10 Jul
The Security Certifications Your Outsourced Service Provider Needs to Have
Security is a critical consideration when outsourcing business communications and payment services. Third-party providers that offer electronic billing solutions should be carefully vetted to ensure that they meet the strictest security standards for storing, processing and transmitting credit card and ACH payment data, including data security, authentication and non-repudiation of bills.
Finding a third-party provider that meets your company’s security criteria can feel overwhelming. Certification is a good way to validate a provider’s security program, because most security certifications require companies to implement risk management, contingency planning, technical safeguards and other security controls as part of the assessment process. Bear in mind, though, that a certification attests only to the systems and services within its stated scope, so always confirm that the services you are buying are the ones that were assessed.
In considering which certifications matter, we advise clients to learn about the security frameworks that address the requirements of their industry. For example, if your company accepts credit card payments, your outsourced provider should validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Maintained by the PCI Security Standards Council (PCI SSC), PCI DSS sets twelve requirements, covering areas such as network security, protection of stored cardholder data, change control, logging and monitoring, and regular vulnerability scanning and penetration testing, and those controls must be kept in place throughout the year, not only at assessment time. For a service provider, validation is documented in an Attestation of Compliance (AOC), typically backed by a Report on Compliance prepared by a Qualified Security Assessor; ask for the current AOC and check that its scope lists the services you intend to use.
HITRUST certification is important for businesses that handle protected health information. The HITRUST Common Security Framework (CSF) gives companies a mechanism to address the rigorous requirements of HIPAA. The HITRUST CSF is also mapped to other frameworks and regulations, such as NIST SP 800-53 and the NIST Cybersecurity Framework, FedRAMP and the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018.
For service organizations handling transactional communications, for example in financial services, the AICPA offers SOC 2 reporting, in which an independent CPA firm assesses a company’s controls against the AICPA Trust Services Criteria (formerly the Trust Services Principles), which cover five categories: security, availability, processing integrity, confidentiality and privacy. Only the security category is mandatory, so check which categories a given report covers, and prefer a Type II report, which tests that controls operated effectively over a review period, to a Type I report, which only describes their design at a point in time. As an added bonus, SOC 2 reporting is widely recognized across multiple industries.
Some security frameworks let you address multiple requirements with a single assessment. The HITRUST CSF is a good example of this “assess once, report many” approach. The HITRUST Alliance has partnered with the AICPA, which oversees SOC 2 attestations, on a joint reporting process that allows businesses to use the HITRUST CSF and CSF Assurance programs as the basis for SOC 2 reporting (a “SOC 2 + HITRUST CSF” report).
A third-party provider that maintains these certifications demonstrates the ability to pass rigorous audits that incorporate a broad range of security requirements. Maintaining multiple certifications also indicates that the provider is engaged in continuous improvement, closing gaps in its security program as assessors find them. Certifications are still point-in-time evidence, however, so review the actual reports and attestations rather than the logos, note any exceptions or compensating controls the assessor recorded, and confirm that the scope and dates cover the services and period that matter to your business.