Opening up your operation to APIs isn’t just limited to those involved in open banking or PSD2. Using APIs is an excellent way of delivering a seamless customer experience for any organization that needs to work with multiple partners. And in today’s ecosystem-driven economy, that has never been more important.
But just how do you make sure you open your business and data up to trustworthy partners? What levels of security should you expect? This can be a challenge because the decision to use APIs with certain partners is often not driven by the CIO or CTO; rather, it is a product or business-growth decision. The people making these choices may be customer experience, payments or fulfilment experts, not tech security professionals.
Working together internally
The first port of call is to create an internal working group made up of all the people involved in making API-partner decisions. This should include customer-focused executives such as marketing or customer experience; finance executives such as the CFO; data executives, in particular compliance officers; and finally, but crucially, the chief technologists in the organization.
This group needs to set out the goals the company expects to be met by APIs. There needs to be a framework outlining the challenges the company is likely to encounter (such as managing data compliance, above) and the standards the company expects partners to adhere to.
Markers of secure providers
The world of APIs, financial security online and data governance is constantly evolving and regulation is having to evolve with it. There are new standards appearing regularly and it can make it difficult for non-tech-based organizations to understand what reflects a ‘gold standard’ that will keep data and transactions safe both today and in the near future.
One of the starting points is cloud technology. Some have expressed nervousness about hosting sensitive information with an external provider. However, the fact is that cloud providers’ bread and butter is to create secure technology. Compare this to a non-technology company trying to build and manage its own resource in-house, and you can already see that the advantage of expertise lies with the cloud.
A tsunami of standards acronyms
The raft of legislation surrounding web services, financial information and data handling creates a shopping list made up of strings of letters, numbers and slashes that can prove, frankly, baffling. Currencycloud adheres to:
- ISO/IEC 27001:2013
- ISO 27001 Information Security Management Controls
- ISO 27018 Personal Data Protection
- PCI-DSS Level 1 Payment Card Standards
- SSAE16/SOC 1, SOC 2 and SOC 3
- FIPS United States Government Security Standards
And that’s just for starters. We operate on Amazon Web Services (AWS), which itself runs under a host of compliance programmes and data centre controls.
Finding the right path
The best way to understand if your API partner offers the levels of security your organization is comfortable with is to look at your own compliance standards and compare. Where do they match – or preferably exceed – your own standards? Do they host their own services on tried and tested platforms?
No system is bullet-proof but confidence is gained from partners who operate to the highest standards available, with the utmost transparency and for whom compliance is the starting point rather than a benchmark for excellence.