Behind the scenes with Trustly’s security engineering team: how we make payments safe, secure and very fast
Did you know that more than 20% of people don’t want to pay for things online because they’re worried about how safe it is?
At Trustly, we understand that building a secure payment platform is not only a promise to the businesses we work with, but also to our end users who rely on our services every day. Our Senior Security Engineer, Mariano Di Martino (PhD), explains what happens behind the scenes to make this possible:
As a leader in A2A payments, we see a growing need for safe and secure payment options across industries. Trustly's own research supports this: we found that 50% of participants rank security as their top consideration when choosing a payment method*.
To ensure we’re offering our clients the best possible levels of safety for their users, we have a Security Engineering team dedicated to securing every step of the payment process, from the initial checkout screen through to the actual payout to our merchants. Our team ensures that every new product and feature undergoes rigorous security reviews and vulnerability management, and receives expert security advice.
We pride ourselves on our proactive approach to vulnerability management. In this article, we lay out how that process works and how it directly impacts our merchants' businesses:
Vulnerability management is the process in which vulnerabilities (weaknesses) are identified, classified, prioritised and subsequently mitigated. When a weakness is identified in one of our services, it is first classified by severity, and we then decide which team is responsible for resolving it. After this, we prioritise it based on the workload of those teams, perform a risk analysis and, finally, resolve the weakness.
To streamline our vulnerability management process, we have developed our own internal tool – called Zenis. This is an innovative and cost-efficient vulnerability orchestration tool, which is deeply integrated in our development pipeline. Zenis automates the bulk of our internal security workflow, minimising the risk of human error and speeding up the process to unprecedented levels.
Identification
The identification phase starts with the detection of a vulnerability in one of our products. Zenis manages and controls several industry-standard scanners such as Nessus, Detectify, Trivy and Dependabot. It ensures these scanners are continuously updated with our latest product features and API endpoints. Upon execution, the scanners identify weaknesses and produce detailed internal reports based on their findings. To ensure a stable payment platform, Zenis will also instruct the security scanners to perform their testing when checkout traffic load is low to avoid any downtime. Simultaneously, Zenis ensures that scans are conducted frequently enough to allow for fast responses to any detected vulnerabilities.
Classification & Prioritisation
Vulnerabilities vary in nature and severity, and therefore a classification should be made. This requires us to prioritise vulnerabilities using several criteria, including the CVSS score, an industry-standard measure of vulnerability severity. Additionally, we incorporate data from the Known Exploited Vulnerabilities Catalog (KEVC) developed by CISA, the EPSS (Exploit Prediction Scoring System) model, and the business criticality of the services as determined by our merchants' usage. With this comprehensive analysis, we ensure that we are not just reacting to vulnerabilities, but proactively prioritising them in a way that aligns with their real-world implications.
After the prioritisation is done, Zenis identifies the development team tasked with resolving the vulnerability and automatically generates an internal ticket with all the necessary details for the team to begin mitigation.
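To make the prioritisation and routing step concrete, here is an added Python example. It is not Zenis and not Trustly's code: the weights, thresholds, the service criticality values, the team routing table, the SLA days and the sample findings are all assumptions constructed for illustration. It blends the four inputs named above (CVSS severity, EPSS likelihood, KEVC membership, business criticality of the affected service) into one risk score, lets known exploitation override the score, and turns each finding into a ticket for the owning team with a remediation deadline.

```python
"""Risk-based triage of scanner findings (illustrative example, not Zenis).

Combines CVSS, EPSS, CISA KEV catalogue membership and the business
criticality of the affected service into a single priority, then routes each
finding to an owning team with a remediation deadline. All tables, weights and
thresholds below are assumptions chosen for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's own identifier (constructed sample values)
    service: str      # service / product the scanner found it in
    cvss: float       # CVSS base score, 0.0 - 10.0
    epss: float       # EPSS probability of exploitation, 0.0 - 1.0
    in_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalogue


# Assumed business criticality (0-1) per service, e.g. derived from merchant usage.
SERVICE_CRITICALITY = {
    "checkout-api": 1.0,
    "merchant-payout": 0.9,
    "internal-dashboard": 0.4,
}

# Assumed routing table: which development team owns each service.
SERVICE_OWNER = {
    "checkout-api": "team-checkout",
    "merchant-payout": "team-payouts",
    "internal-dashboard": "team-platform",
}

# Assumed remediation deadlines (days) per priority bucket.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """0..1 score: weighted blend of severity (CVSS) and likelihood (EPSS),
    scaled by how business-critical the affected service is. Weights are assumptions."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.finding_id}: CVSS or EPSS value out of range")
    criticality = SERVICE_CRITICALITY.get(f.service, 0.5)  # unknown service: mid value
    return round((0.6 * f.cvss / 10.0 + 0.4 * f.epss) * criticality, 3)


def priority_bucket(f: Finding) -> str:
    """KEV membership overrides the score: confirmed real-world exploitation is
    always treated as critical, however modest the CVSS/EPSS numbers look."""
    if f.in_kev:
        return "critical"
    s = risk_score(f)
    if s >= 0.7:
        return "critical"
    if s >= 0.5:
        return "high"
    if s >= 0.25:
        return "medium"
    return "low"


def triage(findings):
    """Turn findings into tickets ordered by urgency: KEV entries first, then by score.
    A finding on a service with no known owner falls back to the security team."""
    tickets = []
    for f in findings:
        bucket = priority_bucket(f)
        tickets.append({
            "finding_id": f.finding_id,
            "service": f.service,
            "team": SERVICE_OWNER.get(f.service, "security-engineering"),
            "in_kev": f.in_kev,
            "score": risk_score(f),
            "priority": bucket,
            "sla_days": SLA_DAYS[bucket],
        })
    tickets.sort(key=lambda t: (not t["in_kev"], -t["score"]))
    return tickets


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("F-1", "checkout-api", cvss=9.8, epss=0.02, in_kev=False),       # severe but rarely exploited
    Finding("F-2", "internal-dashboard", cvss=7.5, epss=0.9, in_kev=False),  # likely exploited, low-criticality service
    Finding("F-3", "merchant-payout", cvss=6.5, epss=0.05, in_kev=True),     # modest numbers, but in KEV
    Finding("F-4", "checkout-api", cvss=9.1, epss=0.8, in_kev=False),        # severe and likely exploited
]


if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        print(f'{t["finding_id"]}: {t["priority"]:8} score={t["score"]:.3f} '
              f'-> {t["team"]} (fix within {t["sla_days"]} days)')
```

The design choice worth noting is the KEV override: a finding like F-3 scores below the "high" threshold on CVSS and EPSS alone, yet it is ordered first because confirmed exploitation in the wild matters more than predicted severity. Conversely, F-2 has a high EPSS but sits on a low-criticality service, so it lands in "medium" rather than competing with checkout findings for the same team's time.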
Mitigation
The development teams will start mitigating the vulnerabilities with guidance from the security engineering team. Zenis archives every vulnerability, providing additional information such as endpoint details and mitigation advice, which aids the development teams in efficiently resolving the issue. It also monitors the entire timeline of the vulnerability's existence and produces KPIs to ensure our process is effective and delivers business value.
Following international security standards (ISO27001)
The implementation of Zenis plays a crucial role in meeting the requirements of the ISO27001 standard within our vulnerability management strategy, ensuring that our security measures remain comprehensive and robust.
The ISO27001 standard is globally recognised as the benchmark for information security management systems due to its rigorous process for measuring cyber risk.
We also engage in regular external assessments. At least once a year, we invite an external penetration testing (pentest) company to extensively test our products and services. By performing these simulated cyber attacks, we can identify and address potential vulnerabilities from an attacker's perspective, thereby strengthening our cyber defences. This external review complements our internal processes and helps us to ensure that we are delivering the most secure experience possible.
As we continue to innovate and expand, Trustly’s proactive approach to vulnerability management, combined with our adherence to international security standards, ensures that we provide a secure and reliable payment platform.
We are confident that with our solid approach to security, our merchants can build stronger trust with their customers, which will eventually lead to higher conversion rates and sustainable business growth.

