Why We Went for SOC2
First published: 15/12/2021
Okay is about security. Because we protect the most sensitive part of the payment process, that commitment to security also means a commitment to compliance. Taking the next step in our compliance journey doesn’t just cover our bases in the event of an audit; it forces us to keep challenging ourselves on risk, on business decisions and on customer satisfaction. In this week’s blog, we talk about our 2021 compliance process with SOC2, and how we landed there.
I’ll start with a playful question from a recent call with a prospective customer: “We understand that Okay brings strong protection against hackers, but who is going to protect us against you?”
To answer this question, we start by clarifying: Okay works with financial institutions and banks, offering protection during what is seen as the most sensitive aspect of the payment process: transactions. Transaction authorisation is so deeply embedded in our customers’ security setup that the question is, in fact, a legitimate one.
Within their buying processes, financial organisations are required to screen their vendors and assess their security at the due diligence stage. In practice, this means they typically send a questionnaire with 100+ questions to check whether it is safe to do business with a potential vendor.
For us, organisational security has been high on the agenda, so we started a new compliance process in 2021 after completing the most recent round of product compliance. There were a couple of “standard frameworks” we reviewed, but we ultimately decided to opt for SOC2.
Product Compliance First, Organisational Compliance Second
The first priority was to make sure that our product, the Okay Strong Customer Authentication platform, complied with the Regulatory Technical Standards of PSD2. We updated our compliance in 2020 and early 2021 with Prosa and SRC GmbH. There is no such thing as a PSD2 certification, but a thorough audit of the product and service assured our customers that they could integrate a compliant solution into their overall PSD2 effort.
The organisation’s own security and resilience were the next high-priority items, as they are part of the overall service we provide. For this we looked at two frameworks. The first was SOC 2, an audit framework designed by the American Institute of Certified Public Accountants (AICPA) for reporting on the controls a service organisation has in place for security, availability, processing integrity, confidentiality and privacy. The second was ISO/IEC 27001 (or ISO27001), an international standard for information security management systems published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). We chose the former.
So, Why SOC2?
SOC2 originates in the US, while ISO27001 is the international standard that European customers more commonly ask for. Given our focus on PSD2, we are clearly set in Europe, at least for now. So why did we go for SOC2?
We thoroughly reviewed both options and what each would mean for our organisation. SOC2 looked like a more appropriate step towards compliance for a lean organisation like Okay, and would allow us to focus on the aspect that matters most to our customers: security. We even compared the InfoSec (Information Security) requirements in our customers’ questionnaires with the SOC2 requirements. The conclusion? It made sense, as the two generally matched well.
We also opened up the topic with our customers, prospects and partners. Although SOC2 comes from America, it is well regarded in our market by our stakeholders, and represents a token of our efforts to secure our processes and systems. This was confirmed by our auditor.
What We’re Doing
For speed and efficiency around SOC2, we used a SaaS tool from Tugboat Logic. The tool allowed us to quickly review and modify the policies that underpin all our core processes. This was also a chance to refine our GDPR-linked policies.
Afterwards, we looked at all the controls we had to put in place to enforce and monitor those policies. We also mapped the evidence our customers’ security questionnaires ask for against what we would need to show an external auditor during a formal audit.
Our goal is to complete the process in early 2022, but note that this is no small task. To help guide us on priorities and on what a good first-level audit would look like, we have onboarded a consultancy firm. Such an audit will take time: a first SOC 2 report can cover the design of the controls at a point in time, but a full report requires evidence that the controls actually operated over an observation period, typically 6 or 12 months, so the checks have to keep running after the initial review.
Ultimately, we have initiated a process that we don’t plan on stopping. While we are continuously working towards compliance, it is not just for the sake of being compliant. It also helps us run the business securely, regularly reassess how we do business, expose risks and new threats, and make sure we don’t end up with loopholes. SOC2 is therefore a sound first step for Okay and, as we grow, we will certainly revisit the framework and consider ISO27001 again.