Payroc's Cyber Fitness: Your Questions Answered

Payroc Cyber Fitness Q&A: David Edwards on Information Security

A Q&A with David Edwards, Senior Vice President of Information Security

In today’s payments landscape, cybersecurity isn’t a marketing feature. It’s foundational.

From the ISVs embedding Payroc payments technology into their software, to the ISOs and agents representing Payroc solutions in the field, to the financial institutions and referral partners safeguarding customer trust, and to the tens of thousands of merchants whose livelihood depends on the integrity of Payroc’s systems, every Payroc stakeholder depends on the strength of our cybersecurity posture and risk-management practices.

Recent industry events have made one thing clear: compliance alone is not enough. The real differentiator is cyber fitness, the 24/7/365 discipline of training, testing, monitoring, and improving defenses in an environment where sophisticated new threats evolve daily.

We sat down with David Edwards, Payroc’s Senior Vice President of Information Security and winner of the 2025 CSO30 Top 30 UK Cybersecurity Leaders award, to answer the most important questions about how Payroc protects data, merchants, and partners.

Q: Let’s start simply. How secure is Payroc?

David Edwards: We operate in one of the most targeted industries in the world. Payments companies hold card data, digital funds, and transaction infrastructure, assets that are extremely attractive to sophisticated threat actors.

Because of that, we don’t treat security as a checklist. We treat it as a discipline.

We deploy best-of-breed cybersecurity technologies across our environment. Our controls are independently validated through PCI DSS certification, SOC 1, and SOC 2 audits. And importantly, our recent audits have resulted in clean reports, with no findings or exceptions.

But certifications represent the minimum bar. Our focus is what we do beyond compliance.

Q: What does “beyond compliance” actually mean?

David: Many companies run required scans quarterly because that’s what PCI mandates.

We run continuous vulnerability scanning, every single day, both externally and internally across our environment. And we don’t rely on one tool. We use four independent vulnerability platforms to identify weaknesses.

We also operate 24/7/365 security monitoring with real human analysts watching activity—not just automated alerts.

In addition, we conduct:

  • Advanced threat detection: Proactively searching for hidden attackers inside our environment.
  • Ransomware simulations: Safely replicating real-world attack techniques against our systems to test effectiveness.
  • Breach simulation exercises: Testing whether phishing or malware techniques would succeed.
  • Dark web monitoring: Looking for leaked credentials associated with our merchants or employees.
  • Brand protection monitoring: Identifying cloned or fraudulent websites impersonating Payroc.

That’s not mandated by compliance. That’s cyber fitness.
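Brand protection monitoring of the kind listed above typically starts from the other direction: generate the lookalike domains an impersonator would register, then match them against a feed of new registrations. The Go program below is an added illustration, not Payroc's tooling. It builds omission, repetition, transposition and homoglyph variants of a brand label, treats the exact label under another TLD and any registration that embeds the label as suspicious, and runs that over a constructed sample feed. The brand label `acmepay`, the allowlist and every domain in `sampleFeed` are stand-ins invented for the example, not real registrations.

```go
package main

import (
	"fmt"
	"strings"
)

// brand is the protected second-level label; the domains in sampleFeed below are
// constructed for this example and are not real registrations.
const brand = "acmepay"

var allowlist = map[string]bool{"acmepay.com": true}

// homoglyphs lists substitutions that read like the original character at a glance.
var homoglyphs = map[rune][]string{
	'a': {"4"}, 'e': {"3"}, 'i': {"1", "l"}, 'l': {"1", "i"},
	'o': {"0"}, 's': {"5"}, 'm': {"rn"},
}

// variants returns every single-edit lookalike of label, keyed by the technique that produced it.
func variants(label string) map[string]string {
	out := map[string]string{}
	add := func(s, technique string) {
		if s != label {
			if _, seen := out[s]; !seen {
				out[s] = technique
			}
		}
	}
	r := []rune(label)
	for i := range r {
		add(string(r[:i])+string(r[i+1:]), "omission")    // drop one character
		add(string(r[:i+1])+string(r[i:]), "repetition")  // double one character
		if i+1 < len(r) {                                 // swap with the next character
			t := append([]rune{}, r...)
			t[i], t[i+1] = t[i+1], t[i]
			add(string(t), "transposition")
		}
		for _, sub := range homoglyphs[r[i]] {            // visually similar replacement
			add(string(r[:i])+sub+string(r[i+1:]), "homoglyph")
		}
	}
	return out
}

// lookalikes is computed once; Go orders package initialisation so homoglyphs is ready first.
var lookalikes = variants(brand)

// splitDomain separates the registrable label from a single-label TLD
// (a real deployment would use the Public Suffix List to handle co.uk and friends).
func splitDomain(domain string) (label, tld string) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	if i := strings.LastIndex(d, "."); i >= 0 {
		return d[:i], d[i+1:]
	}
	return d, ""
}

// classify reports the impersonation technique a newly seen domain matches, if any.
func classify(domain string) (technique string, suspicious bool) {
	d := strings.ToLower(domain)
	if allowlist[d] {
		return "", false
	}
	label, _ := splitDomain(d)
	switch {
	case label == brand:
		return "tld-swap", true
	case lookalikes[label] != "":
		return lookalikes[label], true
	case strings.Contains(label, brand):
		return "brand-affix", true
	}
	return "", false
}

type hit struct{ Domain, Technique string }

// scan runs classify over a registration feed and keeps only the suspicious entries.
func scan(feed []string) []hit {
	var hits []hit
	for _, d := range feed {
		if t, ok := classify(d); ok {
			hits = append(hits, hit{d, t})
		}
	}
	return hits
}

// sampleFeed mimics one day of new registrations from a domain-monitoring provider (constructed).
var sampleFeed = []string{
	"acmepay.com", "acm3pay.com", "acmpay.com", "acempay.com", "acmeppay.com",
	"acmepay.net", "acmepay-login.net", "secure-acmepay.co", "example.org",
}

func main() {
	for _, h := range scan(sampleFeed) {
		fmt.Printf("%-22s %s\n", h.Domain, h.Technique)
	}
}
```

Hits from `scan` are the candidates an analyst then triages (does the domain resolve, does it serve a cloned login page, does it have a certificate), which is the "cloned or fraudulent website" step; the generator is only the cheap filter that makes a daily feed of new registrations tractable.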


Q: You mentioned threat detection. What is that?

David: Threat detection, also called threat hunting, is proactive detection of advanced threats that might evade traditional controls.

For example, when a ransomware group compromises a company, forensic data eventually becomes available about how the attack worked. We purchase specialized intelligence and replicate those attack techniques in our own environment to confirm that we are not vulnerable in the same way.

It’s like studying game footage after a championship match. We want to know exactly how attackers are operating in the wild and ensure those methods don’t work against us.

Few of our peer payments companies operate formal threat-hunting programs. We do.

Q: How does Payroc protect against credential theft and phishing?

David: We use multiple layers.

First, we deploy AI-based, risk-based authentication that monitors user behavior. If credentials are stolen and someone attempts to log in, our systems can detect abnormal patterns and block access, even if the username and password are correct.

Second, we implement phishing-resistant multifactor authentication (MFA) using hardware cryptographic keys for users with the highest-level privileges. Unlike app-based MFA that can be socially engineered, hardware keys require physical interaction and cryptographic validation.

Third, we run internal phishing simulations and training exercises regularly. Human behavior remains one of the largest risk factors in cybersecurity, so we continually educate and test.
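The phishing resistance attributed to hardware keys above comes from origin binding in the FIDO2/WebAuthn protocol: the browser, not the page, writes the real origin and RP ID into the data the key signs, so an assertion produced on a lookalike site cannot be replayed to the genuine one. The Go program below is an added illustration, not Payroc's code. It models a security key as an in-memory P-256 key, a relying party at the constructed origin https://login.example.com, and an adversary-in-the-middle proxy at https://login-example.com that relays the genuine challenge. The signed message layout, authenticatorData followed by SHA-256(clientDataJSON), follows the WebAuthn specification; the origins, RP IDs and the single function call standing in for a physical touch are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the subset of WebAuthn CollectedClientData that matters here.
// The browser, not the web page or the server, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the authenticator returns for a sign-in.
type assertion struct {
	AuthData   []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientData []byte // serialised clientData
	Sig        []byte // ECDSA P-256 (ES256) signature, ASN.1 DER
}

// hardwareKey stands in for a FIDO2 security key: priv never leaves it, and a
// call to sign models the user physically touching the key.
type hardwareKey struct{ priv *ecdsa.PrivateKey }

// sign builds the assertion as the browser/authenticator pair would:
// pageOrigin and pageRPID come from the page the user is actually on.
func (k *hardwareKey) sign(pageOrigin, pageRPID, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(pageRPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: UP (user present); signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedDigest(authData, cd))
	return assertion{AuthData: authData, ClientData: cd, Sig: sig}, err
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the ES256 message digest.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// relyingParty is the server side: it knows only its own origin, its RP ID and
// the public key registered for the user. Nothing here is attacker-controlled.
type relyingParty struct {
	origin, rpID string
	pub          *ecdsa.PublicKey
}

func (rp *relyingParty) verify(challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong type or challenge (replay)")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(a.AuthData, a.ClientData), a.Sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// demo runs three sign-ins against the same relying party and returns each outcome.
func demo() (legit, phished, forged error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &hardwareKey{priv: priv}
	rp := &relyingParty{origin: "https://login.example.com", rpID: "login.example.com", pub: &priv.PublicKey}
	ch := newChallenge()
	// 1. The user is on the real site.
	a, _ := key.sign(rp.origin, rp.rpID, ch)
	legit = rp.verify(ch, a)
	// 2. Adversary-in-the-middle phishing: the proxy relays the real challenge and the user
	//    touches the key, but the browser stamps the phishing page's origin and RP ID into
	//    what gets signed, so the relying party refuses it.
	p, _ := key.sign("https://login-example.com", "login-example.com", ch)
	phished = rp.verify(ch, p)
	// 3. The proxy rewrites origin and rpIdHash to the genuine values before relaying; the
	//    signature no longer covers what the assertion now claims.
	rpHash := sha256.Sum256([]byte(rp.rpID))
	fakeCD, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: rp.origin})
	forgedA := assertion{AuthData: append(rpHash[:], p.AuthData[32:]...), ClientData: fakeCD, Sig: p.Sig}
	forged = rp.verify(ch, forgedA)
	return
}

func main() {
	legit, phished, forged := demo()
	fmt.Println("real site:       ", legit)
	fmt.Println("phishing proxy:  ", phished)
	fmt.Println("forged assertion:", forged)
}
```

Contrast this with a TOTP or push code: a six-digit code carries no origin, so a proxy that relays it to the real site succeeds. Here the user's touch on the lookalike site yields a signature the real site rejects on the origin check, and rewriting the origin after the fact fails the signature check, which is the property "phishing-resistant" refers to.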

Q: How resilient is Payroc to ransomware?

David: We focus on both prevention and recovery.

First, we conduct ransomware simulations to test our defenses. We run continuous scanning and detection to identify vulnerabilities early.

And second—this is critical—we maintain ransomware-resilient backups, backups that cannot be easily deleted or encrypted by attackers.

We also test our ability to restore systems and validate that backups are clean. That’s also critical. Having backups is one thing; knowing they work is another.

Together, these processes ensure ransomware recovery without ransom by enforcing immutable, malware-scanned backups stored in isolated cloud environments with dual-authorization controls.

Q: What certifications does Payroc maintain?

David: We maintain:

  • PCI DSS certification
  • SOC 1
  • SOC 2

SOC 2 specifically measures security controls, and not all payment companies pursue it.

But it’s important to note: many companies that experience breaches also hold certifications. Certifications validate baseline controls. What differentiates organizations is how far they go beyond them.

Q: Is there any independent way to benchmark Payroc’s security posture?

David: Yes. External rating agencies such as SecurityScorecard assess organizations from the outside, analyzing internet-facing risk signals and security hygiene.

Payroc maintains an “A” rating on these platforms. That rating is public-facing and continuously monitored. It reflects how we appear to the outside world in terms of cybersecurity risk.


Q: How large is Payroc’s security team?

David: We maintain an internal Information Security team of approximately 17 professionals, augmented by external specialist firms.

We operate a hybrid security model of internal experts paired with premium third-party security partners. This gives us domain knowledge plus global threat intelligence at scale.

Q: How does Payroc cybersecurity compare to that of the largest payment companies?

David: The largest companies often have more budget and bigger teams. They may run extensive security operations using major consulting firms.

But size doesn’t always equal agility.

Payroc’s advantage is responsiveness. We can pivot quickly. We can deploy new technology rapidly. We can respond decisively to emerging threats.

Cybersecurity is not static. It’s dynamic. And agility matters.

Q: Payroc has grown through acquisition. Does that create additional risk?

David: Any acquisition introduces integration risk. That’s true for any organization.

But here’s the difference: when systems join Payroc, they come under our security umbrella, our scanning, monitoring, identity controls, and governance frameworks.

In many cases, we identify security opportunities during integration that predate the acquisition. That’s part of strengthening the overall environment.

Q: Can any company guarantee it won’t be breached?

David: No.

We operate in a challenging digital environment with sophisticated adversaries, some backed by nation-state resources. It’s not a level playing field.

Cybersecurity is a continuous battle. That’s why we use the term cyber fitness internally. Fitness isn’t a one-time event. It requires ongoing training, discipline, testing, and adaptation.

Our commitment is not that risk disappears. Our commitment is that we train harder than most, monitor more aggressively than required, and respond faster when threats emerge.

Q: What does this mean for ISVs, ISOs, financial institutions, and merchants?

It means:

  • Your data is protected by layered, independently validated controls.
  • Your integrations run on infrastructure that is continuously monitored and tested.
  • Your reputation is supported by a partner that treats security as a strategic priority—not a compliance obligation.
  • Your RFP and due-diligence processes can be supported by real documentation, audit reports, and independent validation.

Cybersecurity isn’t just an IT concern. It’s a partnership concern.

Final Thoughts

The payments sector is one of the most targeted industries in the digital economy. That reality shapes our investment decisions, our staffing, and our daily operations.

We are PCI DSS certified. We maintain SOC 1 and SOC 2 reports with no findings or exceptions. We hold strong external security ratings. And we go significantly beyond compliance with continuous scanning, threat hunting, AI-based authentication, ransomware simulation, dark web monitoring, and 24/7 human oversight.

That is cyber fitness. And in payments, fitness matters.

If you are an ISV evaluating integration partners, an ISO representing Payroc in the field, a financial institution referring clients, or a merchant processing transactions through our platform, know this:

Security at Payroc is not a talking point. It’s a discipline.