Data Privacy & Security
CSG Trust Center
CSG is committed to protecting customer data by embedding privacy and security into every solution we deliver. We undergo regular independent audits and comply with applicable data protection laws and global standards including GDPR, CCPA, ISO 27001, SOC 1, SOC 2 Type II, and PCI DSS. Through our Trust Center, customers can access up-to-date certifications and policies, underscoring our transparency, accountability, and commitment to safeguarding personal data.
Log in or register for an account to review CSG’s security documentation.


CSG’s AI Guiding Principles
- Deliver positive experiences for our customers and our employees.
- Transparently deliver exceptional solutions with an inclusive approach.
- Implement security and privacy by design into our AI development.
- Respect property rights through data integrity and IP ownership.
Certifications and compliance
ISO 27001:2022 is part of a set of standards that helps organizations securely manage their enterprise from a holistic perspective, focusing on creating a management system to protect sensitive data. ISO 27001:2022 targets continual improvement processes of the management system to ensure the enterprise stays relevant in the ever-evolving world of security and security management. For more information regarding ISO 27001:2022 please visit https://www.iso.org/home.html.
CSG has held the ISO certification since 2018 and is certified annually by an independent assessor. This certification reflects the implementation of a rigorous security program and provides assurance that CSG manages security from a holistic perspective.
For questions or to request more information, you can contact us here.
System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how service providers achieve key compliance controls and objectives. The purpose of these reports is to help user entities and their auditors understand the service provider controls established to support operations and compliance pertaining to internal controls over financial reporting. SOC Reports are prepared in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18, AT-C 320 (SOC 1), and can also comply with the International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization.
Additional information can be found on the AICPA and International Auditing and Assurance Standards Board (IAASB) websites:
- AICPA – https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1
- IAASB – https://www.iaasb.org/
As a business-to-business service provider, CSG provides services critical to our customers’ business operations, revenue and payments management, and customer communications. The purpose of the SOC 1 Report is to give customers and their auditors information regarding CSG’s control environment that may be relevant to their internal controls over financial reporting, and to assist in their assessment of, and opinion on, the effectiveness of their controls.
CSG’s SSAE 18 / ISAE 3402 SOC 1 Type II Report, which is prepared in accordance with both the AICPA AT-C 320 and IAASB ISAE 3402 standards, provides a description of the CSG control environment and the results of the external audit of the CSG-defined controls and objectives. The Report is published annually in December covering the twelve-month period October 1 through September 30.
The annual SOC 1 report is available to CSG’s customers, and their auditors, who are users of the products and services included within the report. Instructions for downloading the report can be found here.
- The scope of CSG’s 2024 SOC 1 Type II and 2024 Managed Services SOC 1 Type II reports is included here.
- The control objectives within CSG’s 2024 SOC 1 Type II and 2024 Managed Services SOC 1 Type II reports are included here.
CSG’s SSAE 18 SOC 2 Type II for the CSG Encompass Platform provides assurance that CSG’s service commitments and system requirements for Security and Availability are achieved.
The report is available to CSG’s customers who use the products and services included within the report. Instructions for downloading the report can be found here.
CSG’s SSAE 18 SOC 2 Type II and CSA STAR Report for Enterprise Cloud Services provides assurance that CSG’s service commitments and system requirements for Security and Availability are achieved, and covers the design of controls to meet the control specifications criteria of the Cloud Security Alliance’s (CSA’s) Cloud Controls Matrix (CCM) Version 4.0.3.
The report is available to CSG’s customers who use the products and services included within the report. Instructions for downloading the report can be found here.
CSA STAR: CSG is a member of the Cloud Security Alliance (CSA) and listed as a CSA Trusted Cloud Provider. You can view CSG’s CSA STAR Level 2 Certification and CSA STAR Level 1 Self-Assessment at the CSA STAR Registry Listing for CSG Enterprise Cloud Services.
CSG has achieved the Cloud Security Alliance (CSA) STAR Level 2: Certification and Attestation, for which an independent third party assessed CSG’s Enterprise Cloud Services. The CSA STAR Certification and third-party attestation mean that data is protected using a secure framework designed for cloud computing, and they assure customers of the strength of CSG’s Enterprise Cloud Services Security Framework. CSG performed the CSA STAR Level 1: Self-Assessment, which documents CSG’s compliance with CSA published best practices.
PCI DSS is a widely known and accepted security framework that lays the foundation for protecting any systems and data that process, transmit, or store customers’ payment card data, or that can affect the security of cardholder data.
For more information about PCI DSS please visit https://www.pcisecuritystandards.org/.
CSG is certified as PCI DSS Level 1, the highest level of assessment available. CSG is assessed for PCI annually by a highly respected third-party assessor. To support customers that process credit card data, CSG has implemented appropriate security controls on the CSG Platforms.
Through a year-round, continuous monitoring process of over 400 controls, along with annual security training for every employee, CSG continually strives to enhance our customers’ trust by protecting their data to the highest degree, particularly payment card and other highly sensitive information. CSG has been PCI DSS certified since its inception.
The Health Insurance Portability and Accountability Act (HIPAA) permits providers, insurance companies, other healthcare entities, and business associates to exchange information necessary for treatment, payment, and healthcare business operations. For more information about HIPAA, please visit https://www.hhs.gov/hipaa/index.html.
CSG acts as a business associate for its customers who are subject to HIPAA requirements and use one or more of the following CSG solutions, which include the Design and Delivery Centers, CSG Ascendon, CSG Xponent, and Interactive Messaging. CSG maintains its HIPAA compliance program through a comprehensive set of policies, procedures, and controls that are continuously reviewed and updated.
For questions or to request more information, you can contact us at [email protected].
The General Data Protection Regulation (GDPR) is a European Union regulation that establishes how organizations may process personal data while respecting individuals’ rights. The GDPR applies to organizations located both within and outside of the EU if they offer goods or services to, or monitor the behavior of, EU residents.
For more information on the GDPR, please visit the GDPR website at https://gdpr.eu/faq/.
CSG has implemented global policies and specific procedures that align with the GDPR for any services that process personal data related to EU residents. Our GDPR program is continuously monitored and reviewed to ensure ongoing alignment with the regulations.
CSG’s security program is compliant with all legal and industry-mandated information security requirements. CSG abides by all laws, regulations, and industry-mandated information security standards applicable to its duties and obligations related to information security for products and services provided by CSG.
CSG maintains a comprehensive security program based on ISO/IEC 27001, under which CSG implements and maintains appropriate physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and customer PII (as defined below) (the “Security Program”).
CSG’s Security Program is subject to technical progress and development. CSG may update and modify its Security Program from time to time; however, those updates and modifications will not degrade or diminish the overall security of the Services.