Data Security and the Role of PCI Certification
Victor Mikhailov
Despite increased awareness of and focus on data security across the financial services sector, the cost of data breaches continues to rise. IBM’s 2024 Cost of a Data Breach report found that the average cost of a breach in Financial Services had increased to more than US$6m. Alarmingly, almost half (46%) of breaches involved sensitive personal consumer data, including financial information and contact details (e.g. ID numbers, emails, phone numbers and home addresses). Beyond the direct cost of resolving the breach and the distress caused to affected consumers, data breaches also bring:
Reputational damage for the relevant financial institution (e.g. loss of consumer trust, brand erosion etc.)
Operational interruptions as executives and their teams work to identify and remedy the breaches, and
Exposure to regulatory consequences including increased scrutiny of policies and operational controls as well as regulatory fines (e.g. Caixabank was fined €5m in 2024 for GDPR breaches)
Regulatory fines are not confined to operations at the regulated entity itself. In 2023, Equifax was fined more than GBP11m by the UK FCA for failing to manage and monitor the security of UK consumer data that it had outsourced to its parent company in the US. This underscores the critical importance of robust data security measures in financial services, and of security at any supplier of data services to the sector: the regulated entity remains accountable for data it hands to a third party.
What are the principal data security standards for providers in the Financial Services sector?
Companies that provide Reporting & Data Processing services to the Financial Services industry, such as Cambrist, typically implement either PCI DSS Level 1 compliance (validated annually by a Qualified Security Assessor and evidenced by a Report on Compliance and an Attestation of Compliance) or ISO 27001 certification. These standards are designed to ensure that suppliers to the industry have implemented appropriate data security controls. In addition, they provide a key proof point for Fintechs, Banks & Payments businesses that their partners operate a secure environment and have had their controls independently assessed.
Yet, despite a number of similarities, the PCI and ISO standards have some key differences. First and foremost, PCI DSS is designed specifically for organizations that process, store, or transmit payment card data. Compliance is contractually mandatory (enforced by the card schemes through acquirers and processors) for any business that handles cardholder data such as the primary account number (PAN), cardholder name and expiration date, and the standard is highly prescriptive: it sets out specific controls (for example, PANs must be rendered unreadable wherever they are stored and masked when displayed) and sets fixed deadlines for compliance. Sensitive authentication data such as the CVV/CVC code falls under stricter rules still: it may not be stored after authorization at all, even in encrypted form. Furthermore, a company that has achieved PCI DSS Level 1 compliance has been assessed as able to receive, process and store full, unmasked cardholder data, which is exactly what the raw, unfiltered payment data files exchanged between partners contain.
In contrast, ISO 27001 is not specific to the payment card industry and is applicable to any organization that seeks to protect sensitive information of any kind. ISO 27001 is also less prescriptive than PCI DSS, because it takes a risk-based approach: the organization carries out its own risk assessment and selects and justifies controls (from Annex A) according to its specific needs and risk profile, rather than implementing a fixed list of requirements.
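The PCI DSS obligation described above, that PANs in raw payment files must be found and rendered unreadable or masked, is something a data-processing supplier has to verify in practice. The following is an added example (it is not Cambrist code and not part of the original article) of a simple scanner that detects candidate PANs in a text file using a Luhn check and masks them to the classic first-six/last-four display form. The file layout (`TXN|date|PAN|expiry|currency|amount|merchant`) and the card numbers are constructed sample data, not a real scheme clearing format; real clearing files would be parsed by their documented record layouts instead of a regular expression.

```python
import re

# Constructed sample of a raw clearing-style file. The layout is hypothetical and
# the PANs are the well-known Visa/Mastercard test numbers, not real cards.
SAMPLE_FILE = """\
TXN|2024-05-01|4111111111111111|0526|GBP|12.50|MERCHANT A
TXN|2024-05-01|5555555555554444|1127|EUR|80.00|MERCHANT B
TXN|2024-05-02|4111111111111112|0526|GBP|9.99|MERCHANT C
REF|ORDER-123456789012345|not a card number
"""

# Runs of 13-19 digits not adjacent to other digits: the PAN length range.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid 13-19 digit run in the text.

    The Luhn filter removes most random digit strings (dates, order IDs, amounts)
    but a non-card number can still pass it, so in production this would be
    tightened with known BIN ranges before treating a hit as cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((lineno, m.group(1)))
    return hits


def mask_pan(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Mask a PAN so only the first six and last four digits remain visible.

    First six / last four is the maximum PCI DSS v3.2.1 allowed to be displayed;
    PCI DSS v4 phrases it as BIN plus last four. Adjust keep_prefix accordingly.
    """
    hidden = len(pan) - keep_prefix - keep_suffix
    return pan[:keep_prefix] + "*" * hidden + pan[-keep_suffix:]


def mask_pans(text: str) -> str:
    """Return the text with every Luhn-valid candidate PAN masked in place."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(1),
        text,
    )


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_FILE):
        print(f"line {lineno}: unmasked PAN {mask_pan(pan)}")
    print(mask_pans(SAMPLE_FILE))
```

Run against the constructed sample, the scanner flags the two Luhn-valid test numbers on lines 1 and 2, ignores the number on line 3 (it fails the Luhn check) and the order reference on line 4, and the masked output is what a PCI-scoped system would be allowed to write to logs, dashboards or reports. A scan like this is useful as a detective control over exports, log files and non-production copies of data, which are the places where full PANs most often leak out of the assessed environment.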
Why did Cambrist choose PCI DSS Level 1 compliance and what does that mean for our Customers?
Cambrist has been built specifically for the card payments industry. Our deep knowledge of Issuing & Acquiring datasets separates us from other data and reconciliation solutions and means that we are built to receive raw payments data files (clearing) from both schemes and processors. Therefore, to protect the integrity and security of both the Cambrist platform and the security & compliance domains of our partners, we have achieved and maintained PCI DSS Level 1 compliance since Day 1 of our operations.
In fact, maintaining our PCI DSS compliance also protects our customers’ own PCI DSS compliance. PCI DSS requires an entity to perform due diligence on, hold written agreements with, and monitor at least annually the compliance status of every third-party service provider that stores, processes or transmits cardholder data on its behalf. A service provider that can present its own Attestation of Compliance satisfies that monitoring requirement directly, whereas one that cannot must have its controls reviewed as part of each customer’s own assessment. In effect, each party’s validated environment forms a “security zone”, minimizing weak links in the service chain.
Why use Cambrist to automate your management of Clearing, Settlement & Invoice data?
Cambrist is one of the few data management companies that specialize in Issuing and Acquiring datasets. Our data platform supports seamless data sharing via either API or SFTP and offers powerful features and flexibility to simplify the management of your payments data.
The platform extracts key information from the relevant files and gives our customers immediate access to itemized datasets, allocated according to the customer’s pre-defined criteria and groupings. This is available via our online, interactive dashboard and via machine-readable reports as required, enabling our customers to:
Run Payments Operations/Treasury activities to meet Scheme Settlement Obligations and Timelines
Invoice card programs faster for settlement funds / service fees
Reduce manual errors in performing the above tasks
Reduce costs in managing transaction data
For more information, visit www.cambrist.com. Cambrist is an award-winning technology company enabling payment card issuers & processors to simplify and manage payments data within their card programmes. Our platform enables Finance, Operations and Product teams in Banks and Fintechs to gain more insight from their payment card programme data and create new, reliable sources of income. Our services automate reconciliation and reporting processes, provide better management insights (MIS), ensure compliance with payment regulations and optimize card scheme settlement.