When discussing the security of corporate cards and payments, the focus often lies on what the company and cardholder can do to minimise the risk of fraud. Equally important is ensuring that the payment provider meets its security commitments.
"The internal systems and routines of a payment provider are crucial to the security of corporate cards," says Thomas Eriksson, Chief Information Security Officer at AirPlus.
He explains that today's corporate cards are generally very secure, largely due to the ongoing digitalisation in society.
"Digital payment methods have indeed introduced new types of fraud, such as phishing, but they have also led most banks and financial institutions to be more proactive when it comes to securing their processes and systems."
John Mossblad, a fraud analyst at AirPlus, agrees and adds:
"The EU's Second Payment Services Directive, PSD2, which was introduced a few years ago and includes the requirement for strong customer authentication for card payments, has also been very important in the fight against financial crime," he says.
The procedures and systems used by different payment providers can vary. So, what can you as a company do to determine whether a payment provider meets your security requirements?
John and Thomas suggest asking the following four "control questions", where the first question is essential and the rest are more supplementary, depending on how thorough an examination of the supplier you wish to conduct.
Are you ISO/IEC 27001:2022 or PCI DSS certified?
"One of these two certifications should be a basic requirement for a payment provider. ISO/IEC 27001:2022 is an international standard and framework for how organisations should manage information and data. The standard helps organisations identify risks and manage them in a structured and effective manner. To maintain the certificate, annual follow-up audits, both internal and external, are required."
"PCI DSS (Payment Card Industry Data Security Standard) is a security standard ensuring that companies accepting, processing, storing or transmitting credit card information have a secure IT environment with secure processes. To maintain PCI DSS certification, regular security assessments and audits by external PCI auditors are required."
How do you protect our transactions?
"The way a payment provider follows customer transactions can vary significantly. It is important that monitoring occurs in real time, around the clock, regardless of where the payment occurs. What systems are used, and how much of the work is done manually versus automatically? A mix of both approaches is beneficial, with one complementing the other. What types of behaviours are monitored, and what is the procedure if unusual behaviour is detected in a transaction?"
How robust are your systems?
"It is also important to understand how resilient the payment provider's own systems are to, for example, a cyberattack. Do they regularly update and test their systems, and what procedures and processes are in place to quickly get started again after a potential disruption? Also ask them to describe how they proactively work to prevent these types of attacks."
How do you work with partners?
"Most payment providers collaborate with subcontractors in some form. This means that there is another party with access to your transaction data, for example. So you should find out which partners the payment provider collaborates with and how they protect information and services related to these partnerships. Also, ask them to explain how they follow up on and ensure that partners comply with the delivery agreements."