Information Security

Action Summary

Financial institutions should implement the appropriate physical and logical security controls to ensure retail payment system transactions are processed, cleared, and settled in an accurate, timely, and reliable manner.  Security risk assessments should consider physical and logical security controls for the origination, approval, transmission, and storage of retail payment system transactions.  Risk assessments should include service providers, third-party originators, and external networks that process, store, or transport customer data.  Physical controls should limit access to only those staff assigned responsibility for supporting the operations and business line centers that process retail payment and accounting transactions. Physical controls should also provide for the ability to monitor and document access to these facilities.  Logical controls should include identifying and authenticating retail payment system customers to help ensure the integrity of the payments.  Particular attention to data security is required for emerging technologies.

Financial institutions should implement the appropriate physical and logical security controls to ensure retail payment system transactions are processed, cleared, and settled in an accurate, timely, and reliable manner.  Retail payment systems contain confidential customer information subject to GLBA section 501(b) security guidelines.  Payments data may also be subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). More information on PCI Data Security Standards may be found at the website:  www.pcisecuritystandards.org. The board and management are responsible for protecting the confidentiality, integrity, and availability of these systems and data.  The privacy risk combined with the funds transfer capability should cause these systems to rank high in all institutions' information security risk assessments.  The risk assessments should consider physical and logical security controls for the origination, approval, transmission, and storage of retail payment system transactions.

Physical controls should limit access to sensitive areas to staff assigned responsibility for supporting the operations and business line centers that process retail payment and accounting transactions.  Physical controls should also provide for monitoring and documenting access to these facilities.

Management should assign appropriate logical access to staff responsible for retail payment-related services and should base access rights on the need to separate the duties of personnel responsible for originating, approving, and processing the transactions.  Appropriate identification and authentication techniques include requiring unique authenticators for each staff member with strong password requirements.

Logical access controls should permit access on a need-to-know basis and should assign access to retail payment applications and data based on functional job duties and requirements.  Logical access controls should also protect network access.  An institution's risk assessment should require protection of retail payment systems from unauthorized access through appropriate access controls, network and host configuration, operation, firewalls, and intrusion detection and monitoring.  The risk assessment should also review the security of all third-party service providers.  Some institutions accomplish this by isolating all payment-related applications and systems from other production applications.

A critical element in ensuring retail payment systems integrity is the appropriate identification and authentication of retail payment system customers.  Transaction authorization (e.g., the approval of a funds transfer or guarantee of funds) is an essential precondition leading to the interbank transfer of funds.  Financial institutions should establish an adequate internal control environment for the issuance of bankcards and related PIN.  These controls can minimize processing errors and fraud and protect the confidentiality of customer and institution information.

The use of newer and emerging technologies presents new security challenges.  As new retail payment products and services are developed, it may become necessary to modify methods for customer identification and authentication to ensure their effectiveness.

Many electronic banking applications use Internet-based, open network standards and rely on commonly accepted technologies to secure transmissions (e.g., secure socket layer [SSL] or other virtual private network [VPN]).  The institution should establish a secure session before consumers can submit their personal banking information, and should maintain the secure session until the time of final data transmission.

Retail payment systems should incorporate sufficient security procedures and controls to verify the integrity of the data, the confidentiality of the transmission, and the authenticity of the communication partners and data sources.  The selection and use of authentication technologies and methods should depend upon the results of a financial institution's risk assessment process.  Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.  Single factor authentication alone is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.  Using digital certificates, leveraging the public key infrastructure (PKI), employing biometrics and card or token-based techniques can provide cost-effective solutions for augmenting traditional technical controls. FFIEC Guidance "Authentication in an Internet Banking Environment," October 2005 & "Authentication in an Internet Banking Environment - Supplement" June 2011.

Institutions that participate in payment card systems should develop processes to ensure compliance with the PCI DSS.  This standard is discussed further in the "Merchant Acquiring" section.

Institutions should have a response program in place that addresses security breaches, including incidents with their third-party servicers.  The program should include the investigation, customer notification, if applicable, and reporting processes for regulatory and law enforcement agencies.

 

Previous Section
Audit
Next Section
Business Continuity Planning