The ISO certification is one of the most important seals of quality in the world. It is given to companies that comply with certain standards established by well-known test centers such as the TÜV AUSTRIA Group. Credi2, one of the leading tech providers for buy now, pay later (BNPL) services, also recently received an ISO certification. This confirms that the rising fintech scale-up has the highest level of information security and data protection.
“As a fintech, we have to provide information security in our products right from the start,” says Alexander Polster, Chief Information Security Officer (CISO) at Credi2. “Now we can also confirm our high standard of data protection and information security from an independent body with the TÜV seal.”
Fintechs targeted by hackers
Information security and data protection for sensitive financial data are more important than ever. According to researchers from Check Point, cyber attacks in 2021 increased by 117% in Austria, by 62% in Germany, and by 65% in Switzerland compared with 2020. Important institutions such as government/authorities/military form the most heavily attacked sector, followed by finance/banking. These two rank ahead of software manufacturers like Microsoft. Experts expect further increases in cyber attacks in 2022, especially in Europe, where digitization of entire value chains has taken another step forward. And that in turn will attract attackers.
“We cooperate with banks and international companies that operate under very high standards themselves,” Polster says. “People today actively ask what certifications you have, especially in the financial industry. ISO certification is an absolute value-add to validate existing partners and attract new business partners.” He adds that the company can now clearly stand out from other BNPL providers – the TÜV seal on the website alone can create trust.
From cryptography to employees
For 12 months, Polster and his team were busy submitting everything necessary for the ISO standard. Specifically, Credi2 and its German subsidiary c2 Circle have obtained ISO 27001, which confirms that the fintech can manage the security of financial data, intellectual property, employee data, or information entrusted by third parties. In addition, the Vienna-based scale-up has also received ISO 27701. This is an extension of the first certification and verifies the establishment, implementation, maintenance, and continuous improvement of a Privacy Information Management System (PIMS) within the company.
Access protection, controlled purchase of hardware and software, secure internal and external communication, physical protection of assets, use of suitable cryptography, the commitment of the management, and, last but not least, the training and further education of employees – compliance with the ISO standard is very extensive.
“The key issue is to create awareness among employees. For this purpose, we have created our own e-learning system in the company so that everyone is trained and is always up to date with the latest developments,” says Polster. Gamification is used to make the necessary know-how quickly learnable and implementable.
“This is just the beginning”
But certification by TÜV Austria is not the end of the story. “Certification is not the goal, but the beginning,” says Polster. “The standard demands continuous improvement; there is no such thing as standing still. The auditor wants to see every year that you’ve improved yourself, and we work hard to make sure we keep raising the bar for ourselves.”
The Viennese fintech Credi2 has grown to become one of Europe’s leading BNPL scale-ups with partners such as Apple, Raiffeisen Bank International (RBI), and Volkswagen Bank, and services such as cashpresso or FINANCE A BIKE.