accountability, Responsibility and Disclosure (CARD) Act of 2009.
As a result, CardSmith turned to NeoSpire, a hosted security service whose protections and reporting tools are designed to help the company meet the PCI Security Standards Council's Data Security Standard (PCI DSS). The service handles host intrusion detection, vulnerability management, monitoring and testing, and PCI DSS security scanning.
“It is critical to protect cardholder data,” Lent says. “There is a huge monitoring component to the business. Systems and processes must be in place to handle all the requirements.”
In addition, CardSmith places a premium on securing computers, point-of-sale terminals and mobile payment terminals, as well as on using encryption and protecting logs from tampering. For example, the NeoSpire system maintains snapshots of logs, which are written and recorded in real time. "They cannot be altered, and there's a centralized management capability," Lent notes.
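The page does not describe how NeoSpire makes its log snapshots tamper-evident, so the following is an added illustration (not CardSmith's or NeoSpire's code) of the usual technique: each entry carries a MAC that covers the previous entry's tag, and the head tag is periodically "snapshotted" off the host. Editing an entry breaks the chain from that point; deleting the newest entries is only caught when the stored snapshot is compared against the current head. The key, the log records and the `TamperEvidentLog` class are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed example key. In a real deployment the key (or a signing key)
# lives with the central log collector, not on the host that writes entries.
LOG_KEY = b"example-log-mac-key-not-for-production"


class TamperEvidentLog:
    """Append-only log: each entry's tag = HMAC(key, previous_tag || record)."""

    GENESIS = b"\x00" * 32  # fixed "previous tag" for the first entry

    def __init__(self, key):
        self.key = key
        self.entries = []        # list of [record_bytes, tag]; lists so the demo can tamper
        self.head = self.GENESIS

    def append(self, record):
        data = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self.key, self.head + data, hashlib.sha256).digest()
        self.entries.append([data, tag])
        self.head = tag
        return tag.hex()

    def snapshot(self):
        """Head tag to be stored off-host (the 'snapshot')."""
        return self.head.hex()

    def verify(self, snapshot=None):
        """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None)."""
        prev = self.GENESIS
        for i, (data, tag) in enumerate(self.entries):
            expected = hmac.new(self.key, prev + data, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False, i
            prev = tag
        # Truncation (dropping the newest entries) leaves a valid chain;
        # only a comparison against a stored snapshot catches it.
        if snapshot is not None and prev.hex() != snapshot:
            return False, len(self.entries)
        return True, None


def demo():
    """Constructed records: a card top-up, a purchase, and a balance check."""
    log = TamperEvidentLog(LOG_KEY)
    records = [
        {"seq": 1, "event": "topup", "card": "tok_a1", "cents": 5000},
        {"seq": 2, "event": "purchase", "card": "tok_a1", "cents": 1250},
        {"seq": 3, "event": "balance", "card": "tok_a1", "cents": 3750},
    ]
    for rec in records:
        log.append(rec)
    snap = log.snapshot()
    ok_before = log.verify(snap)

    # Attacker rewrites the purchase amount in entry 1 in place.
    original = log.entries[1][0]
    log.entries[1][0] = original.replace(b'"cents": 1250', b'"cents": 125')
    after_edit = log.verify(snap)
    log.entries[1][0] = original  # restore for the next scenario

    # Attacker deletes the newest entry instead.
    log.entries.pop()
    after_truncate_no_snapshot = log.verify()
    after_truncate_with_snapshot = log.verify(snap)

    return {
        "ok_before": ok_before,
        "after_edit": after_edit,
        "after_truncate_no_snapshot": after_truncate_no_snapshot,
        "after_truncate_with_snapshot": after_truncate_with_snapshot,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical takeaway is the last two results: a hash chain alone does not detect deletion of the tail, which is why the snapshot (head tag) has to be written somewhere the host cannot modify, and compared on every verification.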
CardSmith also controls and manages data flowing out to smartphones, tablet devices and other mobile tools. Students check their account balances using these devices. All the while, data travels across wireless networks in an encrypted state.
“We require all information that’s sent to CardSmith to be encrypted,” Lent says. “We are working to stay on the leading edge of security.”
Among other things, this means pushing for tamper-resistant terminals at universities and health care providers and the use of tokens as a substitute for sending actual card numbers. The result? "We see very little fraud, and we've been able to achieve extremely high levels of compliance," he says.
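As an added example of the tokenization the paragraph mentions (CardSmith's own design is not described on the page), the block below implements a minimal token vault: a terminal submits a card number once, receives a random token that preserves only the last four digits, and stores and transmits that token from then on; only an authorized back-end role can exchange the token for the number again. The token is random rather than a hash of the number, so it cannot be reversed by brute force over the card-number space. The `TokenVault` class, the index key, the role names and the test card numbers (standard Visa/Mastercard test PANs) are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for the vault's internal lookup index; it must stay inside
# the vault, since HMAC(key, PAN) would otherwise let a holder test guesses.
INDEX_KEY = b"example-vault-index-key-not-for-production"


def luhn_ok(pan):
    """Luhn check on a string of digits (rejects typos before tokenizing)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens; detokenization is limited to named roles."""

    def __init__(self, index_key, detokenize_roles):
        self._index_key = index_key
        self._allowed = set(detokenize_roles)
        self._by_token = {}   # token -> PAN   (the only place the PAN is stored)
        self._by_index = {}   # HMAC(PAN) -> token, so a repeat PAN reuses its token

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_index:
            return self._by_index[idx]
        # 96 random bits plus the last four digits for receipts and support lookups.
        token = "tok_" + secrets.token_hex(12) + "_" + pan[-4:]
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token, role):
        if role not in self._allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def demo():
    vault = TokenVault(INDEX_KEY, detokenize_roles={"settlement"})
    visa, mc = "4111 1111 1111 1111", "5555555555554444"
    t_visa = vault.tokenize(visa)
    t_mc = vault.tokenize(mc)
    try:
        vault.detokenize(t_visa, role="pos_terminal")
        pos_denied = False
    except PermissionError:
        pos_denied = True
    return {
        "token": t_visa,
        "distinct_tokens": t_visa != t_mc,
        "same_on_repeat": vault.tokenize(visa) == t_visa,
        "pan_not_in_token": "4111111111111111" not in t_visa,
        "pos_denied": pos_denied,
        "settlement_pan": vault.detokenize(t_visa, role="settlement"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The terminal and any campus application then see only `tok_..._1111`; the vault, which holds the real numbers, is the one system that has to meet the full PCI DSS cardholder-data controls.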
GRC is a maze of regulations that keep getting more complex. Juniper Research's Bhas points out that mobile transactions present a growing challenge. A recent study conducted by the research firm found that only 4 percent of smartphones and tablets are currently protected with security software.
Enterprise policy compliance must focus on keeping all devices and systems protected and patches up to date, he notes. But it’s also crucial to prevent devices from running unauthorized applications and to block devices that fail a policy check. “Policy compliance needs to work regardless of the brand of the device,” he says.
Likewise, organizations must have a way to monitor and manage all types of communications, including IM, mobile texting, Skype and social media. Preventing unauthorized access to information and thwarting potential data leakage is paramount.
“An organization must make sure that it is capturing all the information and communication flowing in and out,” says ZeroPoint’s Ulsch. Ratcheting up the stakes is the interconnected nature of data and servers. Too many organizations lack tools to capture communications taking place through newer and nontraditional media.
An effective GRC framework finds ways to capture and establish ownership of information. It also cuts across multiple entities, including shareholders, stakeholders, investors and insurers. A high level of flexibility is important, and balancing productivity with protection is essential.
“If there’s a major breach, it not only raises regulatory and compliance issues—including possible penalties and fines—it erodes confidence in the institution and, over time, may lead to a loss of business,” Ulsch explains.