ISO 27001 Certification for a Payment Service Provider
A licensed payment service provider (PSP) operating across the EU needed ISO 27001 certification to satisfy regulatory requirements from the National Bank, win enterprise merchant contracts, and establish trust with acquiring bank partners.
The Challenge
The PSP processed electronic payments for 400+ merchants — handling card-not-present transactions, mobile wallet integrations, and direct bank transfers. With 120+ employees across 4 offices, they operated a complex IT environment: AWS-hosted payment gateway, on-premises settlement systems, a mobile SDK used by merchant apps, and integrations with 6 acquiring banks.
The National Bank had introduced mandatory information security management requirements for all licensed payment institutions, with ISO 27001 as the accepted benchmark. Several large enterprise merchants had also started requiring ISO 27001 as a condition for contract renewal. The company had 8 months before the regulatory deadline.
Their existing security posture was ad hoc — a firewall, endpoint antivirus, and an IT team that handled security reactively. No documented policies, no risk register, no formal incident response process, and no centralized asset inventory.
Our Approach
We provided end-to-end ISO 27001 implementation consulting, with a senior consultant embedded part-time as the project lead, working with their CTO and newly appointed Information Security Officer:
- 1. Scoping & Gap Analysis (Weeks 1-3) — Defined the ISMS scope covering all payment processing operations, conducted a gap assessment against ISO 27001:2022 Annex A controls, and identified 73 gaps requiring remediation. Prioritized findings by risk and regulatory impact.
- 2. Risk Assessment & Treatment (Weeks 3-6) — Established the risk management methodology using a quantitative approach tailored to payment industry threats. Identified 45 risks, produced risk treatment plans, and defined the Statement of Applicability covering all 93 Annex A controls.
- 3. Documentation & Policy Framework (Weeks 4-10) — Developed 28 policies and 20 procedures covering information security governance, access control, cryptography, physical security, supplier management, business continuity, and incident management. All documents were practical and aligned with how the company actually operated.
- 4. Technical Controls Implementation (Weeks 6-18) — Deployed SIEM for centralized log monitoring, implemented privileged access management, established vulnerability management with regular scanning and patching cadence, configured DLP controls for cardholder and personal data, and set up encrypted backup and disaster recovery testing.
- 5. Training, Internal Audit & Certification (Weeks 18-24) — Conducted security awareness training for all 120+ employees, performed a full internal audit, addressed 8 minor findings, and supported the Stage 1 and Stage 2 certification audits with the external certification body.
Key Challenges Solved
The distributed workforce was the primary challenge. With 4 offices and a growing remote team, physical security controls, asset management, and access control needed to work consistently across all locations. We implemented a cloud-first approach to security tooling — centralized MDM for laptops, identity provider with SSO and MFA for all systems, and a unified asset inventory that auto-discovered devices across all networks.
Supplier management was complex. The PSP depended on 6 acquiring banks, 3 card scheme processors, and 12+ technology vendors. We established a supplier risk assessment framework with tiered due diligence — critical suppliers (acquiring banks, cloud providers) received full security questionnaires, while lower-risk vendors were assessed through contractual controls and periodic review.
Business continuity planning required careful coordination with acquiring banks. We designed and tested failover procedures for the payment gateway, established RPO/RTO targets aligned with card network requirements, and conducted a tabletop exercise simulating a ransomware scenario that tested both technical recovery and communication procedures.
Outcome
The company achieved ISO 27001:2022 certification in 6 months — 2 months ahead of the regulatory deadline — with zero major nonconformities. The Stage 2 auditor specifically commended the risk assessment methodology and the practical, well-integrated nature of the ISMS.
The certification directly enabled 3 enterprise merchant contract renewals that had been at risk and opened negotiations with 2 new acquiring bank partners who required ISO 27001 as a minimum. The company's Information Security Officer now manages the ISMS independently using the frameworks and tooling we established, with our team providing quarterly advisory support.