“As an extension of our team, our Sysnet assessors have brought us a lot of credibility because they clearly know about the subject matter and can apply it pragmatically to our business challenges.”
Simon Martin, Global Head of the Security Governance and Compliance team at Worldpay.
Worldpay is a global leader in payments processing technology and solutions for merchant customers. It operates reliable and secure proprietary technology platforms that enable merchants to accept a vast array of payment types, across multiple channels, anywhere in the world.
Worldpay has been a pioneer in card payments, multi-currency processing, online payments and contactless, and is aiming to lead the way in data analytics and optimisation as well as the emerging field of integrated payments.
On a typical day, Worldpay processes more than 31 million mobile, online and in-store transactions. It supports 400,000 merchants in 126 currencies across 146 countries, offering more than 300 payment methods.
Worldpay’s objective is to be a world leader in security. Assuring policy and security controls across the enterprise is a crucial function and a number of teams work together to ensure that controls are embedded into the design, build, test and eventual deployment of new products as well as in changes to existing products.
To validate the work done by these teams, Worldpay engaged Sysnet’s consulting division to undertake its annual assessment. Sysnet has worked with Worldpay on a variety of projects over the last five years and this was a logical extension of that relationship.
Compliance-related issues include anticipating new and emerging threats, helping to shape evolving standards and – perhaps most significantly – balancing innovation with compliance requirements. Worldpay sums up its approach as ‘responsible innovation’.
As part of its drive for innovation, the company is employing leading edge technologies. Worldpay’s Global Security Services teams constantly have to stay ahead of new developments and anticipate the risks and challenges these may pose when being introduced to the environment. These challenges include those of compliance; after all new technical innovations do not always readily align with standards such as PCI DSS.
One of the reasons for this is the complexity in interpretation of the PCI DSS standards – an area in which Worldpay leans heavily on the expertise of Sysnet. It is commonplace for business initiatives, technical innovations and PCI’s referral to external requirements such as those of NIST, to require an interpretation from a PCI perspective. Whilst Worldpay’s Security Governance and Compliance team provide this across the Worldpay organization, there are often situations that challenge the team. This is one area where Worldpay’s partnership with Sysnet truly realizes its value.
“One of the most important aspects of the service Sysnet provides is that its QSAs (Qualified Security Assessors) are not only familiar with the latest developments in technology – they are also able to come armed with practical and pragmatic solutions to business as well as technical issues to ensure compliance is maintained,” says Simon Martin, Global Head of the Security Governance and Compliance team at Worldpay.“This is an approach we don’t often see from other partners.”
“When we bring the QSAs to the table with our technical or business teams they are effectively an extended part of our team. If a question cannot be answered correctly or comprehensively, it undermines our credibility,” adds Simon. “As an extension of our team, our Sysnet assessors have brought us a lot of credibility because they clearly know about the subject matter and can apply it pragmatically to our business challenges.”
This has enabled Simon’s team to raise its game, making it more sustainable and stronger in its security controls. The team appreciates the difference between a box-ticking approach to compliance and working with specialists who have genuine technical insight, can interpret the intent of the requirement and determine if the technology, and its supporting processes, is meeting that intent and how it can be improved.
Worldpay has also used Sysnet’s project support unit for support in reviewing documentation and providing feedback on issues that required attention, highlighting potential non-conformities and enabling the QSA to focus on finding solutions.
Sarah Tapping, who has responsibility for Global Industry Compliance within Worldpay’s security practices, acknowledges that in the past there had been some resistance to utilising the project support unit because of concerns they wouldn’t have the intimate assessment knowledge and were perceived to be duplicate resource.
“Having worked with the team I would definitely recommend this approach to other customers” she says. “We gather a large volume of evidence during audits and the project support unit are able to focus on the evidence review instead of tying up the QSA. This allows the QSA to focus on consultancy or onsite audit activity and therefore allows me to run multiple audits simultaneously with only one QSA.”
One of the most valuable aspects of Sysnet’s work with Worldpay is that it can deliver separate Reports on Compliance for each of its customer propositions (e-commerce, integrated payments, acquiring, etc). This has helped the Security Governance and Compliance team deliver against its business needs in suppling ROCs and AOCs for individual products.
“This has helped us raise the bar in terms of achieving security initiatives that would otherwise have been a lesser priority and put us on a good footing to start to mature our programmes around various security disciplines in areas such as network security or product development,” says Simon. “We are well placed to push on and become more mature and innovative in those spaces.”
Whilst often needing to audit by product in order to meet customer needs, Worldpay has still managed to unify its audit activities. Assessing against the practice rather than the individual system has helped the company unify these assessments and leverage economies of scale and efficiencies.
“Worldpay wanted to reduce audit activity overhead to allow stakeholders to concentrate maintaining day to day compliance and also to encourage PCI to be seen as a BAU activity. Sysnet has supported us throughout these efficiency drives by identifying synergies in technologies and processes, whilst ensuring that we do not compromise on the quality of our audits” says Sarah.
Consistency of approach has been a core element of the relationship between Worldpay and Sysnet. Sysnet’s QSAs have become deeply knowledgeable about the business and its people and thus quickly and easily integrated into the internal teams.
Worldpay operates a large and complex environment in a fast moving business. Over the last few years the company has undertaken a number of challenging projects, including migrating a number of data centres during the assessment period.
In addition, in January 2018 Vantiv – a leading provider of payment processing services and related technology solutions for merchants and financial institutions in the US – announced that it had completed the acquisition of Worldpay Group.
“The Sysnet QSAs were a key element of the data centre migration teams, providing guidance so that the facilities were compliant at the point they migrated rather than migrating the facilities and then having a period of working through the compliance aspects,” says Simon.
“Obviously the biggest challenge we have faced in terms of complexity is that we have merged with another company. That will create further challenges but I have every confidence that the Sysnet team will take this in their stride.”
Simon says his experience of working with Sysnet has been extremely positive. “Sysnet has become a mainstay of our overall compliance program. I look forward to continuing our journey with them and expanding our relationship into new ventures,” he concludes.
