Is Payit GDPR compliant?
Payit is compliant with all privacy regulations. All customer data captured by Payit is collected and used only for the purpose of creating and making payouts.
Does the Portal have a maximum limit to how much data it can hold/store?
Payit conforms to the bank’s data retention policy, ensuring that data is stored, managed and purged in line with the regulatory requirements.
Our current requirements treat payout data as payments, which are held for a minimum of 10 years under the rules in force as of November 2022. Cancelled and expired payouts are deleted automatically after 12 months.
Do you undertake regular security risk assessments and take steps to mitigate the risks identified?
Security Assessments are conducted for all major changes to NatWest Group systems and applications.
These assessments are used to identify potential threats and vulnerabilities and ensure adequate controls are implemented to manage our information security risks.
The Sending Payments application doesn’t store customer account information as plain text. It is stored in an encrypted/hashed database and accessed only to identify duplicate payments (part of risk reporting).
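The duplicate-payment check described above can be run against keyed hashes of account details rather than the details themselves, so the store used for risk reporting never holds a plaintext sort code or account number. The following is an added example and not NatWest's or Payit's own code: it assumes HMAC-SHA256 under a secret pseudonymisation key (the page says only "encrypted/hashed"), and the key, payout IDs and account details are constructed for this illustration.

```python
import hmac
import hashlib

# Constructed key for this example only. In a real deployment the key lives in
# an HSM/KMS and is never hard-coded; without it the stored fingerprints cannot
# be mapped back to account numbers by brute force, which an unkeyed hash of a
# short numeric identifier would allow.
PSEUDONYMISATION_KEY = b"example-pseudonymisation-key-not-for-production"


def account_fingerprint(sort_code: str, account_number: str,
                        key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Return a keyed, non-reversible fingerprint of a UK account.

    The inputs are canonicalised first (dashes and surrounding whitespace
    removed) so that '12-34-56' and '123456' produce the same fingerprint and
    a duplicate cannot slip past the check through formatting differences.
    """
    canonical = f"{sort_code.replace('-', '').strip()}:{account_number.strip()}"
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class PayoutLedger:
    """Minimal duplicate-payout detector keyed on account fingerprints.

    Only the fingerprint, the payout id and the amount are retained; the
    plaintext account details are discarded as soon as the fingerprint is
    computed.
    """

    def __init__(self) -> None:
        # fingerprint -> list of (payout_id, amount_pence)
        self._by_fingerprint: dict[str, list[tuple[str, int]]] = {}

    def record(self, payout_id: str, sort_code: str, account_number: str,
               amount_pence: int) -> list[str]:
        """Record a payout and return ids of earlier payouts that look like
        duplicates (same destination account, same amount)."""
        fp = account_fingerprint(sort_code, account_number)
        earlier = self._by_fingerprint.setdefault(fp, [])
        duplicates = [pid for pid, amt in earlier if amt == amount_pence]
        earlier.append((payout_id, amount_pence))
        return duplicates

    def stores_plaintext(self, account_number: str) -> bool:
        """Check that the ledger's keys never contain the raw account number."""
        return any(account_number in fp for fp in self._by_fingerprint)


if __name__ == "__main__":
    ledger = PayoutLedger()
    print(ledger.record("P-1", "12-34-56", "12345678", 10_000))   # []
    print(ledger.record("P-2", "123456", " 12345678 ", 10_000))   # ['P-1']
    print(ledger.stores_plaintext("12345678"))                      # False
```

The design point is the keyed hash: a bare SHA-256 of a six-digit sort code and eight-digit account number is a small enough input space that the stored values could be enumerated, whereas an HMAC with a secret key is only useful to whoever holds that key, which keeps the duplicate check working while the database on its own reveals nothing about the accounts.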
What controls are in place for information security / cyber risk?
The NatWest Group has deployed secure network environments called Layered Scalable Perimeter (LSP). Each network zone is separated from an adjacent network zone through firewalls, physical network separation, separate network addressing and subnet masking. All network security infrastructure supporting the tiered environment is managed from a common secure management zone.
Wireless access is only used to provide internet access, through which employees are able to access the standard remote access solution if required. There is no direct wireless connection to the enterprise network.
Security Threat Mitigation
The NatWest Group deploys a number of different processes and tools to help identify and mitigate against security threats. This includes tooling to identify attacks against the NatWest Group including Malware, Network Intrusion Detection Systems (NIDS) and Distributed Denial of Service (DDoS) protection. The Technology function manages other tools to defend against security attacks including Anti-virus, Firewalls and web proxies.
Data Loss Prevention (DLP) Tools
DLP controls are deployed to monitor and block specific information from leaving the NatWest Group.
A panel of approved Penetration Testing companies work with the Security function to test our systems and infrastructure. Those on the panel are CHECK and CREST accredited, with assurance checks performed before a vendor is added to the panel.
Regular application and infrastructure (internal and external facing infrastructure) vulnerability scans are conducted using vulnerability management tools. The Vulnerability Assessment Service (VAS) evaluates the security exposure to determine the appropriate response. Critical responses, including patches if available, are managed as incidents in real time, with lower category exposures included in periodic update cycles. Security updates or patches are tested against defined criteria.
Sending Payments User Access Security:
For authentication, users are required to supply a username and password. Additionally, per SCA guidelines, privileged users are authenticated through our Bankline card reader service.
Service level security:
All application endpoints are exposed over HTTPS.
Connections from users to the Payit Sending Payments application are routed through a WAF/API gateway, which examines the payload for malicious or malformed content before routing it further.
What do I do if I suspect fraud?
If you’re an existing business customer with a query, please get in touch by contacting the team at [email protected], or report your concerns online at www.actionfraud.police.uk.
How can I protect my business from fraud?
NatWest offers training and support for your business, including webinars and free fraud e-learning courses.
Visit the NatWest security hub to find out more.