Back

FinTech leader conducts faster, easier access reviews for PCI DSS and ISO 27001

Industry

Financial Services

Headquarters

Santa Clara, CA

Veza at PayNearMe

Benefits

  • Faster and accurate data security reviews
  • Understand and manage authorization to critical data stores within AWS

Challenges

  • Keeping track of evolving data access permissions and IAM policies in AWS
  • Time-consuming, manual and error-prone reviews in prep for compliance audits

Key Features

  • Authorization Graph
  • Rules and Alerts
  • Insights
  • User Access Reviews
  • Privileged Access Reviews
  • Cloud Entitlement Reviews

Leveraging Elevated Observability of Access Permissions to Quickly Identify Policy Violations

PayNearMe enables customers to make real-time payments to more than 27,000 businesses, utilities, and municipalities nationwide. The payment experience network processes billions of dollars annually through a variety of payment channels, including credit and debit cards, ACH, cash, online portals, and mobile wallets. At its launch, the company processed payments through servers housed in co-located server farms. In 2009, as the cloud became more reliable, secure, and widely adopted, it migrated to AWS. “We’ve been working on a cloud-native approach since then, and Veza has really helped us take advantage of cloud architecture in a safe manner,” says Sean Todd, PayNearMe’s CISO.

PayNearMe strives to use the most secure and reliable technologies to tackle the biggest challenges in payments, one of which is securing the massive amounts of sensitive data it processes for bill-payers and the recipients of their payments. “Data is critical to our business,” says Todd. “We take the trust that merchants put in us very seriously when they give us their data, so security is a top priority.”

Stringent security and compliance requirements

As a regulated money transmitter and PCI DSS (Payment Card Industry
Data Security Standard) certified company, PayNearMe needs to follow strict regulations and ISO 27001 standards regarding the segregation and protection of resources. In addition, some of their larger clients impose proprietary security requirements. All of which requires lots of audits and access reviews.

As a payments company we need to audit our data asset inventories and access activities, both quarterly and annually. Veza lets us do it in a very timely and accurate manner.

Scott “Ziggy” Brode || Data Security Engineer, PayNearMe

Elevating observability

PayNearMe’s first objective was to get a handle on data security within AWS and streamline the access review processes. The key to controlling and protecting sensitive data is to have observability over data resources and access to them, including their associated permissions, all of which was lacking prior to PayNearMe’s engagement with Veza.

The painstaking process was time-consuming, expensive, and error prone.

We couldn’t keep up with review cycles, and couldn’t be sure who should have access to what resources at any given time. Veza allows us to do a review in real-time, so if access to critical resources changes, we’re able to respond much faster than before.

Sean Todd || CISO, PayNearMe

Key Integrations

Policy violation insights mean faster, more accurate security reviews and audits

PayNearMe is using Veza to verify and enforce the principle of least privilege access within its AWS infrastructure. Instead of having to look at each IAM setting to understand specific permissions, Veza’s resource-centric reviews enable the company to globally monitor who has authorized access to critical data sources and how they can interact with them, all through a single pane of glass. “Veza’s connected graph visualization gives us a clear view of how a user might be accessing a resource. We can pinpoint and fix problems to remove any instances of inappropriate permissions,” observes Todd.

Brode notes that his team can now conduct data security reviews and audits quickly, more accurately, and with less need for human intervention. That’s because Veza provides pre-configured assessment templates that address entitlements, privileged access, misconfigurations, and other areas that might impact data security. By enabling his team to certify that the necessary controls are in place for their data stores, using Veza has led to a vast improvement in PayNearMe’s compliance efforts.

Data access reviews that used to take upwards of a week can now be done within minutes, which means we can do them much more frequently.

Scott “Ziggy” Brode || Data Security Engineer, PayNearMe

What’s next?

“Veza helped us roll out the implementation, which only took just a day or so. Since then they’ve worked closely with us to ensure that our use cases are taken into account,” says Todd. Next up, the company is looking forward to using Veza as it expands its dynamic AWS infrastructure. Plans include adding a container-based architecture that will vastly increase the number of resources in its infrastructure. In the next phase, Brode and Todd are also looking to integrate Veza into the internal processes of its entire federated IAM environment to ensure that the insights Veza delivers are acted upon in order to keep the company always in compliance. “I sleep better knowing there’s an automated tool watching our systems. If one of our engineers makes a change in the middle of the night, I know I’ll have an alert waiting for me in the morning,” said Todd.

About PayNearMe
PayNearMe is the industry’s only platform that facilitates cash, debit, credit, ACH and mobile-first payments, including Apple Pay and Google Pay, for thousands of businesses and government agencies nationwide. With its great mobile experience, PayNearMe’s technology provides a simple way for businesses to collect payments through an intuitive, consistent experience for their customers. In addition, payment reminders and mobile wallet integration drive more on-time payments.