Payvision asked Quint for help in gaining more control using the COBIT framework as a basis.
“You want to be compliant and manage risks but you don’t want to hinder anyone from doing their work properly. That is the real challenge.”
Matthias Jager, Process & Portfolio Manager
Payvision was established in Amsterdam in 2002. Every year, the company processes more than 100 million payment transactions. It processes transaction data and forms the link between a web shop’s bank, the customer’s bank and the credit card company. Payvision offers access to a network of licenses that makes it possible for a bank that subscribes to its services to make use of these licenses all over the world. The company is active in over 40 countries with offices in New York, Utah, Madrid, London, Singapore, Hong Kong, Macau, and Amsterdam. Recently, Payvision has been working hard on governance and control using the COBIT framework. We spoke about this with Matthias Jager, Process & Portfolio Manager at Payvision.
Matthias Jager has been working at Payvision since 2015. Soon after he arrived at the company, the decision was made to start working on the maturity level of the IT processes. “Over the past years, we have taken on a lot more IT staff,” Matthias Jager explains. “In addition, we are focusing strongly on product development based on agile collaboration which revolves around the Payvision Agile Framework.” Payvision’s IT can be described as multi-speed: “All matters that have to do with customer data have a different development speed because you have to deal with more checks and balances than is the case for less sensitive matters.” Payvision’s developers work in Madrid, while operations, security and risk management are based at its headquarters in Amsterdam. Despite this distance, the two groups work closely together in DevOps teams, the number of which is steadily growing at Payvision.
Christopher Martlew, CTO at Payvision, wanted to have more control of the company’s IT processes and information security and he therefore initiated the COBIT program. Quint Wellington Redwood was called on to help with the implementation. Together with Payvision, Quint’s first step was to draw up an inventory. Matthias Jager: “We requested a baseline measurement. We wanted to know exactly where we were, without spending too much time examining the starting point. A large number of procedures and policies had already been implemented but cohesion was sometimes lacking.” Moreover, as a payment processor, Payvision had in the past focused strongly on PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created jointly by several major credit card companies. It is designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI and COBIT overlap in part, so it was important to avoid duplicating work.
Matthias Jager continues: “On that basis, we started working on making monthly progress. Of course, we first harvested the low-hanging fruit.” This way of working made progress clearly visible for all stakeholders which helped keep people motivated. The approach adopted by Payvision and Quint suited Payvision well: working in sprints and determining every quarter, and subsequently every month, what controls needed to be addressed. A kanban board provided a good visual overview of the tasks of each team member and the progress they had made. In all this, Matthias Jager was the force linking the teams to one another and to the management.
Quint was responsible for transferring knowledge and later for providing coaching. Matthias Jager: “The organization needed to take on the responsibility for implementing the COBIT program and I can also see that it’s now slowly becoming embedded. Self-tests and control plans helped us to gain and maintain control.” In this regard, Quint’s consultants regularly met with the control owners, looked at where they were and if the processes were still in line with the tests. In this way, they helped the owners move forward. Matthias Jager: “It started out like a cutting that at first didn’t appear to have taken, but later began to grow fast. If you look at where we are today compared to last year, there’s a world of difference. We now have an Information Security Steering Committee that includes two board members. This means that the COBIT controls are managed centrally and they are discussed regularly. And that also has an impact within the organization because people can see that the subject is being taken seriously at the management level.”
Continuous improvement is an important aspect of COBIT and is also a priority item on Payvision’s agenda. Matthias Jager explains: “You want to be compliant but you don’t want to hinder anyone from doing their work properly. That’s why we tried to keep things ‘lightweight’ for people in their day-to-day activities. So, no filling out of lengthy forms but just placing a check mark whereby you, as the control owner, are accountable for what that check mark represents.” COBIT is therefore not a hindrance but instead slots perfectly into the DNA of Payvision as a company that sets great store by continuous improvement. Matthias Jager puts it like this: “It’s not efficient if you constantly develop new things but no one thinks about whether they are in line with the risk requirements. I believe that in practice they go hand in hand.”
According to Matthias Jager, Payvision has become much more future-proof thanks to the COBIT controls. “I expect that in the years ahead, even more attention will be paid to the processes we have already implemented. We have established something that is robust, something on which we can continue to build in the coming years. Our ambition is to become even more mature, including in the areas of IT risks and IT security.”
Matthias Jager is clear about the collaboration with Quint: “We needed help, we were lacking in knowledge and experience in certain areas. And Quint and Payvision are very similar in terms of culture. For assignments like this, you could choose a much larger service provider but would they be a good match? With Quint, there is also a match regarding approach: no nonsense and hands-on.” Payvision has therefore called on Quint for the period ahead. “We’ve laid the groundwork but there’s more to be done. We are now ready for the next level. Quint’s help is now also being requested from outside the IT organization. I believe we will be working together for quite some time to come.”