When I was 16, I had my first experience building a bank. I had taken a job in the construction industry, where I learned that every new bank project begins with the vault. First, you build the vault, and then you construct the rest of the bank around the vault. Today my building happens on the technology side, but the concept is the same: you always start with the vault.
At Synctera, our Hardware Security Module (HSM) encryption vault is the foundation on which we build our security layers to protect our business and our customers from cyber threats and ensure compliance with SOC 2, PCI DSS, and other security standards.
This article describes the unique security approach we take with our systems, controls, and processes and demonstrates how we meet and exceed recognized security standards without creating friction in our day-to-day operations.
Modern security for a modern FinTech service
Because Synctera is a brand new technology platform, we had the luxury of building our systems, controls, and processes from the ground up. Unlike traditional financial services organizations encumbered by legacy choices, we understood how security and certifications work and were able to design and create our systems from inception – we had the destination in mind from the beginning.
Today, traditional banks have the map and destination in mind, but the path ahead is tough. Years of stacking new technologies on top of legacy systems have left them with complex technology infrastructure and a greater surface area that could be exploited by attackers.
Conversely, Synctera runs a completely serverless service landscape. We built our multi-tenancy and authorization concepts into that landscape and developed an API gateway that enforces security for entry. Having less “stuff” means we have less surface area for attack, eliminating many potential vulnerabilities.
Because Synctera has been security-minded from the outset, our security reviews and audits have been relatively straightforward.
In fact, as our acting Chief Information Security Officer, I often find myself working closely with the auditors to educate them on our modern approaches to security problem-solving. It's an opportunity for us to show off our work and how we think about securing modern FinTech stacks.
For example, auditors are used to asking questions like, “How do you secure your data center?” or, “Do you have locks on the door?” For Synctera, these questions simply don’t apply as we actually don't have any physical space anywhere. All our services and data are in the cloud.
As such, our approach to PCI DSS and SOC 2 compliance has been different from traditional financial institutions.
How we approach PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of specific security standards that were established in 2006 by the Payment Card Industry Security Standards Council (PCI SSC), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).
The security standards were designed to ensure companies that accept, process, store, or transmit credit card information maintain a secure environment and focus on improving payment account security throughout the transaction process.
Synctera completed the PCI DSS Self-Assessment Questionnaire D (SAQ D), which is the most comprehensive of the PCI DSS SAQs and encompasses the full set of over 200 requirements covering the entirety of the PCI DSS. It covers our card integrations, how we handle cardholder data, and what we do with the data, and it also audits our implementation, policies, procedures, and operating guides.
How Synctera complies with PCI DSS:
- The Synctera application is maintained in a segmented serverless environment.
- Through an API integration, cardholders connect to an information system protected by firewalls, intrusion detection systems, and other security monitoring tools and processes.
- Secure protocols such as Transport Layer Security (TLS) and HTTPS facilitate client connections to their data.
- When stored, primary account numbers (PAN) are rendered unreadable through AES-256 encryption.
- Endpoint protection and scanning are used to verify IP integrity.
- Access to cardholder data in databases is strictly limited and regulated through the use of role-based access control.
Compliance with PCI DSS is reviewed annually at a minimum. It is also reviewed any time we have a material change to our architecture (e.g. adding another partner integration triggers a compliance review).
How we approach SOC 2
Unlike PCI DSS, which has more specific requirements, SOC 2 is unique to each organization. System and Organization Control (SOC) frameworks were developed by the American Institute of CPAs (AICPA). SOC 2 defines information security criteria for technology companies that manage customer data. It is based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
How Synctera complies with SOC 2:
Synctera designed its own systems, processes, and controls keeping the relevant trust service principles top of mind. These systems, processes, and controls are then audited by third-party auditors who assess the extent to which we comply with the principles.
Synctera achieved SOC 2 Type I, which proved our systems, processes, and controls met the relevant trust principles at the time of the initial audit. More importantly, we achieved SOC 2 Type II, which proves the operational effectiveness of those same systems, processes, and controls over an extended period of time.
Going beyond compliance
Certifications and reviews are great if our only threat is our auditors. In reality, cybersecurity threats require us to go above and beyond the minimum compliance requirements.
Beyond a security posture shaped with the audit process in mind, we run specific technical controls, such as regular penetration tests and intrusion detection across all our surface areas, that validate our defenses in practice rather than on paper.
One area that we’ve excelled at is system access controls; many new technology startups are really good at the technical aspects of security but fall over on controls and processes. Synctera has developed a way to make these controls and processes work for startups by:
- Simplifying security for our stakeholders
- Balancing employee experience with security
- Exceeding industry standards
Simplifying security for our stakeholders
As an intermediary layer between banks and FinTechs, Synctera can help simplify security for our partners. For example, our mature security posture means that certain things can be tokenized on the FinTech side. There's no reason for a FinTech to store a credit card number in its own system: we store the number in our vault and issue a token for it, and the FinTech uses that identifier in place of the actual card number.
The same is true for social security numbers or any personally identifiable information (PII). This is a win-win for the FinTechs, who don’t want the responsibility, risks, audits, or costs associated with storing this data.
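As an added example (not Synctera's code, and not a description of how its vault is built), the following Go program shows the pattern the two passages above describe: the primary account number is encrypted with AES-256-GCM before it is stored, and the caller gets back an opaque token to use in its place, plus a display-safe last-four view. The key here is generated in memory purely for the demonstration; in a real deployment it would be held by the HSM, and the record store would be a database rather than a map. The `Vault`, `Tokenize`, `Detokenize` and `LastFour` names and the test PAN are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// record is what the vault persists per token: the GCM nonce, the ciphertext
// (GCM appends its authentication tag) and the display-safe last four digits.
type record struct {
	nonce, ciphertext []byte
	lastFour          string
}

// Vault encrypts PANs with AES-256-GCM and hands out opaque tokens in their place.
// Constructed for this example: a production vault keeps the key in an HSM and
// the records in a database, not an in-process map.
type Vault struct {
	aead    cipher.AEAD
	mu      sync.Mutex
	records map[string]record // token -> encrypted record
}

// NewVault requires a 32-byte key, i.e. AES-256.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: make(map[string]record)}, nil
}

// Tokenize encrypts the PAN under a fresh nonce and returns a random token that
// reveals nothing about the card number. The token is bound in as GCM additional
// data, so a record copied under a different token fails to decrypt.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("invalid PAN length")
	}
	buf := make([]byte, v.aead.NonceSize()+16) // nonce followed by 16 token bytes
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := buf[:v.aead.NonceSize()]
	token := "tok_" + hex.EncodeToString(buf[v.aead.NonceSize():])
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.mu.Lock()
	defer v.mu.Unlock()
	v.records[token] = record{nonce: nonce, ciphertext: ct, lastFour: pan[len(pan)-4:]}
	return token, nil
}

// Detokenize recovers the PAN; only the component that truly needs it should call it.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	rec, ok := v.records[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(token))
	if err != nil {
		return "", err // tampered or mis-keyed record
	}
	return string(pt), nil
}

// LastFour is the view a FinTech can show its users without ever holding the PAN.
func (v *Vault) LastFour(token string) (string, bool) {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.records[token]
	return rec.lastFour, ok
}

func main() {
	key := make([]byte, 32) // demo key; production would use the HSM-held key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN
	lf, _ := v.LastFour(tok)
	pan, _ := v.Detokenize(tok)
	fmt.Printf("token %s shows ****%s; vault recovers %s\n", tok, lf, pan)
}
```

The point of binding the token into the GCM additional data is that the ciphertext and the token become a unit: a record re-labelled under another token, or a ciphertext swapped between records, fails authentication instead of silently decrypting to the wrong card.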
Synctera has the certification to prove that this data is being stored properly, so banks and FinTech partners alike can trust us as a secure third party in their communications with each other.
Balancing employee experience with security
When it comes to establishing compliant security protocols, it is important to consider how these new rules affect how a company operates. For example, access control is a must-have, but it can be difficult to implement effectively without causing friction for employees working on the products. Said differently: if your company’s access controls and processes make life hell for software engineers, employee productivity and morale will suffer.
Our solution? At Synctera, we've taken identity management, added role-based access control, and combined it all with a zero-trust concept. This means our services grant nothing on the basis of where a request sits on the network or which service it claims to come from. Our controls check two things: your ID and a token that indicates what you're allowed to do. Then they double-check it to ensure everything is encrypted properly.
In a typical scenario, identity management, role-based access controls, and a zero-trust services environment would make it pretty hard for engineers to do their job effectively. However, we’ve wrapped our services with an in-house developed tool, Synctera Command, to embed the identity and authorization concepts, and all the role-based and tenancy management, so that it doesn’t negatively affect an engineer’s experience.
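As an added example (not Synctera Command or any Synctera code), here is one way the service-side check described above can be implemented in Go: on every call, regardless of where it came from on the network, the service checks the transport is encrypted, verifies a signed token, confirms the token was issued to the identity the caller asserts and to the tenant whose data is being touched, and then consults a role-to-action policy. The HMAC key, the `policy` table, and the `Request` and `Claims` types are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims in the capability token: caller identity, tenant scope, role, expiry (Unix seconds).
type Claims struct {
	Subject string `json:"sub"`
	Tenant  string `json:"tenant"`
	Role    string `json:"role"`
	Expiry  int64  `json:"exp"`
}

// Request is what the service sees; where on the network it came from is deliberately absent.
type Request struct {
	CallerID string // identity the caller asserts
	Token    string // capability token issued to that identity
	Tenant   string // tenant whose data the call touches
	Action   string // e.g. "accounts:read"
	OverTLS  bool   // whether the connection was encrypted
}

// policy maps a role to the actions it may perform (constructed for this example).
var policy = map[string]map[string]bool{
	"ops":   {"accounts:read": true, "cards:read": true},
	"admin": {"accounts:read": true, "accounts:write": true, "cards:read": true, "cards:write": true},
}

// MintToken signs the claims with HMAC-SHA256; the token is base64url(payload).base64url(mac).
func MintToken(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// verifyToken checks the MAC in constant time before trusting the payload, then the expiry.
func verifyToken(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return Claims{}, errors.New("malformed token encoding")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if now.Unix() >= c.Expiry {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Authorize applies the same checks to every request: TLS, a valid token bound to this caller and tenant, a permitting role.
func Authorize(key []byte, r Request, now time.Time) error {
	if !r.OverTLS {
		return errors.New("request was not sent over TLS")
	}
	c, err := verifyToken(key, r.Token, now)
	if err != nil {
		return err
	}
	if c.Subject != r.CallerID || c.Tenant != r.Tenant {
		return errors.New("token was not issued to this caller for this tenant")
	}
	if !policy[c.Role][r.Action] {
		return fmt.Errorf("role %q is not permitted to %s", c.Role, r.Action)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // production: a secret held by the gateway
	tok, _ := MintToken(key, Claims{Subject: "alice", Tenant: "bank-a", Role: "ops", Expiry: time.Now().Add(10 * time.Minute).Unix()})
	req := Request{CallerID: "alice", Token: tok, Tenant: "bank-a", Action: "accounts:write", OverTLS: true}
	fmt.Println("ops writing accounts ->", Authorize(key, req, time.Now()))
}
```

The order of checks matters: the signature is verified before any field of the payload is read, so a forged or altered token is rejected before its claims can influence anything, and the tenant comparison is what turns a valid token for one partner into a denial when it is presented against another partner's data.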
Exceeding industry standards
Our stakeholders—the banks and FinTechs we support—are highly security conscious so we often get asked about our security processes during sales discussions. As eager as I am to talk at length about our security controls, how we've configured the vault, and how our application architecture works, most banks and FinTechs just want to know that we’re audited by third parties and have achieved and maintained our security standards. Third-party certification gives them confidence that we truly are secure.
However, if all you are thinking about when it comes to security is certifications and reviews, you may miss the bigger picture: the ever-evolving cybersecurity threat landscape. Synctera goes far beyond the expectations of our auditors as we are laser-focused on keeping the bad actors out.
Some of the things we're doing are leading-edge. Auditors and other banking industry insiders have been really impressed with Synctera’s progress on information security and compliance to date—and with the velocity of our security processes. We try to take a pragmatic approach, creating new security solutions that can be quickly embedded into a tech stack when it makes sense, and always optimizing for the most secure outcome balanced against usability.
We intend to continue leading the way when it comes to FinTech security so our partners and their customers are completely secure when they are interacting with us.
To get a better understanding of how Synctera fits into a banking tech stack, check out how Coastal Community Bank partnered with us to streamline compliance and regulatory processes.