Is security a priority for your payment processor?

Barbara Cousins is the Chief Information Security Officer at Flywire.

Keeping your organization safe while protecting your customers is critical to your success. Security may even be your primary business concern, so it’s important to find out if your payment processor takes it as seriously as you do.

Payment processors can attain a number of certifications and reports to demonstrate their commitment to security—and they should be proud to share these with partners and clients to prove their ongoing obligation to keep your information safe. At minimum, I recommend asking your provider if they comply with the following regulatory standards:

SOC II Type 2

SOC II Type 2 (or SOC 2) evaluates the operational procedures and technical controls within a service organization that accesses, stores, and processes customer data. The assessment is based on strict information security policies and procedures that measure the organization’s ability to properly manage and protect the security, availability, processing, integrity, and confidentiality of customer data.

To be SOC-compliant, organizations must be audited by an independent certified public accountant who determines that the appropriate SOC safeguards and procedures are in place. Flywire’s SOC 2 reviews are conducted each year by an external third party, so our clients can be confident that our best-in-class safeguards and procedures are in place and operating effectively.


PCI DSS

For companies that accept, process, store, or transmit credit card information, the industry standard for assessing security controls is PCI DSS. In fact, PCI DSS is short for Payment Card Industry Data Security Standard. This certification was specifically designed to reduce credit card fraud by ensuring secure environments and increasing the controls around cardholder data.

At Flywire, we pride ourselves on maintaining a secure network to protect payers’ data against misuse of their personal information. Our PCI DSS review is conducted annually by a third-party auditor, so our clients have the peace of mind of knowing that our card transaction processing system is secure and regularly optimized.

EU–US Privacy Shield

EU–US Privacy Shield (commonly referred to as just Privacy Shield) is a framework designed to ensure that US-based companies adhere to the rules of the European Privacy Act when they do business with European entities. Specifically, the General Data Protection Regulation (GDPR) provides stipulations on how personal data can be exchanged for commercial purposes between the European Union and the United States.

The US Department of Commerce reviews Privacy Shield compliance for US-based companies, including Flywire. As a compliant organization, Flywire is able to seamlessly receive personal data from EU entities in a way that satisfies privacy laws that protect European Union citizens.

When you know where your provider stands on these regulatory standards, you can better understand how secure your own organization is. Avoid putting your business at risk by working with a payment processor whose top priority is to provide reliable, compliant systems and services.