If you’re thinking of adding payment functionality to your software solution, you’ll definitely want to get familiar with these six phrases. Why? Because with Sphere they could be a part of your daily payment experience.

Independent Software Vendors (ISVs) can embed Sphere credit card processing capabilities within their applications, allowing clients to take customer payments in one seamless process. If you’ve ever considered payments, you’ll quickly realize there’s a whole new language to learn and set of acronyms. To get the most out of your partner search, let’s take a look at these six phrases you’ll want to associate with your payment functionality.

Payment Gateway

Think of the payment gateway as a piece of a more complex and robust payment solution. A payment gateway doesn’t just let you accept electronic payment types such as credit cards, debit cards, and ACH/electronic check payments—it’s much more than that. Sphere’s payment gateway gives your company a compliant and brandable experience customized by you. They’re your customers after all, so they should experience your brand from beginning to end, not a cookie-cutter checkout experience.

Merchant Services

No matter the size of businesses you serve, chances are you’re still looking for the essentials: competitive rates on credit card processing, compatibility with a multitude of payment devices, and white glove, friendly service. That is automatic with Sphere. We aim to be a single source for all your current payment needs with room to grow in the future.

PCI Compliance

Security and trust are important aspects of a business relationship. That’s why Payment Card Industry Standard (PCI) compliance is essential, especially when data breaches are reaching the news on almost a daily basis. Know that your customer’s information is handled safely and securely with Sphere. Our solutions are PCI compliant (and then some) and help reduce your scope.

Validated Point to Point Encryption (VP2PE)

Remember the “and then some” we mentioned before? This is it. Sphere is the leading provider of secure electronic payment acceptance and risk management solutions which is why we offer validated point to point encryption (P2PE), Powered by TrustCommerce. That means your customer’s sensitive data stays safe, even in its encrypted state. With P2PE, your customer’s confidential information will be indecipherable to third parties.

EMV

Affectionately called “the card with the chip thingie” by customers, Europay, Mastercard and Visa (EMV) is the new standard for smart cards. EMV adds an extra layer of protection for customers and is quickly becoming the preferred method of payment for many, becoming synonymous with “fraud protection.”

Hosted Payment Page

Having a hosted payment page means that you don’t have to take on the additional liability of customers’ data passing through your systems. Sphere will do that for you, and with our security features and complete branding continuity, you can be assured that your customers are using a secure e-commerce payment capture solution. This simple, yet sophisticated solution allows for text-to-pay, email, within app and online payment acceptance.

Wrap Up

Does your current payment integration offer the same functionality as Sphere? If not, it might be time to upgrade to a company with a record for being secure, innovative and customizable. See these six phrases in action with Sphere.

When it comes to choosing an integrated payment partner for your solution, there’s a lot to consider: do you go with a familiar company? Or, a fresh option? Ideally, you want something that’s perfect for your business, but often solutions are either more than you need (at an exorbitant price), or not enough.

More often than not, money tends to drive these decisions. But there are other things you should ask yourself before picking the right payment processing engine for your solution. Perhaps the most important question should be:

“What can your payment processing partner do for you?”

Your business deserves more than “adequate” service, and that’s where we come in. With decades of experience advancing technology and putting clients first, Sphere is the natural choice for credit card processing. With Sphere, you instantly connect your customers with the most comprehensive, secure, end-to-end payment processing solutions. Let’s take a look at the top three benefits of integrating payments with Sphere.

  1. Sphere Helps Drive Your Business Revenue

Shouldn’t your payment processing partner do more than just meet your immediate needs? Sphere does. We help drive your business, providing you with more than just a point-of-sale system—in step with you as you grow.

Our products and services have all the payment features you need today and tomorrow, including:

  • Virtual Terminal
  • Transaction Security
  • Open API
  • Data Storage
  • E-Commerce Payment Pages
  • Reporting and Reconciliation
  • Mobile Payment App
  • Automated Recurring Billing Acceptance

Our applications support all major payment types including:

  • Credit Cards
  • Debit Cards
  • PIN-less Debit
  • ACH/Electronic Check Payments
  • Purchase Card (Level II and Level III) Processing
  • And More

Our systems integrate seamlessly with your current software requirements and adapt as you grow. The same thing doesn’t work for everyone; that’s why we offer custom options that work for you.

The right partner can make a world of difference. And in this competitive market, you should only trust the very best. We are an expert in our field, and we can help your business generate more revenue through technology and credit card processing.

  2. Strong Technology That Adapts

Technology is evolving quickly, and your payment processing system needs to be ready to change. Remember before credit cards had chips and certain outdated POS systems required awkward workarounds to make transactions work? Experience is everything, and your business needs a payment processing engine that’s future-proof.

Whether your software accepts payments through a single channel or many — Sphere can adapt to your business. With multiple integration options, and APIs in a variety of languages, it’s easy to get started.

There’s a growing need for a platform that can support more than just “basic” payment support. At Sphere, we understand the importance of flexibility. Businesses need integration that’s quick and efficient to support the way you do business today, as well as in the future. With our frictionless merchant application for credit card processing, we make it easy for your customers to sign up. To us, you’re a priority. We provide payment support that won’t slow you down.

  3. Manage Your Risk

Risk is never fun to talk about (and it’s even less fun to experience). Trust is an integral part of business, and a reputation of being secure and reliable is a necessity. Sphere helps you manage your risk by securing your data. We offer multiple methods to protect payments, including: validated point to point encryption, tokenization and hosted payment pages.

Get comprehensive risk management and security that allows you to defer much of the cost, risk and threat involved with handling cardholder information.

Wrap Up

Payments shouldn’t be a hassle, nor should getting the support you need to resolve any issues that may arise. That’s why integrated software vendors who are specialists in these and other industries partner with us:

  • Healthcare applications
  • E-commerce & Shopping Cart Developers
  • Membership management software
  • Bar and restaurant applications
  • Software Vendors

It’s time to take the complexity out of integrating payments. Accept payments your way with Sphere. Our payment processing solutions are designed for ease of integration with third-party software. Speak with the Partner team today.

By Heather Mark, Ph.D., CCEP, Director, Compliance & Security

Independent Software Vendors (ISVs) can leverage payments as a way to provide a more comprehensive suite of services to their customers and doing so also provides revenue opportunities.  But with that comes some responsibilities that are unique to payments, such as compliance with the Card Brand regulations.  Understanding those responsibilities, and the role that ISVs can play in maintaining the security and soundness of the payments ecosystem, can help ensure a strong, long-lasting, and mutually beneficial payments partnership.

So are ISVs expected to become payments experts?   Not at all. Choose your partner wisely and they can help you navigate payments, leaving you to the stuff you do best.  That said, there are a few things ISVs can do to demonstrate that they take seriously the compliance and liability aspect of the payments space.  Why would you want to do that? Because it’s the right thing to do for your customers, partners, and your business.

First, know your customers.  Payments partners, whether a payment facilitator or an acquiring bank, will want to understand the full business opportunity.  That means the risk as well as the reward.  What does your average customer look like?  Do you have a specific vertical to which you cater?  In that vertical, what are the risk trends (e.g., if you provide a platform to sell luxury goods on a peer to peer basis, what is the percentage of counterfeit goods that are sold, or attempted to be sold, on your platform?).  Any controls that are in place to monitor and potentially mitigate these known risks should be well-documented. Is your customer base subject to seasonality? Knowing that can help in monitoring for anomalous, suspicious behaviors. This type of information allows payment partners to garner a more complete understanding of the potential risk profile of the merchants being onboarded to their system.

Secondly, document your practices and policies. You may not need to have robust anti-money laundering policies, but you will need to have an information security policy. You may also need to address behaviors or practices that are prohibited or restricted on your platform, and how you monitor for those activities. These documents don’t need to be huge volumes that address every contingency, but they should be commensurate with the size and complexity of your organization. They should also account for whether or not your platform handles toxic data (data that would damage your company or your customers if it leaks, like personally identifiable information). One side note: there are multiple places online that allow companies to download policy templates. These are good tools and allow companies that may be new to policy development to have a jumping off point, but that’s all they are – a jumping off point. Make sure to customize these templates so that they make sense for your organization.

Finally, know the regulations that impact your vertical.  If you provide billing software for healthcare, you should be familiar with HIPAA/HITECH and the impact that those regulations have on your business.  While your payment partner may be very familiar with those regulations, you should be the expert on how those regulations impact your business.  Perhaps there are nuances that you can share with your payment partner that can improve your experience with them and they can better support your compliance initiatives.

One of the things that most new entrants into the payments world lose sight of is that compliance doesn’t simply mean compliance with regulation.  It also means compliance with the Card Brand Rules, sometimes referred to as the OpRegs.  The Card Brands have complex standards that they expect all members of the payment ecosystem to uphold.  This includes things like preventing people from misusing the payments systems through fraudulent or illegal transactions, laundering funds, counterfeiting goods or services, or processing transactions in a way that is non-compliant (for example, charging a convenience fee on a face to face, or card present, transaction.)  Merchants and service providers alike are expected to comply with these rules and to prevent their systems, platforms, or channels from being used to circumvent those rules.

And, don’t forget about PCI DSS…

Speaking of compliance, you will need to understand the Payment Card Industry Data Security Standard (PCI DSS). This standard is required of all entities that store, process, or transmit cardholder data. The PCI DSS sets a minimum standard of security controls around payment card data. All merchants must comply with the standard and validate compliance, irrespective of their interaction with cardholder data. The way in which they validate will vary according to how they accept payments and the volume of payments that they accept. Service Providers, the category into which most ISVs will fall, may have to validate compliance, depending upon how they interact with the cardholder data. It is important to know that the acquiring bank is the ultimate arbiter of who must comply and how. If an ISV is determined to be a service provider, it must validate with either an onsite assessment by a Qualified Security Assessor (QSA) or by completing the Self-Assessment Questionnaire D-Service Provider. (Note: this paragraph is an exceptionally brief discussion of the PCI DSS and by no means covers all of its nuance. For more information, visit www.pcisecuritystandards.org). The short story here is that compliance with the PCI DSS helps elevate security in the industry at large, and mitigates the risk to you and your customers.

Adding payments to your software application doesn’t have to be intimidating or overwhelming from a compliance perspective. Choose your payment vendor carefully and they can do the heavy lifting. Make sure you understand the role that ISVs can play in maintaining the security of the payments ecosystem and your compliance footprint.


By Dr. Heather Mark

The healthcare industry is, as most know, a heavily regulated industry. Government regulations detail how data is to be collected, shared, and protected. They detail how patients can access their data, the way that research is conducted, how it is reported, and a multitude of other factors. Layering in the protection of payment card data can seem overwhelming, particularly given the size and complexity of health care networks – physicians’ offices, laboratories, hospitals, and clinics. Fold in a sprinkling of online bill pay, as well, and one can see how the prospect of complying with the PCI DSS, as well as other regulatory mandates, can be overwhelming. But PCI DSS compliance can be made more manageable by employing scope reduction strategies.

First things first, though.  What is scope reduction?  To understand this, one must understand what is defined as the Cardholder Data Environment, or CDE.  The CDE is defined by the Payment Card Industry Security Standards Council (PCI SSC) as the “people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.  ‘System Components’ include network devices, servers, computing devices, and applications… [and] any other component or device located within or connected to the CDE.”  So, the scope of the CDE is any device or person that has access to cardholder data and any device connected to that component.  For many organizations, in healthcare and beyond, that scope can seem fairly daunting.  The objective of scope reduction is to minimize the number of components that come into contact with the cardholder data.  By reducing the number of components that contact cardholder data, an organization can reduce its scope. This serves the purpose of reducing the complexity of the CDE, the cost and complexity of the PCI DSS assessment, and the work factor involved in maintaining compliance.

So, how can an organization reduce their scope?  The first step is to know where and how payments are accepted.  Questions that can help in that process include:

  1. Where does your health system physically accept electronic payments?
    • Registration
    • Front Desk
    • Call Center
    • Pharmacy
    • Parking
    • Radiology
    • Emergency Room
    • Gift Shop
  2. How do you accept payments in these locations?
    • In Person
    • Online
    • Kiosk
    • Mobile
    • IVR
    • EHR Software
    • Other
  3. Does your EHR system offer a secure payment integration?
    • Yes
    • No
  4. Does your payment integration support:
    • Tokenization
    • Validated Point to Point Encryption
    • Hosted Payment Page for secure online transactions
    • Secure recurring billing and installment payments

It is also important to determine whether or not you have appropriately segmented your CDE to prevent bringing your entire organization into scope.  In other words, if your payment environment is connected to your corporate environment, without firewalls, routers or other appropriate measures in place to act as a DMZ, you could end up having to manage PCI compliance for every part of your network. Per the PCI DSS, “Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
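
The difference between a flat and a segmented network can be worked through on a small inventory. The following is an added example, not part of the original article: the host names, segment names and allowed flows are constructed, and the model is a simplification that treats a host as in scope if it handles cardholder data or can exchange traffic directly with a host that does.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    name: str
    segment: str               # network segment the host sits in
    handles_chd: bool = False  # stores, processes or transmits cardholder data


def can_talk(a, b, allowed_flows):
    """True if traffic can pass between a and b in either direction."""
    if a.segment == b.segment:
        # Hosts in the same segment are not filtered from each other.
        return True
    return ((a.segment, b.segment) in allowed_flows
            or (b.segment, a.segment) in allowed_flows)


def pci_scope(hosts, allowed_flows):
    """Classify each host as 'cde', 'connected' (in scope) or 'out'."""
    cde_hosts = [h for h in hosts if h.handles_chd]
    result = {}
    for h in hosts:
        if h.handles_chd:
            result[h.name] = "cde"
        elif any(can_talk(h, c, allowed_flows) for c in cde_hosts):
            result[h.name] = "connected"
        else:
            result[h.name] = "out"
    return result


def in_scope(result):
    """Names of all hosts that an assessment would have to cover."""
    return sorted(name for name, cat in result.items() if cat != "out")


# Constructed inventory for a small health system (hypothetical names).
SEGMENTED = [
    Host("registration-pos", "pos", handles_chd=True),
    Host("payment-app", "payments", handles_chd=True),
    Host("jump-host", "mgmt"),
    Host("ehr-server", "clinical"),
    Host("radiology-ws", "clinical"),
    Host("hr-laptop", "corp"),
]

# Constructed firewall policy: only these segment pairs may exchange traffic.
ALLOWED = {("pos", "payments"), ("mgmt", "payments")}

# The same hosts on a flat network: one segment, no internal filtering.
FLAT = [replace(h, segment="flat") for h in SEGMENTED]


if __name__ == "__main__":
    print("flat network, in scope:     ", in_scope(pci_scope(FLAT, set())))
    print("segmented network, in scope:", in_scope(pci_scope(SEGMENTED, ALLOWED)))
```

On the flat network every host is in scope; with the segments and rules above only the two payment hosts and the management jump host remain, which is the reduction the PCI DSS passage describes.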

Another strategy that can be employed to reduce the scope of the CDE is to reduce the number of cardholder data touchpoints in the environment.  The more the input of cardholder data can be reduced, the greater the level of scope reduction.  Any number of solutions can be employed, but here is a brief description of the most effective means* of reducing interaction with cardholder data:

  • Hosted Payment Pages – merchants can accept payments through the use of a hosted payment page. The Payment Page is hosted by a PCI DSS validated, registered service provider.  The payment information posts directly from the consumer to the service provider, bypassing the environment of the healthcare provider.
  • Tokenization – in this solution, the payment information is replaced with a randomly generated value that is used to represent the payment mechanism. The healthcare provider can still use that token to process subsequent payments, as may be useful for patients on payment plans, reporting purposes, patient payment analysis, and chargeback or dispute purposes.  The benefit here is the reduced payment data footprint within the organization.
  • PCI Validated Point to Point Encryption (P2PE) – a P2PE solution is one in which the cardholder data is encrypted from the point of interaction (swipe, dip, entry) all the way through the processor. The payment is processed, but when the authorization response is sent to the healthcare organization, the payment data is replaced with a token.
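
The tokenization flow above, and its effect on the data footprint, can be shown in a few lines. This is an added example, not part of the original article and not Sphere's API: `TokenVault`, `find_pans` and the record layout are hypothetical, the vault stands in for the service provider, and the card number is a constructed test value.

```python
import re
import secrets
import string


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text):
    """Return card-number candidates in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Stand-in for the service provider; the card number stays in here."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        digits = re.sub(r"[ -]", "", pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        # Random, letters only: not derived from the card number and never
        # mistaken for one by a scanner looking for digit runs.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._by_token[token] = digits
        return token, digits[-4:]

    def charge(self, token, amount_cents):
        pan = self._by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # A real provider would send pan to the processor at this point.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def demo():
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # constructed test number, not a real account
    legacy_row = f"patient=J. Doe;card={pan};plan=monthly"
    token, last4 = vault.tokenize(pan)
    tokenized_row = f"patient=J. Doe;card_token={token};last4={last4};plan=monthly"
    return {
        "legacy_hits": find_pans(legacy_row),        # card number sits in the record
        "tokenized_hits": find_pans(tokenized_row),  # nothing to find
        "receipt": vault.charge(token, 5000),        # later installment still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The provider-side record that keeps only the token and last four digits can still drive the next payment-plan charge, while a scan of that record finds no card number.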

As technology continues to evolve and healthcare organizations find new ways to connect with and serve their patients and communities, it is important to remain mindful of the potential risks that those new technologies may present.  By implementing the above solutions, healthcare providers may find a strong balance between patient service and data security.

*The amount of scope reduction benefit for each of these solutions can vary depending upon the specific environment and the way in which they are implemented.  It is highly suggested that all organizations consult with their Qualified Security Assessor (QSA) and/or their Acquiring Bank to determine the exact nature of the benefit afforded by these solutions.

By Dr. Heather Mark

On March 19, 2019, well-known and respected security researcher and reporter Brian Krebs posted an article with the headline, “Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years.” According to Krebs, “The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.” With that in mind, think about how many accounts you have linked to Facebook.

The news is a constant parade of security breaches in which user names and passwords are compromised.  It is easy for people to become numb to that, or to think that it’s “only” a username and password, not financial data. But how many of us use the same password, or a close variation, for several of our accounts, including our work passwords?  Take a look at this list of security breaches, and think about how many of those impact you, and how many times you recycled passwords for those accounts.

Though it can be convenient, reusing passwords does put you at risk for further compromise.  As criminals have become more sophisticated, they’ve taken to aggregating data collected from various breaches and extrapolating it to compromise accounts that you might not even know were in danger.  Do you use the same password for social media as you do for your bank account?  You might not be concerned if your social media password was compromised, but what if the hacker were able to discern your bank or financial institution?  Have you ever posted a complaint or comment about your bank? Do you check into your office on social media?

We’ve all read the stories about people using “password 123” or “changeme!” for their passwords.  Not only are those easy to crack, but they’re painfully ubiquitous.  Here are some quick, easy tips for creating a strong password:

  • Use phrases – think about a line from a favorite book, movie or song. Sometimes, that can actually be easier to remember and it’s inherently more complex.  Particularly if it uses punctuation.
  • Use “special” characters – When we think of “special” characters, we tend to default to the “!” or the “*”. They’re easy to remember.  But the poor semi-colon (“;”) is woefully underused.  As is ampersand (“&”) and the tilde (“~”).  Think creatively about which special characters you’re using in your password and how you’re using them.  For example, you can combine special characters to make emoticons.
  • Mix up numbers and letters – a creative mix of numbers and letters can make a password more difficult to guess. Try not to make obvious substitutions, such as using a “3” instead of an “e”.
  • Use capital and lowercase letters – mix up your use of capital and lower case letters. You don’t have to follow grammatical conventions when creating strong passwords.  You don’t have to start a name with a capital letter.

Another important reminder is to change your password regularly.  It can be easy to forget that, particularly in the age of biometric authentication.  One trick that I use is to set a calendar reminder to change my passwords.  You can choose every 30, 60, or 90 days, but it’s best not to go past the 90 day mark.

It can be a hassle to come up with and remember new passwords every 90 days, but using new, unique passwords is an important tool to protect yourself and your business. It pays to be smart!

Is PCI DSS Compliance Enough?

By Dr. Heather Mark

In the wake of yet another massive data breach, media outlets around the world are asking a lot of questions. More questions, it seems, than are the victims of the data breach. People seem to have become numb to loss of sensitive data. But while individuals seem to carry on as though nothing has changed, businesses need to be cognizant of the consequences of data breach, beyond simply the penalties associated with a violation of the PCI DSS. The consequences of data breach can be swift and severe. In fact, a class action suit has already been filed against Marriott stating that the breach should have been detected four years ago. Further, companies that fall victim to hackers can expect to play host to government regulators, state attorneys general, forensic investigators and other third parties for a significant length of time. So what is a company to do to protect its data?

I once had a self-proclaimed “grey hat hacker” tell me, “your company has to find and fix every single hole in the environment.  I just need to find one.  And I’ll spend 24/7 to do it.”  That demonstrates the reality that data security in the online world, our world, can be a tremendous task.  However, as with all types of crime, there are methods that can be employed to increase the work factor for criminals in compromising your environment and to make your business a hard, or at least a harder, target.  Those criminals looking for just an “opportunity” may determine that there are easier targets and move on.

The most obvious step to be taken is compliance with the PCI DSS. The Standard has been in place since 2006 and serves as an excellent baseline of security.  All companies that store, process, or transmit cardholder data (or can otherwise impact the security of the transaction) must comply with the Standard.   Though compliance must be validated once a year, it is important to maintain compliance throughout the year through the implementation of a robust compliance monitoring program. It will require ongoing management to ensure that a company doesn’t inadvertently fall out of compliance without taking a corrective action.  Further, failing to comply can result in financial penalties. It’s important to note, though, that PCI DSS only applies to credit and debit card numbers.  Its scope does not include any other form of potentially sensitive information.

As we’ve seen from countless headlines, data breaches don’t just involve payment card numbers. They often include data such as email addresses, usernames, passwords, physical addresses, social security numbers and other similarly sensitive data that aren’t contemplated by the PCI DSS. What should companies do then? Well, the PCI DSS still serves as a useful launching pad. But before determining how far to extend those protections and controls enumerated in that standard, it helps to conduct an exercise known as a data inventory.

Simply put, a data inventory is an exercise in which each functional area of the company examines the data that it uses and why, how it’s collected, stored and shared, and how the data is destroyed or disposed of when it’s no longer needed. These exercises can be eye-opening and are extremely useful. It is not uncommon to unearth data collection or use practices that were not widely known in the organization. These data knowledge gaps can lead to critical holes in the control environment, exposing companies to risks of which they were not even aware. More importantly, it can help organizations make informed, risk-based decisions about the type of information that they collect (i.e. do we, as an organization, need to collect this data element to fulfill our business objectives? If so, what types of protections must we afford that data? Is it ultimately worth the investment?) Once the data inventory is complete, you may find it helpful to see how or if it is feasible to extend PCI DSS controls that are already in place to cover these additional data elements and the larger data environment.

Further, it may be discovered during this inventory, that the organization may have additional regulatory obligations as a result of the data it collects.  For example, is the company storing data related to healthcare, education, or financial accounts?  Doing the inventory can assist and support the organization in its regulatory risk assessment.  Proactively identifying potential compliance gaps is always better than having such gaps identified by auditors, regulators, or clients. If these additional regulatory obligations are discovered, it can be helpful to map controls between those PCI requirements that the organization is meeting to the newly identified regulatory requirements.  There will still be gaps to be addressed, but by extending the PCI DSS control environment, organizations may be able to significantly reduce the cost of expanding those protections to other forms of data and other data environments.

Granted, the discussion presented here is more nuanced and robust than the constraints of a blog post may allow, but it does provide us all food for thought.  If the only data that is possessed by an organization is payment card data, then perhaps PCI DSS compliance is sufficient protection.  However, such an organization, to use the popular language of the day, is something of a unicorn.  Most organizations host a wide variety of data – data that is regulated and data that a company may simply want to protect, such as proprietary code, formulas, or business plans.  For those organizations, compliance with PCI DSS is just the tip of the iceberg.  I’ll leave you with this direct quote from the PCI DSS v 3.2.1: “PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.”

By Dr. Heather Mark, CCEP

Aristotle wrote that ethics is the habituation of right action.  Essentially, we don’t know what’s right out of the starting gate.  The virtue of ethical behavior is one that we acquire through example and guidelines.  We become ethical, or as Aristotle would have it, virtuous, through practice.  The more we practice right action, the more innate it seems to become.  It’s not an inherent knowledge, it’s a learned trait.  This discussion from Aristotle’s classic work Nicomachean Ethics is a great description of the important interrelatedness of compliance and ethics, particularly in the Payments industry.

The payments industry is highly complex and highly regulated. It’s unlikely that a person new to the industry would walk in and be able to identify right from wrong, speaking in a regulatory sense. The lattice of regulation created by the card brand rules, state and local laws, as well as federal regulation, and potentially international laws, can cause confusion even among well-entrenched payments professionals. If you were to overlay that with the development of new business models, such as payment facilitators and marketplaces, the landscape quickly becomes treacherous. This is where a robust Compliance[1] and Ethics program comes into play.

As Aristotle says, a good government will attempt to legislate virtuous behavior to help its citizens learn to act “virtuously.”  Eventually, its citizens learn to extrapolate that virtuous behavior beyond those circumstances contemplated by law, and simply behave in a “right” manner.  Leaving behind for the moment arguments about legislating morality, let’s focus on the notion that laws act as a guideline for behavior in the absence of an inherent understanding.  The compliance program acts as that guideline for the uninitiated.  Without long experience or an inherent understanding of the potential pitfalls of non-compliance in the payments space, the compliance program acts as the framework for what’s right and wrong, in a regulatory context.

Virtue, or to use the word that is more familiar to us, ethics, is, according to Aristotle, what makes something perform well. So it follows, then, that an ethical company would perform well. It’s in the best interest of the company, then, to ensure that its team members are inclined to act in a way that is ethical. That means enabling merchants, service providers, and partners to conduct their business in a way that complies with card brand rules. That also means recognizing that simply because we can do something, it doesn’t mean we should. We’ve seen this play out in the rise of Fintech.

Fintech is an exciting wave of innovation that has been transforming the payments space over the course of the last ten years.  Agile, creative companies have been developing new ways for merchants to engage with their customers.  Things that we already take for granted, such as depositing paper checks from our phones, or paying our friends back for lunch through text messages, are just some of the examples of the innovations born of the Fintech revolution.  But there were some downsides to that rush to the payments space, too.  While the vast majority of new Fintech players took the time to learn the payments space, to understand the regulatory environment, and to play according to those rules, there were a few players that saw an opportunity to cash in on the changing industry.  Software developers without an understanding of the complexities of the space made decisions which, in retrospect, were not founded on a complete understanding of the risk involved, or of the impact it might have on the end user. With a robust and mature compliance program in place, it’s possible that those companies may have avoided those missteps.

In organizations with a mature program in place, compliance is “business as usual,” baked into product development.  The compliance team scopes out potential regulatory roadblocks so that the product and development teams can design with those regulatory requirements in mind.  Additionally, it serves as a learning opportunity, as those teams begin to acclimate to the regulatory environment in which they operate.  They incorporate those requirements as they evolve that product set or the feature set for particular verticals.  They learn the questions to ask when a new project comes along.  The regulatory requirements become just a fact of life, doing things the right way.  In Aristotle’s words, they become habituated to it.  Compliance serves as the touchstone on which companies and organizations can build an ethical culture.

Ethics, then, derives from the repeated practice of doing the right thing, such that when a specific guideline doesn’t exist, one can still determine the right course of action. Eventually, Aristotle says, people will reach a state in which they do the right thing because it is the right thing, not because the law mandates it.  Ethics programs are natural extensions of compliance programs, as companies should empower their staff and contractors to do the right thing, even when it’s difficult. Ethics programs are designed to allow employees to report, without fear of retribution, actions that they genuinely feel violate the organization’s Code of Conduct or Compliance policies.

The importance of having an ethical culture can’t be overstated.  It is what keeps employees invested in the organization and what maintains relationships with clients and partners.  As a side benefit, it helps companies to avoid potential violations of regulatory mandates.  Those violations can result in monetary fines and penalties, compensation to affected parties, and government oversight.  Ethical and compliance violations also lead to lost revenue as a result of reputational damage.  Clients and prospective clients will be reluctant to sign a contract with a company with a demonstrable track record of ethical issues.

What does all this mean to the payments industry?  The industry is predicated on what can be a quickly shifting foundation of the intersection of technology and regulation. Maintaining an operational understanding of the relationship between the two is a vital requirement in any partner or service provider in the industry.   That means that companies that aren’t willing or able to make an investment in maturing their Compliance and Ethics programs are at a competitive disadvantage.  Between card brand regulations, state laws on money transmission, data security and privacy, and federal laws, it quickly becomes imperative for companies to choose a service provider that can help them navigate the compliance landscape, while staying on the forefront of payment technology.  It’s a delicate balance.  What’s more, it’s important to work with a company that can practice some foresight with respect to the potential impact of forthcoming legislation.  Again, this is something that ethics can help accomplish – often doing what’s right to start with can help head off potential issues with future legislation.  An example can be found in the use of mobile payment applications.

Installing an application on a mobile device can provide the software manufacturer with a wealth of information – contacts, geolocation, app and device usage.  All of this data is incredibly useful for marketing purposes, but collecting that data without the express consent of the end-user is problematic, to put it mildly. A number of mobile payment providers were collecting this information and using “big data analytics” and sharing it with third parties.  In fact, that practice led to a number of Congressional hearings on the matter.  This is why users now have the option to turn off location services and apps now disclose what they track.  This same issue is still playing out in the Cambridge Analytica issue with Facebook.  These issues could have been avoided with the adoption of a mindset that says, “Just because we have the technology to do something, that doesn’t mean that we should do it.”  This, again, derives from ethical culture and transparency to both end-users and partners.

Sphere is dedicated to the proposition that a payments company cannot be successful without a strong Compliance and Ethics program.  Since its inception, Sphere recognized the unique position and responsibility that it has to maintain an environment that fosters ethical behavior.  To do so, it is necessary to develop and maintain a Compliance program that serves, not just Sphere, but its clients and partners, as well.  At the end of the day, developing such a program is just another way that we serve our clients.

[1] For the purposes of this discussion, I include security requirements in the compliance discussion.

Event Schedule 2019

The Sphere teams will be exhibiting at a variety of payments and industry events. Come visit us! We have exciting news to share about our products and services.

HIMSS19

February 11-15 | Orlando

Visit us at Booth #2679

GE WRUG

February 14-15 | Las Vegas

Collaboration of Revenue Cycle Epic Users (CORE) West

February 27-March 3 | Las Vegas

ACN International Training Event

March 9-11 | Sydney

ACN International Training Event

March 29-31 | Charlotte, NC

Collaboration of Revenue Cycle Epic Users (CORE) East

April 10-12 | Pittsburgh

OCHIN Learning Forum

April 16-18 | Portland

Dr. Heather Mark, CCEP

In May of this year, South Carolina became the first state to officially adopt the National Association of Insurance Commissioners (NAIC)’s Model Law on CyberSecurity.  While the law is a first in that it’s specific to the insurance industry, many organizations that have already adopted controls for SOX, PCI DSS, and HIPAA, to name a few, may find its implementation less onerous than it might appear at first glance. As the deadline for implementation (January 1, 2019[i]) fast approaches, it is worth looking at the requirements of the Model Law and the impact the Law will have on the industry as a whole.

The Act requires persons licensed to operate under the insurance laws of the state to implement a minimum level of data security controls to protect non-public information.  Interestingly, the law takes a broader definition of non-public information than many state data security or data breach notification laws. For the purposes of this law, not only is the personal information of the consumer to be protected, but the law also specifically calls for protection for “business-related information of a licensee the tampering with which[sic], or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.”  It is unusual in data protection or data privacy law to see a requirement to protect the information of businesses, but in this instance, it is an obvious broadening of protections.  Licensees may in fact be individual agents, so the protection of their information is akin to the protection of employee information, such as those protections included in California’s Consumer Privacy Act.  (As a side note, a wonderful analysis of the CCPA is available on the International Association of Privacy Professionals website).

As I stated, those organizations that already have experience with SOX, PCI DSS, or HIPAA may recognize quite a few of the requirements of the South Carolina Insurance Data Security Act.  Many of the elements are considered by security professionals to be “table stakes,” minimum requirements for doing business securely in today’s environment.  These controls include:

  • A risk assessment;
  • A written information security policy that is commensurate with the size and complexity of the licensee’s organization and is based on the risk assessment;
  • One or more employees that are designated as being responsible for the licensee’s information security program;
  • A vendor management program;
  • An Incident Response Plan, which includes a data breach notification process; and
  • An annual attestation submitted to the Director of the Department of Insurance.

What’s interesting to note here, and is a position that I’ll often profess, is that in many cases compliance can be a byproduct of good Governance, Risk, and Compliance (GRC) programs.  Companies that are well-versed in GRC and information security may already have these measures in place, irrespective of any regulatory obligation to do so.  Those organizations are well-positioned when a state then adopts new security rules.  In those cases, the organization may be required to make some changes to its processes, but may avoid the total overhaul that a company less familiar with GRC practices may find themselves undertaking.

The South Carolina law is very similar to the New York Data Security Act, which was passed in 2015. In addition, as alluded to in the introductory paragraph, the law is essentially an adoption by South Carolina of the NAIC’s Model Law.  NAIC is actively encouraging states to adopt the laws and has even “recommended that Congress should consider preempting the states if it is not adopted in 5 years.”  More information can be found on the Model Law at NAIC’s website.   Over the coming years, it will be interesting to observe the trend at the state level in terms of adoption of the Model Law.  This  might just prove to be a good time for a forward-thinking compliance officer to begin crafting a program to incorporate some of the clauses in the Model Law.

[i] The state has enacted an extended deadline for portions of the law.  These deadlines are:
July 1, 2019 for Section 39-99-20
July 1, 2020 for Section 39-99-20(f)