[Image: the cover of the OCC's merchant processing booklet.]

When your industry builds software or handles money electronically, standards are perhaps best filed under the "necessary evil" banner: No matter how out of touch they may seem — or what a pain they may be to people on the back end — they're created to help end users who put the money there to begin with, and that makes them worth following.

Which is why the recent revision of the Comptroller's Handbook Booklet by the Office of the Comptroller of the Currency (OCC) is so crucial to all companies involved in the merchant processing spectrum. With its 86 pages of dry language, the document is not exactly a gripping read. Here are some of the most important points we found in our look through the document, though we'd certainly advise reviewing it yourself if you're in a field governed by the OCC's regulations.

The Importance of Due Diligence

When you're a kid, holding your hands over your ears and shouting "La-la-la!" can be an excellent defense against all sorts of problems. When you're a bank engaging in merchant processing, or another company dealing with electronic funds, it's just about the poorest solution possible.

Thus, we have the OCC's major focus on due diligence. There's an emphasis on major there: A CTRL-F search of the document reveals 12 uses of the term, almost all of them related to the merchants whose payments banks process.

The focus makes sense: When it comes to financial data security, a business is only as strong as its weakest link. Third-party organizations, by definition, are under less control than a natural arm of that business would be. This is especially true in a field where banks act as a sort of insurance policy between buyer and merchant. If a merchant doesn't have the funds to cover, say, a fine or the financial drain of a major data breach, it's up to the bank backing it to hand out the money. Even if recovery options are available, the road to taking them is often fraught with more expense and hassle — to that end, keeping a sharp eye on merchants from the onset is the only sensible choice.

Technology Service Providers

Due diligence is a big deal for the OCC as it pertains to technology service providers (TSPs), a broadly defined term meant to describe pretty much any outsourced entity helping a bank reach certain technological goals, including those related to data safety and security.

The biggest focus here — again, probably not surprisingly — is making sure those third-party TSPs know their stuff. To wit: "A bank's use of a TSP to provide needed products and services does not diminish the responsibility of the board and management."

How does a merchant-processing bank go about this? It's simple, at least by the OCC's standards: To ensure a TSP is in proper shape, the bank must make sure the company applies the same rules, regulations and standards it would if it were handling the task in-house.

If you've ever dealt with a governmental entity, you know documentation is the name of the game. That's doubly true when dealing with stringent financial standards and expectations. As we noted in our "Address Proof of Software Security for Customer Requirements in 4 Steps" article, being able to provide proof of a product or service's security breaks down like this:

  • Use (and document the use of) secure coding practices;
  • Test for vulnerabilities throughout the development process — not just at the end, or at set points;
  • Educate developers on security issues;
  • Let your customers know what you're doing to stay secure;
  • Produce a binary static analysis artifact to address increased requests surrounding your software security.

In this instance, rigorous documentation can save more than time and hassle — it can prevent TSPs from facing the cold, sterile wrath of several governmental entities. As the OCC's publication says, any TSP entering into a business relationship with a regulated financial institution automatically subjects itself to the authority of several governing bodies, including the OCC and the Federal Reserve Board of Governors. It's another step in the chain of accountability and due diligence preached in the document to begin with.

The good side of all this documentation, of course, is safety for the TSP itself, not to mention the financial institution that brought it on board to begin with. By taking steps to stay secure before security becomes an active concern — something we've stressed since day one — the TSP can show regulators and governmental entities alike that it knows what it's doing and intends to keep it that way.

In a field that loves its audits (49 mentions of the "a"-word in the newest OCC document alone), that's not just good business. In our view, it's the smartest way possible to do business.

Photo Source: Flickr

John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.
