Cybersecurity: What to Look for When Outsourcing Transactional Documents Management

Keeping sensitive data safe is a growing priority in every industry, and is particularly important for businesses entrusted with large amounts of sensitive customer information.

( Bank of the West vault in downtown Los Altos, Calif. Photo credit: John McGehjee.)

Many insurance organizations, financial institutions, utilities, healthcare providers and other organizations that handle high volumes of private information have chosen to outsource their electronic document processing, billing and distribution solutions to a third-party provider.

The goal when outsourcing document processing is improved efficiencies. But recent large scale data breaches at high profile retailers, financial firms and other data driven organizations have focused heightened attention on the topic of data security. Keeping sensitive data safe is a growing priority in every industry, and is particularly important for businesses entrusted with large amounts of sensitive customer information.

In light of these security risks, how can you be certain that a third-party service provider is practicing operational excellence and ensuring security? Here are some things to consider.

Look for compliance with leading security standards

Any provider of print and electronic billing solutions should follow the industry standards that are essential for security compliance. The top three standards relevant to processing financial data are:

  • SSAE 16
  • PCI DSS 2.0
  • Sarbanes-Oxley (SOX)

It is important for third-party providers to demonstrate that they have adequate controls and safeguards when they process information and data belonging to customers. The following is a description of each of the important standards listed above:

  • SSAE 16 (Statement on Standards for Attestation Engagements No. 16) Attestation – SSAE 16 is a standard set by the American Institute of Certified Public Accountants (AICPA) and helps to ensure that the handling of all outsourced documents is in a secure, reliable and stable environment with tight process controls in place. Being SSAE 16 compliant offers reliable evidence of the following:

 ο   The service provider’s management has made a written assertion that provides a fairly presented description of the services provided by the service organization, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to its customers

ο   The control objectives were suitably designed (SSAE 16 Type 1) and operated effectively (SSAE 16 Type 2) during the dates/periods covered by the attestation

ο   The criteria used for making the assertions were in place (Type 1) and were consistently applied (Type 2)

A statement and billing output provider that provides an SSAE 16 assessment to its customers demonstrates that it is maintaining internal control over the data and systems it manages for them.

  • PCI DSS (Payment Card Industry Data Security Standard) Compliant – The PCI DSS is a globally instituted security standard for all merchants and service providers who accept credit card information. It is designed to keep customer payment card data secure and prevent payment cardholder data fraud.

Working with a provider that is PCI DSS compliant ensures that customer payment data is secured at the highest level and can eliminate the need for your organization to undertake the costly and time-consuming process of obtaining PCI DSS compliance itself.

  • Sarbanes-Oxley (SOX) – Any organization fully trained in SOX regulations ensures that its clients are compliant with all corporate accounting controls required by U.S. federal law.

Take security measures beyond the standards

Not all security precautions are enshrined in legislation or can be officially certified. At a minimum, as a high-volume biller, you should make sure that they—and the service provider they choose—have stringent internal security measures in place to protect customer data. Check on whether their production areas are locked and monitored at all times. Make sure all FTP servers are protected by a well-rated hardware firewall to eliminate unwanted intrusions. Additionally, all electronic payment options need to be encrypted and performed over a secure SSL internet connection.

Many of today’s electronic billing solution providers offer a number of additional security features including biller authentication and non-repudiation of bills. These measures help assure customers that their confidential information remains intact.

Finally, it is imperative that the company you choose to handle your sensitive information has a comprehensive disaster recovery program in place to safeguard against fire and other natural and environmental hazards.

Then stay vigilant

Protecting and ensuring security compliance and due diligence is a never-ending process. To avoid potential fines, loss of customers, bad publicity and legal action, make sure you have covered all your security bases and that all facets of your program are well executed and monitored by an independent third-party auditor who knows what to look for and can make useful suggestions for improvement.

Harry Stephens // Harry Stephens is President/CEO and founder of DATAMATX, one of the nation’s largest, privately held full-service providers of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations. He serves on the executive board of the Greater Atlanta Postal Customer Council, Major Mailers Association (MMA), PCC Advisory Committee (PCCAC), and the Board of the National Postal Policy Council (NPPC). He is a board member of The Imaging Network Group (INg), an association for Transactional and Direct Mail Marketing service bureaus. As an expert on high-volume print and mail, he has frequently been asked to speak to various USPS groups. You can contact Harry Stephens at  

Comments (2)

  1. Insurers need to ask themselves whether the provider has a world class capability in security. It is not enough to simply be proficient as many providers view security as a cost to be minimized. Compare their CISO and security professionals to that of best in breed technology providers and see what this uncovers.

Leave a Comment