Ensuring Premium Payment Security: A Q & A with Flywire CTO David King

As Flywire continues to make inroads in the global insurance market, one of its strongest value propositions for global insurers is the extremely high level of payment security its platform and infrastructure provide. In this interview, we talk to Flywire CTO David King, a payment security pioneer and prominent influencer, about what global insurers need to be mindful of in payment security for 2024.

Tell us about Flywire and yourself:

I like to say I’m a CTO and a serial entrepreneur with a passion for the intersection of business and technology. I came to Flywire in 2018 with our purchase of OnPlan, where we built technology to advance affordability in higher education and healthcare. I have a deep background in payments security. I architected the first SaaS tuition billing system in the US and helped champion PCI compliance in the early days in 2004.

Flywire is a global, publicly traded payments provider that specializes in cross-border and complex domestic payment flows. At Flywire, we’ve long recognized that compliance is a huge part of innovation. Even though work toward building the types of mechanisms and controls into our platform and within our own company doesn’t always make headlines, we care much more that it’s the type of real innovation that keeps your business out of them – and protects your customers.

Global medical insurers face a growing threat from data breaches. What makes it such an attractive target for bad actors?

The healthcare market has what I often refer to as the “dirtiest” of all data. This includes personally identifiable information (PII), such as name, address, and date of birth, to name a few, protected health information (PHI), which is procedure-related information, and finally, financial information from the policyholder. In short, healthcare has all the data that a hacker would love to get their hands on – it is a “target rich” environment.

What steps can insurers take to reduce the scope of risk?

It is the coupling of the PII/PHI and financial data that makes these environments ripe for attack. The best thing that insurers can do is to take steps to reduce the amount of “toxic” data stored – and thereby reduce the scope of compliance. You’ll need to store PII/PHI, but you should move all financial-related data to a payment service provider. If you distribute this data, it makes it harder for the attacker to get a full financial profile to exploit on the dark web.
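The scope reduction described above (keep PII/PHI, but get card data off the insurer's own systems) starts with knowing where card numbers actually sit, including free-text fields such as call-centre notes. The following is an added example, not Flywire's code: it scans constructed policyholder records for Luhn-valid card numbers (the Luhn check is a standard card-number checksum that is not mentioned in the interview), reports which fields are in scope, and then replaces each number with a token from a stand-in payment service provider vault plus the last four digits. The record, the vault class and the token format are all assumptions made here for illustration; a real PSP issues its own opaque tokens.

```python
"""Find cardholder data lingering in insurer records and move it out of scope.

Added example (not Flywire code). The sample record, the PSP vault and the
token format are constructed for illustration only.
"""
import hashlib
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to another digit or hyphen on either side.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: every real card number passes, most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found anywhere in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def cardholder_data_fields(record: dict) -> dict[str, list[str]]:
    """Map each field holding card data to the PANs in it; an empty dict means out of scope."""
    in_scope = {}
    for field, value in record.items():
        if isinstance(value, str):
            pans = find_pans(value)
            if pans:
                in_scope[field] = pans
    return in_scope


class HypotheticalPspVault:
    """Stand-in for the payment service provider's vault (constructed for this example)."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # 12 hex chars can never form a 13-digit run, so a token is never mistaken for a PAN.
        token = "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:12]
        self._store[token] = pan            # the PAN now lives only on the PSP side
        return token

    def __len__(self) -> int:
        return len(self._store)


def descope_record(record: dict, vault: HypotheticalPspVault) -> dict:
    """Swap every Luhn-valid PAN for a PSP token plus masked last four; PII/PHI fields are untouched."""
    def swap(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):          # e.g. a 16-digit reference number: leave it alone
            return m.group()
        return f"{vault.tokenize(digits)} (****{digits[-4:]})"

    return {k: PAN_RE.sub(swap, v) if isinstance(v, str) else v for k, v in record.items()}


# Constructed sample record: PII and PHI the insurer must keep, plus card data it should not.
POLICYHOLDER_RECORD = {
    "policy_id": "POL-2024-000123",
    "name": "A. Policyholder",
    "dob": "1984-03-12",
    "phone": "+1 617 555 0100",
    "diagnosis_code": "J45.20",
    "card_number": "4111 1111 1111 1111",
    "csr_notes": "Paid by phone with card 5500-0000-0000-0004; ref 4111 1111 1111 1112",
}

if __name__ == "__main__":
    print("in scope before:", cardholder_data_fields(POLICYHOLDER_RECORD))
    vault = HypotheticalPspVault()
    clean = descope_record(POLICYHOLDER_RECORD, vault)
    print("in scope after: ", cardholder_data_fields(clean))
    print(clean["csr_notes"])
```

Run as-is to see the two card numbers flagged (one keyed into a dedicated field, one typed into notes during a phone payment) and the Luhn-invalid reference number left alone; after tokenization the same scan finds nothing, which is the state an insurer wants its own network to be in.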

What is the business impact for a global medical insurer of a data breach?

Customer attrition is a real issue for global medical insurers – and it’s the loss of customer trust that comes with an incident that poses a big risk. Ensuring a safe and secure payment environment is a really impactful way to drive customer retention. One of the benefits we have at Flywire is being able to look across several different industries for insights on customer loyalty and what’s important to the people behind the payments. For instance, for 70% of luxury travelers, security in paying for a trip is a major concern – and we know they factor the security of their payments into their choices.

There are significant changes coming to compliance in the form of card security this year. Can you talk about that?

Yes, there are major changes coming to PCI compliance in 2024 – the global standard that ensures a level of protection for cardholder data managed by merchants and service providers. The first version of the Payment Card Industry Data Security Standard (PCI DSS) came out in December 2004 – when industry leaders realized that it would be beneficial to have a single comprehensive standard – and nearly 20 years later, we have a significant update coming out to keep up with the sophistication of the threat landscape.

PCI v4 comes with major changes and raises the bar for compliance on behalf of global insurers in a real way. I detail these changes in depth here, but at a high level, it introduces several new requirements focused on increased security awareness, segmentation validation, remote access, incident response, and risk assessment.

Can you talk about how Flywire leads this standard?

Flywire, specifically myself and our CISO Barbara Cousins, is part of a small group of global companies that recommend, review, and provide guidance and input to emerging standards. This not only allows Flywire to impact payment security, but provides us early insight into the emerging standard so we can begin implementing the new security protocols ahead of time.

Can you give a simple checklist of steps global insurers can take to reduce risk when it comes to payment security?

First, take the time to understand the high bar that your vendors will be subject to when it comes to ensuring compliance with PCI v4, and ensure they meet it.

Related to PCI, consider how you will remain compliant/achieve compliance with regulations like PSD2 SCA without significantly impacting your customer experience.

Also, map your premium payment process. Is the process digitized end-to-end? Do you still accept checks? Where is there paper floating around? Is there a part of the process where payments are being taken over the phone? Remember, PCI compliance covers all pathways to payment. As long as the carrier or broker accepts a single credit card payment over the phone, in person, or online, it is responsible for protecting that information and maintaining compliance with network security standards.

What are mistakes insurers may make in ensuring PCI compliance?

Broadly speaking, do not pay too much to be in compliance, ignore the issue entirely or obey the letter of the law without following its spirit. The last way listed is known as “living for the audit.” Many companies treat PCI compliance as a point-in-time event to pass the audit. Security and PCI should be lived every day.

This is not only a best practice to ensure you remain secure, but it also helps organizations avoid the last-minute push to fix all of the security issues that lapsed since their last audit. The goal should be to take advantage of the most effective and most sophisticated forms of defense against data loss.

Also, remember that compliance doesn’t equal cybersecurity. While the steps to compliance will automatically build in security, compliance isn’t a direct substitute for cybersecurity practices. Ensuring that your organization is HIPAA compliant or PCI compliant does not mean that you’ve eliminated risk from your environment, only that you won’t be subject to additional fines.

The only way to maintain an environment that is risk-free is to take the steps to ensure that sensitive financial data never touches your network in the first place.

What other “acronyms” can insurers be on the lookout for to ensure their partner is up-to-date with the highest level of security standards?

PCI gets a lot of play, but there are other acronyms that you’ll want to look out for. For instance, SOC 2 Type II outlines the internal controls in place for a company that runs software in the cloud and indicates how strong they are in terms of protecting customer data. Flywire as a company regularly undergoes the highest levels of security and compliance testing, including SOC 2 Type II. Specifics on how data is encrypted will become more important as the cost and risk of a data breach continue to rise. We often get questions about how we use the Advanced Encryption Standard (AES). This is the encryption standard selected by the National Institute of Standards and Technology (NIST) for securing sensitive unclassified information, with an algorithm that encrypts 128-bit blocks of information using 128-, 192-, or 256-bit cryptographic keys.

One more to know is Nacha. Flywire is an affiliate member of the body that oversees ACH and which plays a critical and massive role in the U.S. by providing a secure and efficient electronic bank transfer process. ACH is the fastest growing payment method in the U.S. for both receiving and sending payments.

What should they look for in a payment provider?

Address security and compliance issues up front when selecting payment processing services. Insurers must ask the following questions:

  • Where are we entering policyholder card data?
  • Are we using P2PE for our policyholder card data transactions? If so, is our P2PE solution PCI-validated?
  • Are our CSRs keying policyholder card data into a third-party web service? Can that web service be integrated with a PCI-validated P2PE provider?
  • How do we implement our eCommerce payments? Does this method protect our policyholder card data?

Is there anything else you’d add about Flywire that makes you uniquely positioned to solve the toughest payment problems for global insurance carriers?

We provide global support for our customers and their customers around-the-clock and in their local languages. Flywire truly embraces the power of our FlyMates’ cultural differences and perspectives to create financial solutions. We have more than 1,200 employees and a number of global offices across the world who represent more than 40 nationalities and speak 35 different languages. Global diversity is a must-have to solve global challenges.

Welcome To iPMI Global

iPMI Global is the leading business intelligence provider for international private medical, health, travel and expatriate insurance markets worldwide. Due to the nomadic nature of the international private medical insurance (IPMI) market, iPMI Global is an internet based news service for worldwide insurance and medical assistance professionals who need to understand the impacts of insurance and healthcare policy, regulatory, and legislative developments.

Senior level business executives, in over 120 countries, rely on iPMI Global to stay 1 step ahead of the risk and on the inside track of international PMI.

Covering business travellers, high net worth individuals, expatriate and leisure travel markets, iPMI Global is the only international news source covering the most exciting sector of international health insurance: international private medical insurance.