Written By: Ray Jackson, Chief Information Security Officer, Telrock Systems
July 2023
More and more businesses are exploring the benefits of adopting a SaaS solution to meet their collections and recovery software needs, and there are many considerations a client organization could explore to inform their choice of preferred provider.
Ask yourself these questions:
- Is the solution truly ‘cloud native’, e.g., has the software been specifically developed to exploit the benefits and capabilities of modern cloud infrastructure in terms of service-oriented application design, auto scaling, leveraging elastic resource capacity, consumption of APIs, use of DevOps to develop and run applications faster, utilization of self-healing, monitoring capabilities, etc.? Or is it an older, legacy application, that has been partially re-assembled under the covers to operate in a cloud environment (‘cloud enabled’) but falls short of being able to fully exploit cloud infrastructure?
- Does the SaaS delivery model meet the needs of the client organization in terms of the required support? For example, does the potential provider offer a 24x7x365 support model for both the software application AND the cloud infrastructure, as standard? Or is support only available during ‘normal’ office hours?
- Most client organizations strive for as much control as possible when it comes to adapting to changing business requirements as soon as possible. Is the application extensively yet easily configurable (for example to add or amend rules/workflow, add new products, fundamentally adapt the UI, amend system parameters, and amend or create interfaces) via inherent ‘no code’ administration tools that require no traditional IT or programmer resources? Or is there a reliance on provider resources or internal IT resources that might be prioritized elsewhere?
One clearly important consideration is the area of information security – does my potential solution provider have a mature and adequately assured information security posture, capable of protecting my customer data, and does that posture rise to the expectations of my customers, my internal and external stakeholders and the regulatory authority that oversees or supervises my business? Irrespective of the particular country or jurisdiction a SaaS solution provider operates in, and the specific laws and regulations impacting that solution provider, several broad themes apply; the solution provider can be described as a ‘Service Provider’ and a ‘Data Processor’, as those terms apply to relevant local laws and regulations. This article sets out to help demystify this particular area of consideration for client organizations and identify some of the nuances to help those client organizations make informed choices relevant to appropriate and required information security standards, provider accreditations and security posture.
Making Sense of Standards/Accreditations
Payment Card Industry Data Security Standard (“PCI DSS”) or ISO 27001? What about Service Organization Control (“SOC”) audits and what are Type 1 and Type 2? What are SOC Trust Services Criteria? What about other standards or accreditations?
Broadly, the PCI DSS (the “Standard”) sets out specific defined control requirements, set down by the Payment Card Industry Security Standards Council (PCI SSC), that must be met in order for organizations, such as Payment Card Merchants or Service Providers, to be deemed PCI DSS compliant. Version 4.0 of the Standard was released in March 2022, with a latest implementation date at the end of March 2025. Up until that date, organizations can attest to version 3.2.1.
There are significant updates to the Standard in version 4.0, and a summary of the changes can be found here: https://listings.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf. While this Standard is designed to provide a level of assurance around the security of payment card data held in a Cardholder Data Environment (“CDE”), some organizations adhere to the Standard across some or all of their enterprise (application and infrastructure), whether they process payment card data or not, thereby adopting the Standard as a broad proxy for demonstrating their information security posture for all types of confidential information. Generally speaking, a provider of SaaS collection software that either supports payment via payment cards (whether the card data is maintained in the software database or not) or has simply adopted the Standard as a baseline information security standard, and is accredited as ‘PCI DSS compliant’, can be viewed as demonstrating some level of information security maturity.
Focusing on what matters
There is, however, a fundamental nuance in the level of PCI DSS accreditation that prospective clients should focus on – some Service Providers or Merchants (typically those with low volumes of transactions) are permitted by the PCI SSC and the primary ‘Card Schemes’ to ‘self-certify’ their compliance with the Standard, i.e., declare themselves to be compliant with the Standard, without any third-party validation. On the flip side, more mature organizations are designated as ‘Level One Service Provider’ PCI DSS compliant organizations, and in order to achieve that accreditation, are audited against the Standard by an independent Qualified Security Assessor (“QSA”), approved and authorized by the PCI SSC. Level One Service Provider organizations will typically invest more resources and third-party costs to meet the audit process burden and ensure ongoing compliance. Those solution providers that rise to the higher test of being subject to independent audit of compliance with the Standard will be identified as ‘Level One Service Provider’ PCI DSS and will be able to produce an Attestation of Compliance (“AOC”) with the PCI DSS Standard, signed by an approved independent and authorized QSA. Prudent prospective clients of SaaS based solution providers would be well placed to recognize the potentially different information security risk posture between a self-certified solution provider and one that has been subject to independent audit.
While still aimed at providing a mechanism designed to foster a structured approach to information security assurance, instead of providing a defined set of control requirements that PCI DSS mandates, ISO 27001 provides a framework for organizations to put in place a set of policies and controls the provider believes is relevant to their organization. Achieving ISO 27001 certification demonstrates that an organization has implemented and maintained robust security controls in line with international best practices. To obtain ISO 27001 certification, organizations must undergo an audit conducted by an accredited certification body. The important nuanced difference between ISO 27001 and the PCI DSS Standard is that PCI DSS tells you what it expects to see in unambiguous terms (rules-based control standard), while ISO 27001 expects you, the client, to determine what risks your organization might be exposed to and whether the actual controls put in place by your SaaS solution provider, under the ISO 27001 framework, are actually adequate to protect your customer information (risk-based control standard).
With regard to Service Organization Control (“SOC”) audits, a SOC 2 Type 1 is an audit of controls at a specific point in time, whereas a SOC 2 Type 2 is an audit of controls over a period of time (usually a 12-month period) and provides the auditor’s opinion of the effectiveness of those controls. The latter is more beneficial to interested parties, such as clients and partners, as it is more comprehensive and shows a greater level of audit assurance. Although it covers the same controls as a Type 1, Type 2 audits go further in-depth on the operating effectiveness of the controls, with evidence examined by the auditor, and the results of SOC 2 Type 2 are more indicative of how securely the organization operates. A SOC 2 report can test against five Trust Services Criteria: security, availability, confidentiality, privacy, and processing integrity. Service Providers can elect to be audited against some or all of the five categories, but must, as a minimum, include the Security Trust Services Criteria, which is made up of nine sub-categories that cover all aspects of information security risk.
Lastly, while PCI DSS (self or independently audited), ISO 27001 and SOC 2 Type 1 and Type 2 audits and accreditations are the most common measures of the effectiveness of a Service Provider’s information security policies and controls, some Service Providers offering solutions in the USA may, in addition or as an alternative, align their information security framework with the National Institute of Standards and Technology (“NIST”, an agency within the U.S. Department of Commerce) Cyber Security framework, particularly if the organization provides services to the U.S. Federal government, and have an audit performed against that framework. The NIST Cyber Security Framework covers 7 areas: Identity Management, Authentication and Access Control, Awareness & Training, Data Security, Info Protection & Procedures, Maintenance, and Protective Technology.
Information Security Posture
How can the broader information security posture of a Service Provider impact the security of my customer information? In particular, beyond accreditations or certifications, how does the extent to which that Service Provider demonstrates information security governance affect the security of my customer information?
Regarding a service provider’s broader information security management posture, more mature organizations will have sufficient qualified resources and separation of duties to provide a robust Three Lines of Defense (3LOD) security operating model, that client organizations expect to see and require evidence of. A robust Three Lines of Defense model will provide:
First Line: Control & Risk Ownership – IT, Information Security & Cybersecurity operational functions have the responsibility of managing risk through the protection of data and information systems from inappropriate access, manipulation, modification, and destruction, by implementing and managing people, process, and technology controls, thus ensuring systems and data confidentiality, integrity, and availability.
Second Line: Risk Management & Compliance – Reporting to senior management, the second line duties comprise independent risk management and compliance functions to help build, monitor, and challenge the effectiveness of first line of defense controls, and information and technology risk across the organization.
Third Line: Independent Assurance – Internal or external audit functions remain independent of management, with a direct reporting line to the Governing body (e.g., Audit Committee) providing independent assurance through the evaluation of the effectiveness of governance, risk management and control processes. External audit stakeholders include QSAs, auditors and technical assessment professionals (e.g., penetration testers), who are required to be qualified and independent of the IT system or control custodian.
The 3LOD model provides organizational value by assisting Board and senior management with achieving organizational goals and objectives, while maintaining risk appetite through “well defined” governance practices, and focusing IT governance, security, and privacy investments in the areas most critical to the achievement of organizational objectives.
Summary
In summary, the extent to which a Service Provider protects a client’s customer data can arguably be measured by the investment and effort that a Service Provider organization has and continues to expend, and not all Service Providers are the same. On the face of it, ISO 27001 accreditation is a good thing, because it provides a framework for documenting underlying policies and controls, but if the policies and controls implemented by the Service Provider are not sufficiently robust, then information security risk can arise. Clients relying on a Service Provider’s ISO 27001 accreditation might want to examine and consider the effectiveness of the underlying policies and controls actually implemented by the Service Provider and come to an informed conclusion whether they are sufficient to meet the client’s risk appetite.
Similarly, if a client is relying on a Service Provider’s PCI DSS Attestation of Compliance, that client will likely have significantly more confidence in a Level One Service Provider’s Attestation where the PCI DSS audit has been performed by an independent Qualified Security Assessor certified by the PCI Security Standards Council, than an Attestation provided by a self-certifying Service Provider. A client can ask for sight of the Service Provider’s Attestation of Compliance to determine the level of compliance. Lastly, as noted above, a SOC 2 Type 2 audit goes further in-depth than a Type 1 audit on the operating effectiveness of the controls, with evidence examined by the auditor, and the results of SOC 2 Type 2 are more indicative of how securely the organization operates.
About Telrock Systems
Telrock Systems is a global technology provider of modern cloud-based collections and recovery software solutions for creditors and 3rd party consumer collections organizations wanting improved functionality and smarter capabilities. Our flagship solution, Optimus, is an enterprise-wide collections and recovery software platform built new from the ground up. It leverages open-source technology, powerful cloud computing, PCI DSS compliance, and more intelligent designs resulting in the broadest and richest collections and recovery Software-as-a-Service (SaaS) offering in the market. We provide our solutions in North America and Latin America (LATAM) from our Atlanta office, and in Europe, Middle East, Africa (EMEA), and Asia Pacific (ASPAC) from our London, UK office.
Telrock Systems is a Level One PCI DSS Compliant Service Provider, where the entire application and SaaS infrastructure is audited against the PCI DSS Standard by an independent Qualified Security Assessor, approved and authorized by the Payment Card Industry Security Standards Council. The company is also subject to a SOC 2 Type 2 audit of the Security Trust Services Criteria, by an independent auditor accredited by the American Institute of Certified Public Accountants (AICPA).
About the Writer
Ray Jackson is an information security governance, risk, compliance, and audit professional, with extensive payment card security knowledge, through prior delivery of IT Security consultancy and as a Payment Card Industry (PCI) Data Security Qualified Security Assessor. His qualifications include ISO 27001 Lead Auditor, and he holds a Full Membership of the Chartered Institute of Information Security (CIISec).