The Importance of Security in Remittance Processing

As the President of Merkle Response Management Group, I lead the many facets of our business – from client satisfaction, product enhancements and new services, to sales presentations, business strategy, employee engagement and process improvement. No two days are ever alike. In my free time, I like to explore my creative side. I am a frustrated artist at heart who enjoys Plein Air landscape painting, and crafting wood furniture. I also enjoy tinkering on my restored VW ’66 bug.

Remittance processing requires the secure handling of money and data. At Merkle Response Management Group we process more than 40 million payment transactions annually. If you’re working with a vendor that provides these services, or taking a closer look at your own remittance processing measures, I’d like to share some best practices for you to consider based on our 32 years of experience.

Aside from particular actions we take, which I’ll explore in detail below, it’s important at the outset for companies to establish an operational framework for security with documented processes and procedures. At a minimum, companies involved in remittance processing should undergo an annual Statement on Standards for Attestation Engagements (SSAE16) audit to verify that required financial controls are in place. At Merkle RMG we go beyond that and have been certified since 2002 to the International Organization for Standards (ISO) 9001:2008 standard, which establishes the requirements of a quality management system. We are the only company of our type in the U.S. to be ISO certified, which requires that we follow documented processes that are verified through both internal and annual external audits.

Security starts with our employees. Using a third party firm, we conduct background checks on every person we are considering hiring. Once hired, we require all employees to go through an initial, and then annual, security awareness-training program led by our IT team. The training emphasizes the importance of security to our business, how we approach it, specific measures that we take, and each employee’s role in maintaining a secure work environment. 

We process over $35 million in cash annually, mostly for our nonprofits clients where donors will often make a donation by inserting money in a return envelope. Special procedures need to be followed for any cash that is received. Managers remove cash from the caging floor after it has been batched and exchange it with a cash receipt for the remainder of the processing to allow batch balancing and reconciliation of deposits. In our operation cash is stored in a vault in an area with added security until it is picked up by armored car for delivery to the bank.

One specific method we use to confirm that cash is being properly handled by employees is called tray seeding. Before trays of remittance envelopes are given to employees for processing, managers photocopy all of the contents. Once the worker has processed the tray, he or she will return it and the manager will make sure the contents match. We let employees know during the on-boarding process that we will be doing this, and as you’d expect, we do more tray seeding with new hires.

Physical security is critical, and we employ many specific measures to ensure that our facility is protected both externally and internally. In addition to burglary and fire alarms, Merkle RMG has 75 cameras that digitally record all activity both outside and inside the building 24/7/365. We also use a camera/buzzer-configuration for entry through our front door and people must be visually identified for admittance. Once inside, visitors are required to wear time sensitive badges and are escorted the entire time they remain in the building.

There is only one employee entrance and access is gained through photo ID access cards. The entrance leads directly into a locker room where employees are required to store their personal belongings including cell phones, jackets and purses. The only personal item allowed on the production floor is a small, clear plastic bag for items the employee might need. Employees can only access those parts of the building needed to perform their jobs.

With all the headlines about data security breaches that occur on a regular basis, no one needs to be reminded of how critical this area is in a company’s security plan. Internally, we perform penetration tests to make sure our network is secure. Our IT team also regularly conducts exercises to try to hack into our systems using specialized software to determine if there are any vulnerabilities that need to be addressed. We also post data for exchange with our clients and their other service partners using a secure File Transfer Protocol (FTP) site with PCG encryption for an added layer of security.

Special attention must be paid to securing and handling credit card information properly. The fines for violating Payment Card Industry Data Security Standards (PCI DSS) are significant. Even though it is not required, we decided to initiate and maintain compliance at the highest level (Tier 1) so our clients can be confident that the strictest standards are being followed in handling their donor and customer credit card information.

Original documents contained in batches are stored in a secure warehouse within our facility. For added security, a contractor that specializes in secure document destruction comes on-site weekly to shred and transport confidential documents for recycling.

Another safeguard we have is a secondary disaster recovery facility we can use if our primary site becomes non-operational. We can begin depositing funds there within 48 – 72 hours for minimum disruption, and the site has all of the security measures in place at our primary facility.

Maintaining comprehensive insurance is important in the event security issues occur in spite of your best efforts or for reasons beyond your control. One area that is not addressed in standard insurance policies is how you make a claim for funds that are destroyed before they can be processed. To cover our clients and ourselves in such an event, we purchase a special insurance policy that allows the use of historical deposit information to substantiate the claim.

These are some of the key areas we address and measures we’ve found to be effective in protecting the security of our remittance processing. What other approaches do you take in your own operations?