Pci-Dss as a Baseline for Fintech Startups

By GRSee Team
Edited by Tom Rozen

Published December 2, 2024.


The fintech market is growing at a rapid rate, but at the same time fintech companies face several challenges and risks because of their heavy dependence on technology. Security issues and data privacy are among the top concerns that fintech startups need to deal with, both to gain the trust of businesses and consumers and to improve their own processes. A single data breach may lead to huge fines imposed by payment card issuers, or lawsuits may be filed against them. This could damage a fintech’s reputation and, in the long run, reduce sales. With growing cyber security concerns, improving security posture becomes a necessity for a fintech company.

Many organizations try to improve their security posture by creating their own frameworks instead of adopting a leading standard as a baseline. They end up reinventing the wheel and struggle to maintain their compliance level. And if they do decide to use an industry standard, they have difficulty choosing the right one. With a myriad of industry standards such as ISO 27001, SOC 2, FedRAMP, HITRUST, CSA, PCI DSS and many others, choosing the one that suits their needs and caters to their specific requirements becomes a difficult decision to make. PCI DSS can be a good starting point and can serve as a baseline that you use to improve your security posture.

ISO 27001 vs. SOC 2 vs. PCI DSS

Let’s look at the key features of these standards to help you make an informed decision. ISO 27001 focuses on the development of an Information Security Management System (ISMS), a set of policies and procedures that help an organization manage its sensitive data systematically. To ensure compliance, ISO 27001 requires that you conduct risk assessments, determine the security controls required, and review the effectiveness of the controls applied on a regular basis.

SOC 2, on the other hand, focuses on the internal controls connected to a company’s operating environment. The controls relate to any combination of Availability, Security, Confidentiality, Processing Integrity, or Privacy. The standard covers basic, static security practices.

The Payment Card Industry Data Security Standard (PCI DSS) is a standard defined by the payment card industry and is applicable to any company that stores, processes, or transmits credit card information. PCI DSS has 6 main goals, broken down into 12 requirements that must be met in order to be certified PCI DSS compliant. The standard gives a practical set of best practices for fintech companies, is more technical in nature, and caters specifically to the security of credit card data that is stored, processed, or transmitted.

With the exception of BCP/DRP and possibly forensic investigation, PCI DSS touches on nearly every security domain: network security, security patching, cardholder data security, encryption at rest and in transit, vulnerability management, antivirus/anti-malware deployment, the secure software development lifecycle, access control, audit trails, security testing, physical security, and the policies and procedures you should have in place.

Another advantage of PCI DSS is the flexibility it offers. If you elect to adopt PCI DSS, you are not bound to implement the full extent of the standard. The number of requirements that apply to your business depends on how you have set up your environment: the total volume of transactions, what the CDE (cardholder data environment) looks like, and how many payment card numbers your company stores, processes, or transmits. Minimizing the number of places where cardholder data is handled therefore makes the standard simpler to comply with.

Here is a small checklist which will help you to decide. Go for:

  • PCI DSS, if you’re looking to adopt a highly technical standard and would like to incorporate all the best practices relevant to credit card information security. This will also help you gain the trust of your customer and business partners.
  • ISO 27001, if you’re looking to create a complete information security management system. It offers a generic set of requirements that you are free to interpret and apply, and it is applicable to any organization.
  • SOC 2, if you’re looking to report to your customers and business partners where you stand in terms of basic security principles and criteria.

Though there are many standards and frameworks, PCI DSS might be the best choice for implementing actual technical guidelines relevant to fintech startups. It can serve as a baseline standard with which you start your information security journey and later complement it with the information security management system and detailed risk assessments that ISO 27001 offers. SOC 2 would be a good starting point for demonstrating a basic security posture to your customers, but it lacks the technical depth that PCI DSS offers.

GRSee Consulting is the first Qualified Security Assessor (QSA) company in the world to certify a fully AWS-hosted environment to PCI DSS. Call us now and get your PCI DSS certification.
