Payment security is not very exciting. Our product team can probably tell you that, because they spend a lot of time working on it. So why do they bother?
Well, when it comes to security in our school payments products (SchoolMoney and WisePay), we take our work extremely seriously. Schools and parents are trusting us every day to handle their money and their personal data, and we don’t take that lightly.
We spoke to Phil Tweddle, Senior Product Owner at VenturEd Solutions UK, about the ongoing security work he oversees on both SchoolMoney and WisePay.
“We need to safeguard our schools and parents from the start of their payment journey right through to the end, with the highest possible standards at all levels. We take this incredibly seriously because, at the end of the day, it’s people’s money.”
Why does compliance matter to us?
One of our top security concerns is maintaining our Level 1 PCI compliance. We’ve invested a significant amount of development time to achieve this high standard, but what does that mean to our customers?
“We go through the criteria line-by-line so that you don’t have to, as a customer,” Phil explains. “There is no grey area with PCI compliance, you either meet the criteria or you don’t. We have the certification to prove that we’ve met all of those requirements, because we want people to feel safe knowing that their details are protected.”
What data are we actually talking about?
Our role in the payment journey determines what security measures we have to have in place. SchoolMoney and WisePay are connected to payment gateways, and we work closely with these third parties to keep everything up-to-date.
An important note here is that we do not store certain sensitive details, such as your PAN (better known as the “long card number”). This stays with the payment gateway, anonymised and encrypted so nobody can access it. Our ongoing security work helps ensure that each part of this chain, from the school to the end user, is completely protected.
The never-ending review process
“Bad actors” are getting cleverer all the time, so security requirements are constantly evolving and becoming stricter. To stay ahead, we proactively review our security measures all the time. Scans, independent auditing and penetration testing are all part of our regular testing routine.
This means we spend a lot of time working behind-the-scenes on things you’ll never see, like encryption methods, APIs and infrastructure changes. Some updates are more visible, like changes to password policies that might require you to update your password. Either way, it’s all worthwhile to protect you and your data.
“We understand that we need to make room for this work,” says Phil. “We’re always working on new features and other improvements, but nothing is more important than security.”
Making payment security less stressful (and less boring)
The point we’re making here is that security matters, and everyone involved in the process has a role to play. But that doesn’t mean schools or parents should be spending their time worrying about the safety of their funds or their private data.
“We’re seeing a lot more awareness among our customers of PCI compliance, and getting more questions about it,” Phil adds. “Even if the individual changes we’re making aren’t that exciting to talk about, we’re really committed to making sure people are looked after.”
In the end, security isn’t something you should have to worry about – that’s our job. We want every parent and school administrator to have peace of mind when using our payments solutions. Security might be “boring”, but we’re proud to make it a priority.