Data Security Essential for Electronic Payments

  • Written by Joshua Fluegel

With all the facets involved in the collection process, it is essential that a consumer's first contact with an agency's electronic payment system be inviting. Marc Chibnik, CEO of Harvard Collection Services, described the keys to a system that is conducive to accepting electronic payments.

“Three items are top of mind: integration with system of record, data protection and consumer communication,” said Chibnik. “Integration with system of record covers how the agency will manage payment detail and requires the agency to plan if payments will be brought into the system of record individually or by batch. Data protection is the process the agency will use to ensure that cardholder or bank account information will be protected at the agency to meet security guidelines. Consumer communication is the method that will be employed to notify consumers that electronic payments are accepted and that the communications are done in a compliant manner.”

Proper security for accepting payment card information is built on the Payment Card Industry Data Security Standard (PCI DSS), which applies to any organization that stores, processes or transmits cardholder data.

“Here are some easy steps to follow to improve the security posture of your organization,” said Erica St. John, CPA, chief financial officer for CBE Companies.

Protect Data

“Keep the storage of sensitive data to a minimum and add additional controls, especially encryption, to prevent data access. Implement technologies to encrypt data at rest and data in transit. When encrypting, use strong and validated cryptographic keys and algorithms and ensure that the keys used for unencrypting the data are tightly controlled and protected.

Regularly Test Security Systems

“Data protection must be managed on an ongoing basis and built into your organization’s daily business operations. New vulnerabilities appear constantly, which means you must always be attentive and routinely assess and remediate security threats to processes and systems. Use a risk-based approach to continuously identify and remediate threats in a timely and cost-effective manner.

“Auditors require evidence of how organizations are meeting the requirements of multiple regulatory mandates, industry standards and compliance frameworks. Maintaining a vigilant policy compliance program enables companies to reduce risk and continuously provide proof of compliance. Additionally, a policy compliance program helps identify and assess key security settings in your systems, which expose new security related issues and promote discussion for new or revised policies and procedures.

Train Your People

“At the recent 2019 RSA Conference, a common theme was that security depends on people. More so than technology or policy, it’s the people in your organization who have the greatest influence on the success of maintaining an organization’s strong security posture. The threat is not always disgruntled workers and corporate spies. Often, it is the unwary, careless employee who can do harm to your network by visiting websites infected with malware, responding to phishing emails, storing their login information in an unsecured location, or even giving out sensitive information over the phone. One of the best ways to make sure employees will not make costly errors regarding information security is to institute company-wide security awareness training initiatives.”
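The Protect Data guidance above (keep stored sensitive data to a minimum, encrypt it at rest, and keep the decryption keys under separate control) is concrete enough to show in code. The following is an added example written for this article, not code from CBE Companies or any vendor named here. It assumes the agency's system of record keeps only a non-reversible lookup token, the last four digits and an AES-256-GCM ciphertext of the card number, with the data key and the token key loaded from an HSM or KMS at start-up rather than stored beside the records. The card number used is the industry test PAN 4111111111111111, and the keys are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredCard is all the system of record keeps for a card. The full PAN is
// never written in the clear; Token lets staff deduplicate and look up a card
// without decrypting anything.
type StoredCard struct {
	Token      string // HMAC-SHA256 of the PAN under a separate key, hex, not reversible
	Last4      string // the only digits ever shown to staff or printed on receipts
	Ciphertext []byte // AES-256-GCM: nonce || ciphertext || tag
}

// Vault holds the keys in memory only. Assumption: production loads them from an
// HSM/KMS at start-up; they never sit in the database beside the records.
type Vault struct {
	aead     cipher.AEAD
	tokenKey []byte
}

// recordAAD is bound into every GCM tag so a ciphertext cannot be replayed as a
// different record type or schema version.
const recordAAD = "pan-record-v1"

func NewVault(dataKey, tokenKey []byte) (*Vault, error) {
	if len(dataKey) != 32 || len(tokenKey) < 32 {
		return nil, errors.New("need a 32-byte AES-256 data key and a >=32-byte token key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, tokenKey: tokenKey}, nil
}

// LuhnValid rejects malformed PANs before anything is stored.
func LuhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Store encrypts the PAN under a fresh random nonce and derives the lookup token.
func (v *Vault) Store(pan string) (StoredCard, error) {
	if !LuhnValid(pan) {
		return StoredCard{}, errors.New("PAN fails Luhn check")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	sealed := v.aead.Seal(nil, nonce, []byte(pan), []byte(recordAAD))
	mac := hmac.New(sha256.New, v.tokenKey)
	mac.Write([]byte(pan))
	return StoredCard{
		Token:      hex.EncodeToString(mac.Sum(nil)),
		Last4:      pan[len(pan)-4:],
		Ciphertext: append(nonce, sealed...),
	}, nil
}

// Reveal decrypts a record; any bit flip in nonce, ciphertext or tag is rejected.
func (v *Vault) Reveal(rec StoredCard) (string, error) {
	ns := v.aead.NonceSize()
	if len(rec.Ciphertext) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(recordAAD))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	dataKey, tokenKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(dataKey)
	rand.Read(tokenKey)
	v, _ := NewVault(dataKey, tokenKey)
	rec, err := v.Store("4111111111111111") // industry test PAN, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Printf("token=%s… last4=%s ciphertext=%x\n", rec.Token[:16], rec.Last4, rec.Ciphertext)
	pan, _ := v.Reveal(rec)
	fmt.Println("decrypted:", pan)
}
```

Two design points matter more than the cipher choice. First, the token is an HMAC under its own key, so a database dump yields neither card numbers nor a table anyone can reverse, yet the agency can still match a returning payer. Second, the GCM tag covers the record type, so a ciphertext copied from one table into another fails to decrypt instead of silently yielding a PAN; the same check catches a single flipped bit in storage.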

While such a program is as sound as one can hope for, it is not one-size-fits-all: collection professionals must determine which requirements apply to their own operations and payment types.

“The law does not treat all electronic payments the same way,” said John H. Bedard, Jr., managing attorney for Bedard Law Group, P.C. “Collectors accepting preauthorized electronic funds transfers should pay special attention to the consent requirements imposed by law on those transactions.”