iPay Secure Payment is a disruptive next-generation digital app that is contributing to the displacement of traditional financial services companies in the payments arena.
It gives consumers an alternative way to make secure instant electronic payments, with none of the transaction fees banks typically charge.
iPay has achieved Payment Card Industry Data Security Standard (PCI DSS) v3.2 accreditation with the help of Galix, an accredited PCI Quality Security Assessor.
Mitchan Adams, iPay’s CTIO, comments: “Passing the PCI DSS audit certifies that iPay has put in place all of the industry standard best practices required for handling sensitive customer data. It gives our customers, and the banks, the surety that their data is in safe hands.”
The iPay app enables consumers to make an instant, secure EFT (electronic fund transfer) payment straight into any bank account. That’s right – no credit card required. And consumers don’t need to pay the standard transaction fees that the banks and the credit card companies demand to complete the transaction. The merchant pays and is happy to since the transaction fee iPay requests is substantially less than a credit card company would charge. Everyone saves. So why did iPay need the PCI DSS accreditation if credit cards are not going to be their clients’ a primary means of payment?
For iPay, the PCI DSS accreditation opens a number of doors in terms of new business models and markets.
Says Adams: “Because we are a new-generation service provider, the banks wanted the assurance that we understood and enforced the security requirements needed to process payments. We are exploring additional partner models that will assist the banks to offer their clients instant EFT options – a move that will expand iPay’s customer base and also offer the bank’s clients new ways to transact.
“In addition, the PCI DSS standards align with ISO 270001 information security management system standards. Both sets of standards have worldwide recognition so are particularly relevant if we want to enter international markets with iPay, something we are currently exploring.”
The PCI DSS certification took six month to achieve. It included gathering evidence and putting policies in place.
Johannes Briel, qualified security assessor (QSA) at Galix, explains: “PCI DSS certification is complex. The standard covers every system within iPay that has anything to do with sensitive payment or credit card information – how the data enters and exits an organisation, who has access to it or handles it, how it is used, transported and stored. It covers the people, processes, the physical facility and the technology (software, hardware, network security) – as well as every other system that intersects with these systems.”
A particular challenge was moving the iPay operations out of a hosted cloud environment and onto its own infrastructure.
Says Briel: “As part of the audit, new hardware was specified to handle the volume of transactions and backup requirements. Once it was in place, we could get on with the measuring, monitoring and testing required to meet the PCI standards. iPay already had a number of governance policies in place but PCI is very specific, so we built on those.
Adams adds: “The audit took six months to complete, which I believe was well done. We are pleased with the assistance we received from Galix and will continue the relationship, receiving ongoing support from Galix to ensure we meet quarterly and annual audit requirements.”
Notes Briel: “We believe our services is more about partnering with our clients to deliver value then just doing an audit. These standards are important to iPay’s credibility in a competitive market, giving customers, prospective partners and consumers the confidence that their services are well secured – to world-class standards.”