Leaders In Payments

Special Series: The Trust Advantage with David Edwards, SVP Information Security at Payroc | Episode 472

Greg Myers Season 7 Episode 472


What does it actually take to secure a payments company in an era of sophisticated, well-funded cybercriminals? In this first episode of The Trust Advantage Series, brought to you by Payroc, host Greg Myers sits down with David Edwards, Payroc's Senior Vice President of Information Security, for a candid and eye-opening conversation about modern cybersecurity in the payments industry.

With 30 years in technology — spanning private banking, retail, and payments — David brings hard-won perspective to the questions keeping payments executives up at night. Sparked by a real-world ransomware attack on a payments company, this episode cuts through the compliance checkbox mentality to explore what genuine, operational security actually looks like.

David and Greg cover a wide range of critical topics: why passing audits doesn't equal being secure, how AI has radically changed the phishing threat landscape, the three pillars of identity and vulnerability management, and why resilience — not prevention — is the new gold standard. David also breaks down Payroc's layered approach to ransomware defense, how the company integrates acquired platforms without creating security gaps, and the right questions ISVs, ISOs, banks, and merchants should be asking their payment partners.

Whether you're a developer, a risk officer, or a business owner processing transactions, this episode delivers a masterclass in why security isn't just an IT issue — it's everyone's job.

Why Trust Powers Payments

SPEAKER_00

The strongest partnerships in payments are built on trust. When trust is there, it creates differentiation, fuels growth, and leads to better outcomes for partners and merchants. Welcome to the Trust Advantage Podcast series brought to you by Payroc.

Meet Payroc And David Edwards

SPEAKER_01

Hello, everyone, and welcome to the Leaders in Payments Podcast. I'm your host, Greg Myers. This is the first episode in our three-part series being brought to you by Payroc. Today I'm honored to have as my special guest David Edwards, Payroc's Senior Vice President of Information Security. A recent ransomware attack on a payments company was the catalyst for this conversation because it highlighted how quickly disruption can ripple through merchants and partners. So if you're an ISV, an ISO, a bank partner, or even a merchant, this is about understanding what it takes to stay prepared, stay vigilant, and keep customers protected. So with that, David, thank you so much for being here and welcome to the show.

SPEAKER_02

Thanks for inviting me. Really appreciate it. I'm looking forward to speaking too.

SPEAKER_01

Great. So before we dive deep into the topic, let's start with a little bit about you and Payroc. So tell our audience a little about yourself, maybe your professional journey and your role at Payroc today.

SPEAKER_02

Yeah, absolutely. So 30 years in technology, before the time of Facebook, YouTube, in fact, probably pretty close to the digital payments change in the world. I suppose my journey's taken me through both private banking, retail banking, retail as an industry, and then towards the latter part, more specializing in payments and that ecosystem. Because, in truth, I think the payments landscape now encompasses all those features of what a bank would do, but does it at the real-time checkout moment, which makes it probably one of the most exciting areas of digital finance, I think. And this is why I'm in this space at the minute. Of course, specializing in cybersecurity now for the last 10 years and taking the experience through that journey to help Payroc deliver what I think is outstanding security capabilities for their products.

SPEAKER_01

Okay. So for those that may not be familiar with Payroc, can you give us a quick overview of the company and kind of its role in the payments ecosystem?

SPEAKER_02

Yeah, absolutely. So Payroc's been on a journey, I think originally founded early in the beginning of the century, if we can call it that. Getting close now to what, 200,000 merchants. And it's providing that full stack end-to-end in terms of that payments landscape that, you know, all of the merchants and ISVs need out there in order to deliver what they need to do. So pretty exciting, pretty great growth, and also brilliant customer service.

Beyond Compliance To Real Security

SPEAKER_01

Okay. Well, let's dive into the topic at hand. So many payment companies can pass audits, they can maintain certifications, but what does Payroc do operationally on a week-to-week basis that goes beyond just this compliance and actually reduces risk?

Detecting Hidden Threats And Imposters

SPEAKER_02

Yeah, it's a really great question because, you know, if you just look at the sea of organizations that have had significant cyber attacks, you'll see that they've all got these certifications, you know, lots and lots of them, their SOC, their PCI, their ISO, and so on. So really I think those certifications are the minimum bar, they're the minimum entry, if you will, to demonstrating you're doing cyber. And you've got to go above and beyond that. I think the key difference, when you start to get into a different league, if you will, of cybersecurity, is you've got to pay more attention to who's interested in your organization and what they're prepared to spend and what capability they have in order to come after you. And I suppose if you think about it, 20 years ago, people would sort of, you know, drive past the bank and look at the cameras and see when people came in and out, and, you know, maybe go in and have a look at the vault. And it sort of formed this plan, but that's completely different now. Those individuals that target the finance sector, we might never see them. We don't know who they are because their identities are hidden. And they're really sophisticated and they're spending a lot of money and a lot of time thinking about how they can target. So, building on your question, what do we do? We spend a lot of time understanding how those criminals, which is what they are, build and develop capability which may well be able to circumvent what that minimum bar looks like. So, whether that's understanding identity, you know, who is it that's actually accessing your systems, whether it's understanding where that access is coming from, whether it's being able to detect and track, you know, viruses that have evolved beyond the basic virus you might get on your home machine. Maybe it's looking at and detecting vulnerability.
And this is a really great space where, at Payroc, we scan for vulnerabilities every single day, every day, even though the standard says do this quarterly, every three months. It only takes about 15 days for an attacker to spot you've got a vulnerability and then take advantage of that and then take over your organization. So you can't be waiting three months to find out if you've got a vulnerability. You need to know on the day it exists, and then you need to take action on it rapidly. So if we look at those pillars around identity, who's accessing your systems, knowing your vulnerability and being able to detect when the attackers have advanced past that, those three pillars start to close down the basics. We haven't even touched, you know, we could talk on this, I think, all day around phishing, etc. But really, know your enemy, I think, is the big answer there.

SPEAKER_01

Yeah, I like that. And you know, I've always wondered, when these organizations have, you know, some kind of breach or something happens, and the bad guys have been in the system for, like, they'll find out after a month or, you know, 15 days, 20 days. I've always wondered how that happens. So I think you kind of addressed that. Just curious your thoughts on that.

SPEAKER_02

Yeah, so the real question is this, and this is a great visualization. When you jump onto a Teams meeting and people don't have the camera on, but they sound the same, is that really that person on the other side of that camera? And are they behaving differently? Now, you might have thousands of pieces of technology, you've got, you know, hundreds, if not thousands, of employees in your organization, some you may not even know and have met before. The real question is how do you know that they are not doing something that is essentially a criminal act? And are they really the person they said they were, even if you've not met them? When you take that problem and scale it, so, you know, imagine the town hall of a big, you know, you're talking to all your team on a big Teams meeting. How do you know if someone on that call is not who they say they are? And if you can visualize that, and you need to do that in real time, 24 hours a day, 365 days a year, now you're starting to really understand the cybersecurity problem. How do I know? How do I detect that? And then it really starts to get really complicated after that, and that's how they remain hidden for so long. It's impersonation at an epically grand scale.

Resilience Over Zero Incidents

SPEAKER_01

So, given how sophisticated these threats are, and you just mentioned it, and you also mentioned how, you know, these are no longer people, right? These are organizations and sometimes very well-funded groups, right? So, how can an organization like a Payroc realistically promise we'll never have an incident? And how do you think about that reality and set expectations both internally and externally?

SPEAKER_02

Again, another great question, but I'd reframe that question slightly differently. Because we live in a digital age, and maybe a few decades ago, the idea was you're never going to have a cyber incident because they were quite rare events at that point. You could see them more like a disaster. I think now we've got to change our mindset around that particular concept and say, well, how resilient are we when it does happen? And that might be, well, how fast can you detect it? How quick can you recover from it? And when you start asking those questions, which is really what most businesses should be asking their partners and all of the companies that are critical to them. Because in the event that something does happen, and it is possible that it will happen, the real question is, well, how do you recover quickly? And it's that time to recovery, that max time between not being able to deliver a service versus being able to get that service back running in a reliable, secure way. The companies that can do that quicker are the ones that are more prepared and more resilient to that overall threat. Where the company can't do that and they spend their time offline for weeks trying to recover back from that space, then that's the company that hasn't really got that posture right. And they're still in that previous mindset, which is this is a disaster. If it happens, I'll treat it like a one-off disaster, rather than I'm getting attacked every week, every day. If something goes wrong, how do I recover rapidly so my customers are not impacted by this? So that's the takeaway. How resilient are you? And that's also how a lot of the financial sector and the regulators in the financial sector and more of the banking industry, they've started this mindset from about 2016, and they've been working with organizations to test that level of resilience as well.
So this is now sort of starting to seep into the broader industry around payments, and this is the mindset that you need to take forward. I always think if you're driving the car down the motorway, you know, and the person in front of you hard brakes, you know, you're gonna brake, so that's your reaction time, and you've got that resilience in there because you've left the gap. Cybersecurity is exactly the same. You need to create yourself time to react when the unexpected happens.

SPEAKER_01

And how do you manage, like, the internal messaging of that and the external part? I mean, it sounds like it's an easy answer, but I don't know that everyone does it the same. Are there sort of best practices of how you do that? How do you make sure, you know, your boss and the CEO and the board of directors, and then externally, how do you make sure all of that is messaged correctly?

Leading With Culture And Communication

Training That Actually Changes Behavior

SPEAKER_02

Interestingly, I think that defines what the role of, maybe, you know, a security leader looks like, you know, in reality. Because the truth is, if you can't communicate, you can't deliver your message and you can't make change happen. So actually, the way you go about explaining cybersecurity and the way you bring people through that journey is a really important part of the process. And there are a number of strategies to that. I think most importantly, cybersecurity starts from the top down. You know, it starts from the CEO, and that's something that Payroc has absolutely outlined from the very beginning. We don't make compromises in this space. So the message is from the top, and that helps because it's not a bottom-up message, it's a top-down message. So you do that, you've got that right. I'll call out the Bank of England as a great example. Their CEO said, well, he owns the security, so he wants it done. So that mindset is your first step. The second piece then is making cybersecurity as engaging as you possibly can. Every presentation I do in Payroc, I make it as fun and as engaging as possible so that it's entertaining and, you know, almost like a TV show, if you will, from that perspective. So it needs to be interesting as well. It can't be boring, or else people are just not interested. I think the next piece is letting people know how cybersecurity affects them personally. And this is a really important point. Cybersecurity starts at home and you bring it to work. We spend a lot of time sending out communications on a regular basis to let people know: how do you protect your children online? How do you keep your password safe when you do your online shopping? Do you run antivirus at home? If you start to work from an individual safety perspective, I call it cyber safety, then those behaviors will then come to the workplace as well as at home. And then the next piece is another level to it.
It's targeted training for people with what I call privileged access. So not everybody has the same blast radius in an organization. Different people have a different blast radius, which means different people need different training, tailored to the impact they can have. Interestingly, one of the biggest roles in an organization, that has the biggest blast radius, is the help desk. Because if you need something, you ring the help desk so they can reset your password or, I don't know, remote onto your PC. These people have a lot of access, and they've all got a big blast radius. And we do things like tech deep dives, we show people how computer systems are really hacked. We give live demos so they can see it themselves and visualize it, see where they play their role. We do the annual training, if I'm completely honest with you, but this is more of a compliance element, and I'm not saying it's not of value, but there's a lot of research that says you'll forget that after two weeks, if I'm completely honest. So we run cyber simulations or war games regularly through the year, where we invite people to that so they can simulate: well, if this happened, how would you respond to that? And this type of training is through experience, and experience lasts longer than reading a book, you know, in reality. So we've got all these pillars going on. We've got top-down communication, we've got individual awareness training for themselves, we've got the annual training we have to do, we've got the targeted training for people in specialist areas, and then we've got the simulations, and then on top of that, we run automated simulations. What we would call, I suppose in the industry they call it a red team, but in reality, we simulate a hacker and what they would do, and we see how our systems respond.
And that's another way of learning, because, you know, if the smoke alarm goes off and you find the fire extinguisher doesn't work, you don't want to find that out when you've had a fire. So you've got to practice those drills and make sure it actually really works, and you've got to simulate those things. So an extensive amount of training gets put into the organization to help people understand. And I would say we probably need to do more. I think we need to do more, and we need to be more creative in this space, because I think everybody is a personal cybersecurity person in their own right, in reality, whether you're the CEO or whether you're on the help desk or whether you're in sales, everybody plays an important part in keeping the organization safe.

SPEAKER_01

All right, well, let's get tactical with this question. And it's something that you mentioned earlier: phishing, credential theft. I mean, those are still pretty common entry points. I think we've all heard about those for many, many years. But what layers do you put in place so that something as simple as a stolen password doesn't automatically become some kind of breach?

Phishing’s AI Leap And Layered Defense

Why Payments Are Digital Gold

SPEAKER_02

One of the areas that has radically changed over the past 18 months is phishing attacks. And they've changed in sort of two primary ways. Firstly, they're now mainly AI-driven. So the ability for someone to actually spot a phishing attack is significantly reduced. So maybe 18 months ago, only maybe 4 to 5% of people would have been caught out in a phishing attack. Now that's more like 30 to 40% of people might be caught out in a phishing attack when AI targets you. Because they'll know you love golf, they'll know your hobbies, they'll search you on social media and LinkedIn, and they'll reach out to you. And, you know, also a new type of phishing: they may have compromised a supplier that you're working with, and that person you're talking to all the time may email you unexpectedly with a late invoice that actually might be a phishing attack. So the phishing landscape is radically different. Very difficult for a human being to defend from it. The other piece that's changed significantly in phishing attacks is we all use our phone now to log on and it sends up a prompt and we go, yeah, it's me. Phishing has evolved to the point where those types of security no longer work with phishing. They're able to steal both your login credentials with your phone and your password at the same time without you noticing. Probably a tech deep dive on a different channel, but I assure you this is true. And it just takes one click of an email for that whole sort of password ecosystem to come crumbling down. So it really comes down to how do you know whether somebody's credentials are being stolen and used, and I'll tell you how we do this. And how do you make those systems more robust so that they don't work as effectively? So the first thing is, well, we can use AI too. So we have AI systems that read emails and work out whether or not those emails are actually phishing emails, and it uses AI for that.
These systems are 99.9% effective at detecting this stuff, and we simulate these things every single week to see whether they're working. They're able to work out whether or not somebody changed the conversation halfway through. They're able to understand whether the language that the person writes in is the same as they did before, and they're able to know whether or not the content of that mail is out of character for that particular individual. So they're able to understand how people communicate and then say, I don't think these emails are really kosher, you should have a look at it. So, first of all, we've got AI. The second piece we have is we have risk-based detection, and we have some of the most advanced software in the world that runs on this stuff. We are on the leading edge, there's some case studies on Payroc on this particular technology, and we're able to understand the behavior of individuals' access and how they access systems within a given risk system. So we know, and this goes beyond you going on holiday and logging in from a different location, because you could be on a VPN and appear in a different location. We're able to work out the way you access, what you access, where you use that access, what you do with it, and to visualize this, imagine the old office where you'd walk through and put your key in a door all the time. In the morning, you come in for work, you beep the door, you sit at your desk, that's all you ever do. The next day you come in, you beep at the door, but actually you go to a completely different room in that organization and you beep in, and then you go to two more rooms in that organization, but you never do that. So the access has got to evolve to say, well, what were you doing today that was different to yesterday? We'll go and ask you what you were doing, because you don't usually go to that part of the building, even if you're allowed to go there.
We can't trust anymore that your badge access is good enough. So that's the second thing. And the other thing that's really important is you can now buy access systems which don't depend on the phone, and have what's called phishing resistance, and these are a little key that you put on your keyring, and when you're logging in, you can touch it, and that touch is cryptographically secure in a way that we can be 100% confident that's actually you touching that key, because we gave it to you and we're watching you touch it at that moment. So an attacker would have to break into your house and steal that key in order to get past that access system. I would say those are some of the layers; we have even more layers of access beyond this, because computers are people too, ironically, they log into things, they do stuff. So how do you know if they're doing stuff differently? What if they're behaving differently to before? So once you look at even the small organizations, there are thousands and thousands of different, what we'd call, if you will, accounts that are doing things, or identities that are doing things, and all of these things need to be monitored on a massive scale for deviations. And these are a few of the things we do at Payroc to understand these things. It is pretty mind-blowing when you think about the complexity of that stuff.

SPEAKER_01

Yeah, and you've mentioned a bunch of these proactive capabilities, and, you know, I don't think we have to go into more unless there are more you want to talk about, but I think it's fascinating how proactive you have to be. I mean, you don't wait for something to happen, right? You're doing all this stuff in advance. So, all of that, why do you think it's so important and matters so much in the payments ecosystem?

Ransomware Playbooks And Rapid Recovery

SPEAKER_02

The way I see it is I call payments digital gold. I think you can go and dig gold up from the ground, or actually there is digital electricity floating through systems that is actually real gold. In fact, billions of this particular electricity is now gold. What cyber attack really means, the actual meaning of a cyber attack, is that something has happened in a digital world that has actually affected the real world. The simplest is a cash machine doesn't work because it's been hacked and now you can't get your money out. You physically can't do it. So with payment systems, we are so connected now, whether it's online shopping, paying our bills, paying the mortgage, your entire life revolves around paying money digitally. And if that payment ecosystem is not working, businesses are losing money, they can't charge their customers, you know, they're losing out, customers can't pay for goods, which might affect their topping up their phone. It may mean they can't take the kids to school, maybe they can't pay for this prescription that they really, really need. If the payments don't work, this can have a real material life impact on people, and that can be really detrimental to them, their mental health, well-being, and it has a big social impact in terms of our communities that are really dependent on us. And the payment world now is so integrated into people's lives, it really is. If you look at the way it's going, you know, invoicing, real-time credit decisions at checkout, access to your money in real time, movement of money between your friends, all the aspects, these are all the things you really see from a bank. So, really, the payments industry is a bank in reality that is a real-time system that's instantaneous, and that's what makes payments absolutely fascinating. But it also makes it a really big target for fraud because everything's being done so fast in a moment.

SPEAKER_01

Okay. And you know, as I mentioned at the beginning, there was a ransomware incident in our industry, unfortunately. And it's become, you know, a critical threat to all business, and business continuity is kind of what you mentioned. So how does Payroc ensure both the prevention of these kinds of attacks and, I guess, the ability to recover without having to pay those kinds of ransoms?

Reading SOC 2 Beyond The Badge

SPEAKER_02

It's a really fair point. So understanding the anatomy of a ransomware attack is really important. Someone will get access by phishing or vulnerability, two parts that we've talked about that we're strong on. And then they will hide in your systems for a period of time. In truth, what's really going on is you can see ransomware like a call center. Somebody has a playbook that they're going through. It is a process, a business process. There are multiple teams in that organization where things are getting escalated and getting handed off to different teams to work. Which means that these particular processes have playbooks and they have specific steps that they go through. And actually the anatomy of a ransomware attack, if you just unpick it, looks very similar to what happens in different places. So at Payroc, what we actually do 24-7, 365 days a year, is we buy the research of other ransomware attacks, other attack groups that have been identified who are working in the financial sector. And essentially what we're buying is their business process playbook. That's what we're really buying. The commands they're typing, the software they're running. We're buying all this, if you will, metadata. And then what we do is we search across every system for evidence of that metadata that we've bought. So this recipe, if you will, this ransomware recipe book, we're searching for evidence that this recipe might exist. Because the recipe may well be at a point where we might be the first people to experience that version of the recipe. It will be a little bit different, but not completely new. And that's very, very difficult to detect. It's like getting a virus for the first time. You haven't got an immune system for it. It doesn't matter how much you spend on cyber, your immune system won't be able to respond to that.
So by searching for these recipes across our systems, that radically increases our visibility of these particular activities occurring within our environment. And then we can take rapid action. Now, in the unlikely, or highly unlikely, event, you know, somebody gets to endgame, there's two things Payroc does that are very interesting. Firstly, limiting the blast radius. So we can limit the blast radius with people, but we can also do it with technology. So you can see this like little castle walls around technology, if you will, where rather than having one big piece of technology behind this really big shell, we've got little pieces of technology and they're all in their own little shells. So if one gets affected, only that part of the shell gets affected. I suppose a bit like a ship where, you know, you've got these doors in the ship that might fill with water and you can close the door rather than just having this deck of cars where the water floods through. The next piece as well is being able to restore your backups. Now, a lot of people think just because they've got backups they're safe. It's not true. Because the criminals know you're going to go to your backups when they ransomware you. So the question is, and they might have been there for ages, six months, you don't know. So you can't really restore a backup because they're probably inside the backups as well. So you're just putting them back into your environment. And this is what makes the recovery process so difficult, because you can't trust anything anymore. It's like someone's been in your house. You know, if someone breaks into your house, you have a look around, see if they're still hiding in there, and you think, ah, they're not. You know, you check all the covers, look under the bed, whatever you want to do. In a ransomware attack, they're hiding in the covers and under the bed, but they're hidden away in these things.
So you've got to get them out, you've got to re-extract them from these systems. So we have special systems that are able to search our backups for certain signatures in real time. If they were ever there, we're able to carve them out. That reduces our recovery time drastically, because instead of having to build everything from the ground up new, we can take our backups and we can use them. You know, of course, on a rainy day and, you know, you're in that moment where things have gone bad, you know, you're obviously going to do that as fast and as realistically as you can. But more importantly, and I think when we look at the ransomware attack that happened in the industry, and you look at that, and we touched on it before, it's not just digital cards that are in this data, it's real people's names and addresses and security numbers and driving licenses and so on and so on. So we can reissue card numbers, you know, we don't want to, but we can change, we can block that card, but we can't reinvent someone's date of birth. We can't easily replace their passport and their driving license. So you're in this balance of making sure that the, I call it the freedoms, but the welfare of people are fully protected. And that does have an impact on your recovery. But in terms of technology, there is literally nothing else that Payroc could go out and get; they have, if you will, the Ferrari of the technology to get things back running when it happens, if it happens.

SPEAKER_01

Okay. So Payroc maintains several industry certifications, and we talked a little bit about this. But how should the ISVs, ISOs, and your merchants think about the relationship between these certifications and actual security effectiveness?

Executive Questions That Matter

SPEAKER_02

Yeah, so the certifications are there to say somebody independently came into that organization at a moment in time, that day or that week. Not uninvited, by the way, it wasn't a random check. This was a check where we knew they were turning up on a Monday, and then they did an assessment, and they're qualified, they have absolute credibility. So on the day they were there, they checked that you did what you said you were going to do. Out of the reports, the interesting ones to read are the SOC 2 reports. And I'll talk a little bit more about why they're more interesting. Because PCI is a sort of, if you will, level bar, and it's really just measuring the minimum, and most payment companies are going to pass that minimum bar. If they're not passing that minimum bar, then you need to start asking questions. The SOC 2 report is an interesting report. It's definitely going to send you to sleep at night, I think, if you spend some time reading one of them. But what's interesting is, firstly, you get an auditor's opinion at the top, and that's worth reading. That's their opinion, and they will not compromise their opinion for any company because it's their credibility, so that's worth reading. The second piece of that report that's worth reading is you'll get a grid or a table through the document, and it'll start to talk about the backups and so on. As a company, some things are more important than others, so access control is very important. Backups are very important. The disaster recovery, really important, and antivirus and the security systems that prevent attacks are very important. So if you focus on them first and read what they actually do, what did they say they actually did? And did that seem reasonable? Because on the SOC 2 report, you can find that someone would say, well, if someone leaves my organization, I don't remove the access for a week.
They would still pass the test because they said they did that and that's what they did. Now the auditor will actually has a second report, which is not often shared, where they give an opinion to that to the company, but it's not in that report. So you could always ask for that whether the company would share it, which is really because they don't think that's gonna get shared. So you but if the company says, Well, we terminate access at the moment people leave an organization, or within you know, a certain amount of hours of that, depending on the time of day and the size of the company, then you can start thinking, well, that seems reasonable. So I think what you've got to do with those reports is given that you're gonna you know pitch your business's abilities revenue on that particular provider, then do you know what? Sitting down for a couple of hours and reading through that report, asking some questions, you know, put it through, as long as it's uh you know a proper paid one and you're not sharing the document beyond your scope of NDA, but AI is there to help you interpret that report as well, so that you don't have to be a technical wizard to understand this stuff. I mean, you can give it AI and say, What's your opinion? And it'll or give me the top 10 questions I should go back on, and it will give you these information. And it's absolutely okay, 100% okay, to sit down with that supplier and ask them, well, what else do you do beyond what's in this document? Ask them a bit more stronger about the incidents that they've had, because they will have had some, you know, whether it's a supplier failure, some of these are industry-wide, you know, and also challenge them on the questions until you're actually comfortable. And I think in the security world, we're expecting customers to do that. We're expecting customers to get comfortable and we're going to be open about it, and we're going to give the information that they need. 
If a company is being defensive, being slow to respond, isn't giving a straight answer, that for me would be the red flag. Because a company should be wanting to sell, they're not just selling you the product, they're selling you the security as well. And giving you got an NDA with that organization, you know, really they can tell you a lot more than you could have got from um just uh an initial sort of RFI and RFP process you may have gone through.

SPEAKER_01

Okay. Well, anyone that's followed Payrock's history knows that you've grown tremendously through acquisitions. So, how do you integrate these new systems and new platforms without creating any weak spots or any inconsistencies across that environment?

SPEAKER_02

So it's like when you go out and buy anything new, whether you buy a new house or a new car. There's no perfect system; you're not buying something brand new. So the first stage, we go through a set process, which we've done since I arrived, and it's a process I brought with me. And in this process, if you will, it's a bit like an MOT. I don't know what the correct word for that is in the US, but it's like a health check, if you will, that we go through. Firstly, what we want to know is, well, what weaknesses does this particular organization have in the context of the threats that they might need to defend against? And are they defending them well today? But if they become part of the Payrock world, do we need to strengthen some of these areas within that ecosystem? So we have a set series of what we call technology, people, process, which is extremely robust, and we will put that shield, if you will, around that organization from day one. And there is no compromise on that. It goes in from day one. You can say that's the first level of the shield, and it's completely centralized. So things like phishing and email security, antivirus, all this stuff we talked about, gets immediately put into that particular organization from that perspective. The processes we create were designed to scale. It doesn't matter to us whether we've got a hundred computers or ten thousand computers; our processes scale on demand. So for us, it's not a big challenge in terms of what technology gets brought into our organization. The next piece with acquisition, of course, is what we talked about: well, who's accessing what, and why do they do that? Why has that person got a pass for 10 rooms when they only needed one? So the next phase, of course, is understanding exactly what people access and why, and understanding what that process is.
So we go through these levels of health checks, and again, the big pillars: recovery, access, antivirus, phishing. We put this massive shield around that organization and then we integrate it into our ecosystem. I suppose it's like putting on a new security jacket, I would call it, from that perspective. It's got three layers and it's made from the absolute best material. You ain't going to be cold when you're wearing that. And that's it at a high level; without spending probably a whole day on that subject, we go through that in a massive amount of depth. We check all the standards, we go back through all the certifications, every single detail is checked. It's like when you take the car and plug the computer in and it comes up with all the error codes. We've got that level of technology that we can plug in and it will tell us instantaneously anything that needs to be fixed. If it needs to be fixed immediately, we will fix it immediately. Even if that means at Payrock that the feature we were going to launch in a few days needs to wait a little bit to fix that. Payrock will make sure the security is done right; it will not give it second place, it just gets done. And that's been the message since I arrived at Payrock four years ago. There's been no compromise, and that comes from Little.

SPEAKER_01

Okay. Well, one final question and for the various stakeholders in Payrock's ecosystem, which could be ISVs that are integrating your technology, ISOs representing solutions in the market, banks or financial institutions making referrals, and merchants processing transactions. What's the one thing that you hope they walk away with after hearing this conversation today?

SPEAKER_02

I think if there's one big message for them to walk away with today, it's that for everybody listening to your podcast, security is their job. It starts with them. It starts at home, and you take it to the workplace. And the second key takeaway I would say, especially if you're an executive running your company, is to ask those key questions, which are: how many computers have I got? How many do we look after? If you can't answer that question, then you can't give a definitive answer that I'm making them all safe and secure, because you don't know where they all are. How many of them have I got? How many incidents have I had on these computers? How many times has that security team had to do something, and why? You should know that. That's a big, important part. The third piece is: have you, as an exec, communicated to your team and your exec team that security is important? Because it's really easy to get lost in the business as a whole; we're targeting what we sell, our revenue, building the best product, great customer service, and building a brilliant, brilliant company. And that's usually top of mind because that's the more evolving thing, and that's where the customers and the partners, everyone around you, are giving you that feedback to help you build a better product. But it only takes a moment to sit back at a leadership level and say, hey, you know what, don't forget the importance of security, because in a modern world, without that, you don't have a product roadmap, you don't have a product to sell. It is now part of the safety features, like the airbags and the seatbelts of your car. Who buys a car without a seatbelt and an airbag? Nobody. I think it will be insightful for you to ask those questions and just see what type of responses you get back. And if they aren't clear-cut, solid, then you know that it's worth paying a bit more attention to that.

SPEAKER_01

Okay. Well, David, I think that's a great way to wrap up the show. And I know your time is very valuable. So I really appreciate you being here today. So again, thank you so much for being on the show.

SPEAKER_02

Oh, it's been a pleasure. Uh, thank you very much for inviting me along.

SPEAKER_01

Absolutely. And to all your listeners out there, I thank you for your time as well. And until the next story.

SPEAKER_00

Thanks for joining us for this episode of the Trust Advantage Podcast Series. To learn more about Payrock, please visit www.payrock.com.