Security is paramount to smooth operations and to mitigating risk. This is especially true when partnering with a payment provider, which must safeguard all data so that you and your students are protected from data breaches, fraud, scams, compliance violations, and more.
Here are four questions you should ask any payment provider to be sure you are covered.
1. What is your ADA accessibility rating and how is it tested?
Payment providers can use any number of tools to assess Americans with Disabilities Act (ADA) accessibility compliance (in practice, conformance is usually measured against the WCAG guidelines), and the tools vary in how and what they report on. Ask which tools each provider uses, whether they supplement automated scans with manual audits, and how often those audits are run. A provider that relies on a single automated scan, with no manual checks and no regular (for example, monthly) re-testing, may fall out of compliance without noticing.
2. Do you and your vendors have SOC 2 reports?
A SOC 2 (System and Organization Controls, formerly Service Organization Control) Type 2 report is an independent review of an organization's internal controls over a period of time, confirming that data remains secure and confidential. The external auditor evaluates the cyber security program to confirm it has implemented both preventive and detective controls against unauthorized access and disclosure of information. It is important to determine who actually holds the SOC 2 report (your provider or only their vendors) and which of the five trust services criteria it covers: security, availability, confidentiality, processing integrity, and privacy. If your payment provider does not have a SOC 2 report of its own and instead relies on its vendors' reports, it will be difficult to know how the provider's own internal controls really work.
3. What level of PCI compliance do you have?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit payment card data maintain a secure environment. PCI DSS compliance helps ensure a vendor's systems are secure and helps prevent payment card fraud. There are four compliance levels, assigned by the number of transactions processed annually, and the way compliance is validated differs by level: the lower the level number, the more rigorous the validation. Level 1, the highest, requires an annual on-site assessment by a Qualified Security Assessor rather than a self-assessment questionnaire. A provider validated at Level 1 has had its handling of your students' sensitive payment card data independently examined.
4. How do you maintain data privacy standards?
With regulations constantly changing, it is important that vendors take the necessary steps to stay ahead of the requirements and remain compliant. From the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA) to the Family Educational Rights and Privacy Act (FERPA), data privacy regulations are complex and vary worldwide. Check whether your payment providers have a Privacy Officer dedicated to maintaining privacy standards, and find out how they keep up with these regulations. Failure to comply may put you and your students at risk and can prove costly.
First-class security & privacy with Flywire
Flywire is committed to maintaining the highest level of security and privacy standards to protect our client institutions and the students and families they serve. Flywire undergoes a SOC 2 review annually and is compliant with ADA, PCI DSS, and privacy regulations (GDPR, CCPA, PIPEDA, FERPA, etc.).
Our global payment network allows us to securely process and settle funds to your bank account for both cross-border and domestic transactions. In addition, our bank-grade encryption ensures that funds and all associated data are delivered to your institution safely and accurately. To further protect our clients and payers, we continually monitor the dark web and notify anyone whose information may have been exposed or compromised. Flywire also requires our vendors to be SOC 2 compliant, and we maintain a robust vendor management program that is included in our audit. Additionally, our dedicated Privacy Officer is a member of the International Association of Privacy Professionals and continually monitors changing requirements and regulations to ensure Flywire's compliance.