
15.10.2024 | Last updated: 15.10.2024


Security questions to ask in your payment hub RFP

Executive summary:

Security is one of the top aspects to address when drafting a Request for Proposal (RFP) for a payment hub or any other cloud-based service. Vendors must show that they have strong measures in place to protect your data, ensure compliance, and prevent breaches. But which specific questions should you ask to verify their security practices?

Brian Hopkins, CISO at Nomentia, offers a list of critical security-related questions to include in your RFP. He also provides practical tips for evaluating vendor responses and identifying what makes a vendor’s security solid or weak. Additionally, Brian highlights common mistakes companies often make when crafting security questions for payment hub RFPs and suggests ways to avoid them. 


Meet our security expert

Brian Hopkins, Chief Information Security Officer at Nomentia

Brian is responsible for internal operations and processes at Nomentia, including information security, data privacy and corporate ICT. Brian has over two decades of experience in payment automation, including key roles in product delivery, product management, carve-out projects, HR and information security.

Brian's extensive experience and close co-operation with customers have given him a deep understanding of how cash management has evolved in organizations, from manual repetition to process automation and exception management.


Why are security questions essential in Requests for Proposal (RFP)?

In a traditional on-premises model, the organization manages its own security. When purchasing cloud-based services, particularly for critical tools like payment hubs, the provider becomes responsible for the protection and continuity of the service. As a purchaser, you need to be sure that the vendor you choose maintains the highest security standards.

When looking for a payment hub, which is a cloud-based solution, companies typically issue a Request for Proposal (RFP) to outline their project requirements, expectations, and evaluation criteria, and vendors submit proposals to meet those needs. Since the vendor is responsible for security, security must be a key focus of the RFP. This ensures the provider can protect sensitive data, comply with regulations, and maintain continuity in case of incidents. To evaluate vendors effectively, you must first ask the right questions about security in the RFP.

In the next section, Brian will share important security areas where you should have questions for vendors and some examples of questions you can use.


Key security questions in your payment hub RFP

When building security questions for a payment hub RFP, the approach can vary based on the size, needs, and industry of the organization. Larger companies may have more specific and detailed requirements, while smaller ones focus on high-level concerns. However, certain key areas should always be included in an RFP. Here are those areas, with example questions to assess a vendor's security capabilities:

Certifications and assurance reports

First, check whether vendors hold relevant certifications, for example ISO/IEC 27001, since these cover important aspects like physical security, HR security, access control, and business continuity. These certifications are audited by independent third parties, which gives assurance that the vendor adheres to industry-standard security practices. If a vendor holds such certifications, companies usually do not need many detailed follow-up questions.

In addition to certifications, request assurance reports from independent auditors. These reports, like the SOC 2, ISAE 3000 series, and ISAE 3402 series, provide detailed insights into the vendor’s security measures. Brian emphasizes that audit reports from a third party can show the vendor’s strengths and reveal any gaps that may need improvement.

Example questions for your RFP:

  • Do you hold security certifications such as ISO/IEC 27001?
  • Can you provide independent third-party audit reports?

HR security

Since people are often considered the weakest link in any security chain, companies should evaluate the vendor's HR security. Ask how the vendor trains employees on security practices and whether it performs regular background checks. Such questions give a full view of how employees are trained and re-screened, so you can judge whether the vendor's workforce can handle sensitive data securely.

Example questions:

  • How do you train employees on security protocols, and how often are they retrained?
  • Do you conduct background checks and periodic re-screenings for employees?

Access control   

Access control is one of the top security measures to assess. You should thoroughly understand a vendor's capabilities in managing and limiting its employees' access to both its own and its customers' data and systems. Vendors should implement the principle of least privilege, giving employees only the minimum access necessary for their jobs. This minimizes the risk of data misuse or breaches.

Additionally, ask about the onboarding and offboarding processes for managing access rights. You want to ensure that former employees' access to systems is revoked immediately to prevent unauthorized data access. Understanding how vendors control access, especially for privileged roles, will give you confidence in their ability to maintain a secure environment.

Example questions:

  • How do you ensure employees follow the least-privilege access principle?
  • What processes are in place for managing and revoking employee access?
  • How often are access rights reviewed and updated?

Physical security   

While much of security is digital, the physical security of the vendor's data centers and offices is just as critical. Ask about the measures used to protect physical assets, such as surveillance cameras, biometric access, and visitor logging. You should also inquire how the vendor monitors and controls access to these facilities.

If the vendor operates data centers, check that it has protocols for potential disasters like floods, fires, or power outages.

Example questions:

  • What physical security measures do you use at your offices and data centers, and what are they in detail?
  • Do you log and monitor access to these facilities, and how do you control visitor access?
  • How do you ensure business continuity in the event of a physical disaster?

Network security   

Next, assess the vendor's network security measures, such as segmentation of sensitive systems and firewall protection. Vendors must divide their networks into segments to contain the spread of a potential breach, so that sensitive data remains secure even if one area is compromised.

Another aspect is vulnerability scanning and penetration testing. Brian highlights the importance of frequent testing, as it ensures that vulnerabilities are identified and resolved before they can be exploited.

Example questions:

  • How do you segment your network to protect sensitive systems?
  • How often do you conduct vulnerability scanning and penetration testing?
  • Do you use third-party testers in addition to internal teams?

Secure development   

If the vendor develops software, ask about its secure development lifecycle (SDLC). Security should be embedded in every development phase, from planning to deployment. This is why Brian recommends asking whether the vendor uses tools like static code analysis to catch vulnerabilities early.

In addition, it is worth asking how the vendor manages third-party components. Modern cloud services typically use dozens or even hundreds of third-party components as part of the service offering. A vulnerability in one of these components can cause damage even if the provider's own code is secure. Make sure the vendor scans these third-party components for known vulnerabilities as part of its security process.

It is also worth asking whether new features are penetration tested before release, so that any security weaknesses in new code are identified and addressed before it goes live.

Example questions:

  • Do you follow a secure development lifecycle (SDLC)?
  • Which tools do you use for static code analysis and vulnerability scanning?
  • How often do you conduct penetration testing on new features?

Incident response

Even a highly secure system is not immune to breaches, so how a vendor responds to incidents matters significantly. You will want to ensure the vendor has a documented process for identifying, responding to, and mitigating security incidents. Regular testing of that process ensures the vendor can handle real-life breaches efficiently.

Brian also points out that clear communication protocols are key to an effective incident response plan. The vendor should be able to inform you promptly of any data breach and provide a detailed remediation plan. It is also essential to consider the regulatory landscape when discussing incident response. For instance, the EU GDPR mandates specific reporting obligations for data breaches, which the service provider must commit to. These terms should always be set out in the data processing agreement, which is typically included as an appendix to the service contract. This ensures both compliance and accountability in the event of a breach.

Example questions:

  • Do you have a documented incident response plan, and how often is it tested?
  • What is your process for prioritizing and responding to incidents?
  • How will you communicate with us in the event of a security breach?
  • How do you ensure compliance with regulatory requirements like GDPR in case of a data breach?


Avoiding mistakes in RFP security questions and evaluating vendor responses

Common mistakes when asking security questions in an RFP

Brian notes that many buyers make the mistake of relying too heavily on detailed questionnaires, sometimes with hundreds of questions. Instead, focus on high-level security certifications and assurance reports, which often cover the same ground as these detailed inquiries. You should:

  • Rely on certifications: Trust the thoroughness of third-party audits and avoid overwhelming your RFP with redundant questions.   
  • Allow for open responses: Give vendors room to explain their answers rather than forcing them into restrictive “yes/no” choices. 

Indicators of vendors with good security standards   

Asking the right security questions in a payment hub RFP is a crucial first step, but evaluating the vendor's responses is equally important. The assessment process will vary depending on your company's specific systems and needs. However, Brian suggests some universal indicators that most companies can use to make an initial judgment of a vendor's security posture. These early signs can help narrow down the vendors that align with your security requirements before you conduct a deeper evaluation.

  • Certifications: Vendors with certifications like ISO 27001 or SOC 2 Type 2 demonstrate strong security practices that are regularly audited. These certifications should suffice, and vendors may rely on them rather than providing lengthy answers or sharing internal policies.
  • Comprehensive answers: If a vendor lacks certifications, it should offer thorough explanations backed by policies and processes rather than simple "yes" or "no" answers.
  • Regular testing: Look for evidence of frequent penetration testing, vulnerability scanning, and continuous improvement in security practices.
  • Incident management: A well-documented and tested incident response process indicates that the vendor can handle potential security breaches promptly and efficiently.

Right security questions to the right payment hub solution vendors

When evaluating vendors in an RFP, asking the right security questions is crucial to ensure that your service provider meets your organization's standards. Every company has different security needs, depending on its size, industry, and specific concerns, and these factors should be carefully reflected in the security questions. By focusing on key areas like certifications, access control, incident response, and encryption, you can gain the assurance you need for a secure partnership. Keep your RFP process focused and efficient by relying on industry standards and certifications, and avoid overwhelming vendors with overly detailed questions that do not add value.

If you are considering how best to navigate the challenges of payment security, or need expert advice on setting up a payment hub that aligns with your business needs, exploring tailored solutions can provide the clarity you need. For further guidance or payment hub solutions, Nomentia is available to support you along the way. Feel free to contact our team to explore how we can support your needs.
