Finding the Right Partner in a Complex Payments Environment

Sep 27
Brenda Magri, Director of Information Security, Biller Solutions, Fiserv

Whether they touch a button, click a mouse or direct a few choice words toward Alexa, consumers today have an almost endless variety of ways to pay their bills.

More than ever, consumers are demanding speed, convenience and security. It has to be simple for consumers. For billing organizations, though, it's getting more and more complex, especially when you add new regulations, new channels and security to the mix.

Different industries have different payment regulations. And all channels – online, mobile, APIs, interactive voice, call centers, third parties and financial institutions – have multiple access points, each with different security standards. Billing organizations have to understand and manage the risks at all of those points.

But there's more.

Organizations also have to manage the regulations and risks at the back end of the payments system, where the entities that support the public-access points operate.

Building Partnerships

That time-consuming, high-risk responsibility has led many organizations to turn to partners for payments system management. Not long ago, forming those partnerships was relatively straightforward. There may have been five questions on a typical survey for providers.

But now there can be more than 400 questions on one of those surveys. It's just more critical than ever for organizations to understand exactly who they are doing business with.

So how do you vet payments partners to find the right partner in such a complex, evolving market? Here are five key considerations:

1. How well does the provider assess itself?

People don't always consider these details, but it's important to ensure that a third-party, impartial observer is auditing a provider's program. Some providers do self-assessments, but that should raise red flags if it's a large provider with volumes of more than 25,000 payments per year.

Accountability is also crucial. If, for example, you're vetting a provider that is self-assessing for Payment Card Industry (PCI) compliance, but there isn't a company officer signing off on the report, you should pause and take a closer look. Any assessment should have accountability to senior officers.

2. How well does the provider understand the compliance requirements of your industry?

Health care, utility and telecommunications industries, to name a few, have different regulations and requirements. It's important your partner has experience in and understands your industry to help ensure delivery of a tailored solution that meets your needs.

It's easy to say, "I do bill pay." But if a provider doesn't know that, for example, regulations for some industries require reports when a system is down for two hours or more, you're going to have a breakdown in communication.

Beyond industry requirements, you want compliance with applicable regulations. For example, New York's Department of Financial Services created cybersecurity regulations in 2017 for organizations that process transactions for consumers in the state. It's just one instance of the growing number of regulations and further proof that your partner must have a complete grasp of the payments environment.

3. Does the provider have a depth of understanding and experience in security?

Meet with potential partners and pepper them with questions. Do they understand the security risks around what you do? Do they have a dedicated security team? Do they have a training program for that team? What certifications do the security people hold?

Look at their experience handling security incidents. What was their incident-management process?

The point is: Companies can say they're big on security, but you have to drill deeper to find out what that really means.

The people within your provider who are handling security should be comfortable with the complexity of the payments environment and be prepared to protect you, the consumers and all of the related data.

4. How expansive is the provider's security framework?

You're likely looking for an organization that has a holistic approach to compliance and security and a broad program that can meet PCI and other requirements, as applicable. You don't necessarily want a security framework built only to specific requirements.

The frameworks could be for PCI, the National Institute of Standards and Technology, the Health Information Trust Alliance or others, depending on the industry. Find out if the provider aligns to just one or multiple frameworks.

And make sure that when your potential partner conducts audits, whether internally or through a third party, it determines how well it aligns to the various frameworks.

5. How financially healthy is the provider?

It might seem obvious, but it's crucial to assess each provider's financial health. The stronger their financials, the more likely they are to withstand the fallout of a security incident.

The reality for some is that one security incident can wipe them out financially and leave you standing alone. Make sure they're financially viable, so if an incident occurs, they won't disappear.

Solving the Payments Riddle

The payments environment has become a complex tapestry of risk and regulatory oversight, and it's only going to get more complicated. There are so many different ways to pay a bill, and for each, there are endpoints, process points and transaction reporting with regulatory requirements around all of them.

On top of that, the bad guys keep getting better and faster. Two things occur as the number of channels rises: regulations increase, and attempts to break through security follow closely behind.

Billing organizations must be constantly vigilant. And that adds a layer of stress throughout a company.

Large organizations that have processed payments internally for years are deciding the stakes are getting too high. But finding the right partner is, in itself, a high-stakes process that requires due diligence, attention to detail and a clear strategy for success.