Compliance Checklist: What to Ask Your Payments Vendor About Security 

When it comes to global payouts, choosing a secure and compliant payments vendor is critical. Compliance standards like SOC 1 and SOC 2 are no longer “nice-to-haves” but essentials, ensuring that vendors can meet security, privacy, and operational requirements. Security and compliance should be woven into the culture and processes of your payments partner. To guide businesses through this process, Edward Woodfield, Chief Information Security Officer at PayQuicker, shares what companies should prioritize when assessing a global payments vendor. Below are some essential questions for evaluating vendors, the answers companies should seek, and red flags to watch for in the RFP process. 

There are some obvious table stakes when it comes to security and data protection for financial applications: 

PayQuicker attests to all the above, plus some other significant additions: 

  • Added device identification for portal users 
  • Enhanced business continuity with partners, using queued transactions and automated retries to partner API connections 
  • Data minimization (only asking / storing what is needed) 
  • Extra fraud controls (e.g., running OFAC checks on ALL money movement) 
  • High level of transparency (e.g., public uptime tracker, public trust center, questionnaire fulfillment, up-to-date articles) 
  • Contractual attestation to privacy and data protection (e.g., we sign DPAs and GDPR SCCs as needed) 

Table 1: Vendor Differentiators

Top Questions to Ask During Vendor Evaluation 

You can discover much of the above information by reading SOC 1 and SOC 2 reports, or by having companies fill out questionnaires with relevant questions and evidence requests, but to get a good idea of the quality of a vendor’s security and compliance program quickly, start with these questions: 

  1. Do you have SOC 1 Type II and SOC 2 Type II compliance certifications? 
  • Why It’s Important: SOC 1 compliance signifies that a vendor has strong financial controls in place. SOC 2 compliance signifies data protections are in place for the certified (application) scope. Type II reports are tested over a defined period of time, providing evidence that these processes are in place for related business-as-usual activities. 
  • What to Look For: Vendors should provide evidence of current, unexpired SOC Type II certifications. Bridge letters should be easy to obtain on request as well. Make sure the SOC 2 report is of the application and not just from the data center or cloud provider hosting the application. 
  • Red Flags: Lack of SOC certifications. Providing just data center SOC reports. Type I reports should only be used for first-time audits prior to planned Type II audits. Reports older than a year have expired (Type II reports are certified for one year past the end of the defined audit period). 
  2. Are you PCI compliant? [Only applicable for payment card processing – credit or debit] 
  • Why It’s Important: PCI compliance signifies that a vendor implements all applicable controls required by the major card brands. PCI DSS 4.0 also adds many requirements for strong enterprise controls and processes, in particular new risk management requirements, so it is extra proof of a good security program. 
  • What to Look For: Vendors should provide evidence of current, unexpired PCI certifications. Any SAQ audit reports should be signed by an external auditor. Make sure the PCI report is for the company itself, and not one they passed you from a partner or cloud hosting solution. The best would be a current PCI DSS 4.0.1 Level 1 report (Level 1 means it is certified for the highest tier of annual transactions). 
  • Red Flags: Lack of PCI certifications for the application(s) in question. The use of verbiage like “we have customers that are PCI compliant” or “we use PCI compliant partners, like AWS or Azure” means they do not have their own independent audit, even though they should. Reports older than a year have expired (all PCI reports are certified for one year past the date signed). 
  3. Does your privacy policy include compliance with all global privacy laws and regulations, like GDPR and CCPA/CPRA? 
  • Why It’s Important: This is proof of privacy being integrated into a security program, as well as the business accepting its global privacy responsibilities. Many companies say they are GDPR compliant but may not be willing to sign GDPR SCCs when asked. 
  • What to Look For: Many companies say they are GDPR compliant but may not be willing to put that in writing. Though there are compliance audits that can be done (e.g., SOC 2 Privacy TSC, ISO 27018, ISO 27701), most companies do not certify. A great sign of compliance is the SOC 2 report including the Privacy TSC (Trust Services Criteria); if it is not present, ask for attestation to the EU-US Data Privacy Framework (“DPF”). As a last resort you can ask for evidence from corporate policies. The best sign is a willingness to sign GDPR SCCs (or other DPA contract addendums) when asked, since that forces contractual compliance and can add specific SLAs. 
  • Red Flags: Lack of a robust privacy policy. Lack of any audit or attestation (i.e., missing in SOC 2 and no DPF attestation). Unwillingness to either include or sign any requested contractual terms specific to privacy, data protection/handling, or breach notification. 

Summary Review 

Since we are all in the financial services industry, we are not only heavily regulated, but also at greater risk of attack, fraud, and monetary loss. As noted at the start, many requirements are table stakes for our lines of business. The most important thing to note is that no fintech partner should provide an obtuse answer to any of these questions. They should already have them prepared as part of business as usual, make them available in a fully transparent way, and even have proof that a third party audited them for various aspects of their programs and applications (e.g., SOC 2, PCI). 

It is fine if third parties are leveraged to implement a lot of these controls, and in fact it is difficult for all but the largest companies to do most things on their own, but there must be robust vendor risk management, with critical partners clearly called out in audit reports and/or other online postings. 

Think twice whenever you receive a vague answer or note an unwillingness to share basic information. Though internal policies and other documents are proprietary, and certain detailed reports like SOC 2 should be expected to be behind an NDA, basic information retrieval should be low-friction and answers confident and clear. Beware of vendors who downplay external, independent audits, and especially avoid those who do not have security, data protection, and privacy terms in their contracts (or are not willing to complete DPAs or GDPR SCCs). 

Compliance-Driven Innovation: PayQuicker’s Approach to Secure Payments 

At PayQuicker, we understand that compliance isn’t just a requirement – it’s independent proof of our commitment to safeguarding our clients and their payees. That’s why we’ve invested in and achieved certifications for SOC 1 Type II, SOC 2 Type II, and PCI DSS 4.0.1 Level 1 for Service Providers. This has been business as usual at PayQuicker for a while now, and we will continue to expand our compliance program. These certifications underscore our rigorous internal controls, data protection measures, and continuous compliance practices, all designed to ensure a secure and seamless experience for our clients. By partnering with PayQuicker, businesses can trust that their global payouts are managed with top-tier security and compliance standards. 

Please visit PayQuicker’s Trust Center to learn more or speak with one of our team members today.  