Omnichannel Payment Security Solutions

The California Consumer Privacy Act (CCPA) gives consumers control over the personal information that businesses collect about them, including their name, social security number, email address and biometric data.

‍Organisations can be sued for data breaches of non-encrypted and non-redacted data where reasonable security procedures and practices have not been in place to protect it.

The Health Insurance Portability and Accountability Act of1996 (HIPAA) is a US federal law which protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.
‍
A major element of HIPAA is the Privacy Rule, which ensures that individuals’ protected health information (PHI) is properly protected while allowing the sensitive information to flow effectively.  This rule is supported with the Security Rule, which requires all individually identifiable health information created, received, maintained, or transmitted in electronic form (electronic Protected Health Information - e-PHI) to be securely managed.

To comply with the HIPAA Security Rule, all parties must:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information
• Detect and safeguard against anticipated threats to the security of the information
• Protect against anticipated impermissible uses or disclosures
• Certify compliance by their workforce

The European Union Payment Services (PSD 2) - Directive (EU) 2015/2366 is commonly referred to as PSD2.  This legislation is also applicable in the UK as an element of the Payment Services Regulations (PSR) 2017.
‍
The legislation was enacted in part to require providers of payment services and third-party payment service providers to improve customer authentication processes and introduce Strong Customer Authentication (SCA) protocols, such as two factor authentication (2FA).
‍
The widespread implementation of 3D Secure version 2 security protocol (3DS2) and other multi-factor authentication processes in consumer and business payment environments is a result of the Directive.

The UK Financial Conduct Authority’s telephone and electronic communication recording rules were derived from the EU Markets in Financial Instruments Directive (Directive 2004/65/EC).

The FCA SYSC 10A requires full and accurate records of financial service industry transactions, including telephone conversations, and electronic communications must be retained for at least six months.

The European Securities and Markets Authority (ESMA) Markets in Financial Instruments Directive (MiFID II) and the Markets in Financial Instruments Regulation (MiFIR) are a legislative framework that covers a wide range of financial instruments and market activities.

Within this body of legislation there is an obligation to retain secure audited and accessible records for a minimum period of five years from the date of the communication.

The Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) is a US federal law that controls the management of private consumer information by financial institutions and business that supply credit or finance as part of their offering (for example, auto dealers).
‍
Under the GLBA Safeguards & Privacy Rules, financial institutions and businesses must control, secure and protect the non-public information (NPI) they collect, store, share and process.
‍
The Safeguards Rule has two key elements:, financial institutions should implement both logical and physical security protocols, and provide breach notifications when NPI is compromised.
‍
Penalties for failure to comply with GLBA are potentially severe, with civil fines of $100,000 per violation, and officers/directors may face personal liability fines per-violation of $10,000.

Nacha develops, governs, manages and enforces the operating rules for the Automated Clearing House (ACH) Network which powers the Direct Deposits and Direct Payments for US banks and credit unions.

Managed and published by the International Organization for Standardisation (ISO) in partnership with the International Electrotechnical Commission (IEC), ISO/IEC 27001 is globally recognised as the leading standard and framework for information security.
‍
The ISO 27001 framework enables organisations to protect their information in a systematic way using an Information Security Management System (ISMS).

The 3D Secure version 2 security protocol aims to prevent the fraudulent use of credit cards by multi-factor authentication of cardholders in card-not-present (CNP) transactions.

It is developed and managed by EMVCo, an organisation jointly owned by major payment card brands. The three domains in which the protocol operates are the issuer, acquirer and interoperability domains (hence ‘3D’).