In my earlier post on security we touched on payment security and the importance of standards like PCI DSS to your payment systems. We can now look at the specific challenge of product selection. If you are a CIO/CTO looking to upgrade or implement a new solution to meet your business needs, then security, and the certification that goes with it, should be a critical parameter in your product evaluation and selection process.
So how does one go about making a decision on product selection while ensuring the integrity of your payment ecosystem?
Assuming you have already made your build-or-buy decision, chosen to buy, and are now searching for the right product, what happens next?
Off-the-shelf products that already carry a security certification (e.g. PA-DSS validation) are a good place to start your discovery process. Let's say you are looking for a card management or mobile payment system that works in real time to authorize and process transactions, or even a reconciliation system that takes end-of-day feeds and produces reports: all of these are bound to hook into various parts of your existing payment ecosystem, so the product you choose affects the security of the whole. So how does one go about the process?
While I cannot unravel all the parameters, I would like to touch upon a couple of critical ones.
“Product fitment” – Ideally the product selected should fit all of the mandatory business requirements of your target system, i.e. there should be a minimum gap to bridge before go-to-market. Otherwise you risk spending time and money bridging between the product and your business requirements, and the resulting changes can trigger auditing and re-certification of the end product. The key is to follow the guidelines of the specific security accreditation you are targeting. For example, if you want a PA-DSS validated product, you need to ensure as part of your evaluation that the delta customization you would make to the solution does not change the core of the product, since a PA-DSS listing covers a specific version and configuration of the application and changes to payment-handling code fall outside it, and that whatever you build on top of the core can be swiftly certified. Bear in mind too that a PA-DSS validated application does not make your environment PCI DSS compliant on its own: it must be deployed according to the vendor's PA-DSS Implementation Guide, and the surrounding environment still needs its own PCI DSS assessment.
Another important point is the “Architecture” of the target system. Over the last decade a lot of groundwork has been done on loosely coupled frameworks that modularize product construction and solution building, giving the business quick-to-market capabilities. This essentially means that the core of these new-age systems tends to have a lean footprint, with interfaces and handlers assembled around it using SDKs (all getting a bit technical now!). Simply put, you need to review the architecture of the selected system and check how it stacks up against the certification guidelines you are aiming for: in particular, whether the certified core can be kept intact while your integrations live in clearly separated interface and handler layers, so that customization does not invalidate the certification.
The solution is to perform thorough due diligence during vendor and product selection. It is no longer just about technology and cost but about creating a “secure payment ecosystem”. This calls for putting together an organization-specific diligence framework and product selection process that takes security and regulatory requirements into account as measurable criteria. This should help avoid unnecessary heartbreak, not to mention cost escalations.