FISERV Delivers: Safety, Security, and Compliance with HITRUST r2 (formerly CSF) Certification

HITRUST in the Financial Services Technology Sector

In today’s rapidly evolving and increasingly complex digital landscape, data protection is more critical than ever before. Customers want to be sure that companies with whom they do business are taking every imaginable precaution to safeguard their data. Many companies are not only expected to protect their customers’ most sensitive financial information and manage information risk, but they also must be able to deftly handle another layer of complexity — the strict compliance and regulatory requirements across the various industries they serve.

Staying current on proposed compliance changes, updates to existing regulations, and rollouts of new regulations can be overwhelming. And when ample amounts of time and resources are spent achieving and maintaining compliance with government regulations and industry standards — including ISO, NIST, PCI DSS, GDPR, SOC 2, HIPAA, and state laws — an organization’s commitment to providing robust data security can lose the important attention it demands. By utilizing a controls-based framework that is continuously updated and industry agnostic, Fiserv ensured they stay on top of all relevant compliance standards.

Fiserv Strives to Evaluate the Security and Risk Management Efforts of its Entire Supply Chain

Fiserv Inc. is an industry leader in financial services technology that serves thousands of financial institutions and millions of businesses in more than 100 countries. The company creates and delivers multichannel billing and payment solutions, processing services, and customer and channel management across many industry sectors including banking, government, healthcare, retail, telecommunications, and utilities.

Fiserv is one of the many cross-industry organizations that are starting to adopt HITRUST. In 2017, Fiserv Biller Solutions began the journey towards HITRUST Risk-based 2-year (r2) Certification. Fiserv quickly realized that the HITRUST CSF was just as effective when used to address the other industries the company serves. The framework provides a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Organizations can tailor the security control baselines within the framework based on organization type, size, systems, and regulatory requirements.

The goal for the certification was to measure and attest to the effectiveness of its own internal security and compliance efforts to leverage the CSF to evaluate the security and risk-management efforts of its supply chain of third-party vendors. The importance of supply-chain security cannot be overstated in any industry, but it is particularly critical in the Fintech sector. It only takes one weak link in a chain to allow cybercriminals access to the entire supply chain’s ecosystem of products and services.

“One of our core values is to ‘Do the Right Thing,’ and we extend this into our risk management program,” said Brenda Magri, Senior Director of Security Strategy in Biller Solutions at Fiserv. “So, with the HITRUST CSF, we are always protecting data on behalf of ourselves as well as our clients and business partners in our ecosystem.”

With the HITRUST CSF and its established standards for data protection, Fiserv Biller Solutions now has the tools to identify security, privacy, and compliance gaps that may exist in a vendor or business partner’s processes and notify the vendor so those gaps can be closed. This protects the data of Fiserv clients and upholds the reputation of both companies.

“Our controls are aligned to the HITRUST CSF,” Magri said. “That gives us a comprehensive set of security controls along with a maturity assessment, which works more effectively than a point-in-time assessment.”

Because HITRUST’s assessments are scored based on the PRISMA maturity model, companies can compare their security and risk management scores year-over-year, lending clarity to the growing maturity of an information risk management program. If a score decreases, the IT team can evaluate if a process or training failure was the cause and then determine the necessary remediation.

“At Fiserv, we like to perform audits for that very reason,” Magri explained. “If there’s a problem, we want to know so we can fix it right away. Ultimately we want to protect data the very best we can.”

HITRUST Satisfies Customer Security Concerns

How does HITRUST benefit customers? A certification is a tool that can be leveraged across multiple industries to prove that organizations’ security and privacy controls are in place and doing what they’re meant to do, depending on the division being served.

FISERV: Demonstrating Leadership and Commitment

Fiserv helps its customers deliver financial services, solutions, and experiences that are in step with the way people live and work today. In addition to the broad expertise and industry-leading technology and service customers have come to expect from Fiserv, the HITRUST Risk-based 2-year (r2) Certification demonstrates a commitment to the robust security, privacy, and compliance programs that are required in the industries the company serves.

Magri has seen first-hand how the HITRUST CSF has helped raise the level of security and risk management awareness at Fiserv. “I have security and risk conversations with my peers, the board, the executive leadership team, the CTO, and the CSO,” said Magri. “Each conversation helps us explore a different area of security and compliance. Are things working? What gaps do we have to close? And at what remediation cost? The CSF is a great tool for getting everyone onto the same page.”

By maintaining rigorous internal security, privacy, and compliance measures as well as effectively evaluating the security and risk management of third-party vendors, Fiserv Biller Solutions can assure its customers that its entire supply chain ecosystem is protecting their most sensitive data, information, and digital assets every step of the customer journey.