Secure Payment Processing for Government Agencies
Among credit card processing systems for government agencies, LexisNexis Payment Solutions maintains the gold standard in reliable and secure payment processing across all solutions to ensure the safety of customer data. As part of LexisNexis VitalChek Network, the Payment Solutions service is certified Level 1 PCI Compliant under the Payment Card Industry (PCI) Data Security Standard, which is supported by all of the major credit card companies (MasterCard, Visa, American Express and Discover), and abides by their rules for the collection and processing of credit card information.
To ensure secure payment processing, LexisNexis Payment Solutions utilizes SSL services to encrypt (via 256-bit encryption over HTTPS transmissions) all private information, including credit card number, name, and e-mail address, so that it cannot be read as the information travels over the Internet.
Payments originating from all payment channels are held in the Payment Solutions secure web-based system. All data resides in databases in a secure environment, and all sensitive data is encrypted utilizing encryption algorithms within the databases and masked on display.
To maintain compliance, we undergo several internal and external security audits per year, including PCI Level 1 Certification, which fewer than 1000 companies in the United States possess. All developers complete the required “Fundamentals of Development,” which is a PCI requirement.
As a PCI DSS Level 1 Service Provider since 2009, Payment Solutions possesses vast expertise in PCI DSS requirements, both in relation to Merchants and Service Providers. In addition to technical staff trained in PCI DSS technical requirements, we have senior staff members who are responsible for overall data and system security, including PCI DSS requirements.
- All sensitive payment and cardholder personal data is stored and transmitted in an encrypted format, compliant with PCI and FTC standards
- All equipment provided for credit card processing systems for government agencies is PCI compliant
- Annual on-site audits are conducted at Payment Solutions by a qualified security assessor
- Contractual agreements with our compliance auditor require quarterly vulnerability scans to maintain certification
- Ongoing LexisNexis internal audits, monitoring of alerts, intrusion detection, etc.
- Payment Solutions follows Visa U.S.A. Payment Application Best Practices (PABP)
The requirements for the PABP are derived from the Payment Card Industry Data Security Standard (PCI DSS) and the PCI DSS Security Audit Procedures. These documents, which can be found at www.pcisecuritystandards.org, detail what is required to be PCI DSS compliant (and therefore what a payment application must support to facilitate an application user’s PCI DSS compliance) and should be used as a reference for the PCI DSS and supporting documentation.
Secure payment processing applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches.
Payment Solutions Security Policies
LexisNexis Payment Solutions has a team of individuals dedicated to internal incident response. The Internal Computer Incident Response Team (ICIRT) has outlined procedures in an effort to ensure that LexisNexis employees respond rapidly to computer security incidents. Some of the incidents tracked include network intrusion, malicious code attack, etc.
LexisNexis has strict policies, standards and guidelines in place throughout the organization that govern data access, protection, transport, restriction, retention, deletion, notification and classification.
LexisNexis monitors security threats from a wide range of sources on a daily basis. Each of these threats is assessed and categorized according to the level of risk and the effective mitigation already in place within the existing infrastructure. The LexisNexis standard is that computers and networks storing and processing Company information must be protected, at a minimum, with a set of baseline security controls to reduce the risk of unauthorized or unintentional breaches of security. Baseline controls are determined by review and adoption of commercially accepted standards in the field of information security, and by the application of the standard of due diligence in the area of computer, network, and information asset protection. Standard LexisNexis system security plans include coverage of how system and data integrity is monitored, sensitive data access controls and storage standards, issue tracking, training, and business continuity.
LexisNexis Security Policies
LexisNexis information security programs comply with industry-accepted technical, procedural, and security requirements and controls. The breadth and depth of LexisNexis practices encompass computer, communications, personnel, physical, procedural, and training considerations – including, but not limited to:
- A risk mitigation framework based on industry standards for information security (ISO 27002), privacy (AICPA/CICA), and proprietary customer credentialing criteria
- The use of administrative, physical, and technical safeguards as well as numerous internal controls to protect and prevent unauthorized access to sensitive information
- Strict policies, standards and guidelines in place throughout LexisNexis that govern data access, protection, transport, restriction, retention, deletion, and classification
- Annual vulnerability and penetration assessments/tests and audits by independent third parties to validate the effectiveness of LexisNexis security controls
- An Information Assurance and Data Protection Organization (IADPO) that continually evaluates LexisNexis policies and procedures with regard to customer credentialing and the internal controls governing our information security program
- Annual security and privacy training for all LexisNexis employees