PCI Compliance · 27 May 2026 · 11 min read

NYDFS 23 NYCRR 500 for Payment Companies

If New York's Department of Financial Services has authorized your business, 23 NYCRR 500 sets the cybersecurity bar, and the Second Amendment (adopted in November 2023, with compliance dates phased in through November 2025) raised it significantly. Here's what's in scope, what's new, and where phone payments fit in.

If your business holds a licence from the New York Department of Financial Services (a money transmitter licence, a bank charter, an insurance authorisation), then 23 NYCRR Part 500 is your cybersecurity rulebook. It has been in force since 1 March 2017, and the Second Amendment, adopted on 1 November 2023 with compliance deadlines phased in through 1 November 2025, turned it from a check-the-box exercise into one of the more demanding cybersecurity regimes in US financial services.

This piece walks through what the rule actually says, who it applies to, what changed in the amendments, and where phone payment workflows fit into the picture.

What NYDFS Part 500 is, in plain terms

23 NYCRR Part 500 is a regulation issued by NYDFS that requires "covered entities" to design, implement, and maintain a cybersecurity programme that protects the confidentiality, integrity, and availability of their information systems. It applies to any person or entity operating under a licence, registration, charter, certificate, permit, accreditation, or similar authorisation under New York banking, insurance, or financial services law.

In practice that means:

  • State-chartered banks and trust companies
  • Insurance companies and producers authorized in New York
  • Money transmitters
  • Mortgage bankers, brokers, and servicers
  • Virtual currency businesses (BitLicensees)
  • Payment processors and other licensed financial service businesses

If you're a nationally chartered bank or a federally chartered credit union, you're not covered; your primary regulator is the OCC or the NCUA. If you're an out-of-state company that doesn't hold a New York licence, you're not covered. If you're a vendor to a covered entity, you're not directly covered, but the covered entity has to manage you under Section 500.11 (third-party service provider security), so its obligations arrive in your contract.

The core requirements

The original 2017 rule set out a lengthy list of programme requirements. The headline ones:

  • Written cybersecurity programme. Based on the entity's risk assessment, addressing identification, protection, detection, response, and recovery.
  • Chief Information Security Officer. Either an in-house CISO or one from an affiliated entity or third-party service provider.
  • Penetration testing and vulnerability assessments. Annual penetration tests and twice-yearly vulnerability assessments (the rule's "bi-annual" meant two per year, not one every two years).
  • Multi-factor authentication. For any individual accessing the entity's internal networks from an external network.
  • Encryption. Of non-public information in transit over external networks and at rest; where encryption is infeasible, compensating controls reviewed and approved by the CISO.
  • Incident reporting. Within 72 hours of determining that a reportable cybersecurity event has occurred; this was already faster than most US breach laws.
  • Annual certification. The senior officer or board has to certify compliance once a year.
  • Third-party service provider security policy. You're on the hook for the cybersecurity practices of your vendors.
  • Application security, access controls, audit trails, training. The usual programme bones.

What the Second Amendment changed

NYDFS adopted the Second Amendment to Part 500 on 1 November 2023 and phased in the compliance dates. The amended incident-reporting rules applied from 1 December 2023, most of the remaining provisions from 29 April 2024, and the last tranche (the expanded MFA requirement and the asset inventory) from 1 November 2025. Taken together, the amendments significantly raised the bar.

Governance. The board (or equivalent governing body) now has to have sufficient understanding of cybersecurity-related risks to exercise oversight. The CISO has to report to the board at least annually on the programme, material risks, and any plans to remediate inadequacies. Senior governing body approval of the cybersecurity programme is required.

Class A companies. A new category for larger entities: at least $20 million in gross annual revenue in each of the last two fiscal years from the operations of the entity and its New York affiliates, plus either more than 2,000 employees (averaged over the last two fiscal years, counting affiliates wherever located) or more than $1 billion in gross annual revenue from all operations of the entity and its affiliates. Class A companies face additional requirements: an independent audit of the cybersecurity programme, a privileged access management solution with automated blocking of commonly used passwords, and endpoint detection and response with centralised logging and security event alerting.

Automated vulnerability management. Every covered entity, not just Class A, now needs automated scanning of its information systems (with manual review of anything the scanners can't reach) at a frequency set by its risk assessment and promptly after any material system change, plus monitoring for newly disclosed vulnerabilities and timely, risk-based remediation. The annual penetration test stays, and it must be performed by a qualified internal or external party.

Ransomware-specific obligations. The reporting trigger now explicitly includes deployment of ransomware within a material part of the covered entity's information systems. Ransom payments require their own notification.

Privileged access management. Tighter rules around privileged accounts — limiting them, monitoring them, applying MFA, removing them when they're no longer needed.

Asset inventory. Covered entities must maintain a complete, accurate and documented inventory of information systems, recording for each asset at minimum its owner, location, classification or sensitivity, support expiration date, and recovery time objective.

Tightened MFA. MFA is now required for any individual accessing any information systems of the covered entity. The only exception is reasonably equivalent or more secure compensating controls approved by the CISO in writing and reviewed at least annually. These two requirements were the last to take effect, on 1 November 2025.

Where phone payments fit in

Phone payments aren't called out by name in Part 500, but they bring all the usual elements within scope of the rule:

  • Card data is "non-public information" — so the encryption rules apply
  • Contact center systems are information systems — so they need to be inventoried, monitored, and access-controlled
  • Agents accessing payment systems need MFA
  • Call recordings that contain card data are sensitive material — they need protection both in transit and at rest
  • Your payment gateway is a third-party service provider — you owe due diligence and contractual safeguards under Section 500.11

The traditional model — agent listens to a customer read out their card number, the call is recorded for QA, recordings sit in storage for months — fails several Part 500 tests simultaneously. The recordings contain non-public information that often isn't encrypted properly. The agent's environment is full of card data they don't need. The blast radius of a single compromised credential covers a huge chunk of your card data estate.

DTMF masking shrinks that surface area. Card digits are masked from the agent and never written to the recording, which makes the encryption and access-control story dramatically simpler. You can still meet your QA obligations — agents are still on the call, the conversation is still recorded — without the card numbers being part of the asset you have to protect.
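To make the difference concrete, here is an added illustration in Python. It is not Paytia's code and not how any particular platform is implemented; it models a call as a stream of speech and keypad events, strips the DTMF digits from the agent and recording legs while a capture leg collects them for the gateway, and then runs a Luhn-validated PAN sweep over the recording, which is the same check you would run across stored recordings or transcripts during an audit. The event format, the leg names, the gateway stand-in and the token format are assumptions, and both call transcripts are constructed.

```python
"""DTMF masking of a phone payment, plus a PAN sweep over the recording.

Added illustration, not Paytia's code or any vendor's API.  The event format,
the three "legs", the gateway stand-in and the token format are assumptions;
both call transcripts below are constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass, field

# A call is a sequence of events on the customer leg: ("speech", text) is what
# the microphone hears, ("dtmf", key) is a keypad press.  A real platform strips
# the DTMF tones out of the audio before it reaches the agent and the recorder;
# here the same split is done on the event stream.
MASKED_CALL = [
    ("speech", "Agent: I'll take the card number now, please key it in and press hash."),
    *[("dtmf", d) for d in "4111111111111111"], ("dtmf", "#"),
    ("speech", "Agent: Thanks. Now the expiry, then the security code, hash after each."),
    *[("dtmf", d) for d in "1229"], ("dtmf", "#"),
    *[("dtmf", d) for d in "123"], ("dtmf", "#"),
    ("speech", "Customer: Done."),
]

# The traditional flow: the customer reads the number out and it lands in the
# recording verbatim.  Constructed transcript of that situation.
UNMASKED_RECORDING = (
    "Agent: Go ahead with the card number when you're ready.\n"
    "Customer: It's 4111 1111 1111 1111, expiry twelve twenty-nine, code one two three.\n"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects mistyped PANs before anything is sent to the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CallLegs:
    agent: list = field(default_factory=list)      # what the agent hears / sees on screen
    recording: list = field(default_factory=list)  # what QA storage keeps
    capture: list = field(default_factory=list)    # fields collected for the gateway only


def process_call(events) -> CallLegs:
    """Fan the customer leg out to agent, recording and capture legs.

    Speech goes everywhere.  Keypad digits are buffered on the capture leg and
    the other two legs only ever see a placeholder, so no card digit is written
    to the recording or shown to the agent.
    """
    legs = CallLegs()
    buf = []
    for kind, payload in events:
        if kind == "speech":
            legs.agent.append(payload)
            legs.recording.append(payload)
        elif kind == "dtmf" and payload == "#":       # field terminator
            legs.capture.append("".join(buf))
            legs.agent.append(f"[field received: {len(buf)} digits]")
            legs.recording.append("[dtmf suppressed]")
            buf = []
        elif kind == "dtmf":
            buf.append(payload)
    return legs


def submit_to_gateway(capture) -> dict:
    """Stand-in for the gateway call (assumed API).  Takes PAN, expiry and CVV
    from the capture leg and hands back only a token and the last four digits,
    which is all the agent's desktop needs.  The CVV is used for the
    authorisation and never stored anywhere."""
    pan, expiry, cvv = capture
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check; ask the customer to re-enter it")
    token = "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:16]  # assumed token format
    return {"token": token, "last4": pan[-4:], "expiry": expiry}


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run.  The Luhn filter keeps order numbers and timestamps out.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Sweep text (a transcript, a log, an exported recording index) for PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    legs = process_call(MASKED_CALL)
    print("agent saw:", legs.agent)
    print("gateway got:", submit_to_gateway(legs.capture))
    print("PANs in masked recording:", find_pans("\n".join(legs.recording)))
    print("PANs in unmasked recording:", find_pans(UNMASKED_RECORDING))
```

Running it shows the agent and the recording receiving only placeholders while the gateway receives the full card fields; the sweep finds nothing in the masked recording and one Luhn-valid PAN in the spoken one. The same `find_pans` routine, pointed at transcripts, ticket notes or CRM exports, is a cheap way to evidence to an examiner that the recording estate really does hold no card numbers, rather than asserting it.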

The enforcement picture

NYDFS has been one of the more active US regulators on cybersecurity. A few cases worth knowing about:

  • First American Title Insurance Company, $1 million in 2023, over a web application flaw that exposed mortgage and title documents containing Social Security numbers, bank account details and other non-public information.
  • EyeMed Vision Care, $4.5 million in 2022, over a phishing compromise of a shared mailbox and the MFA, password and access-control failures that let the attacker reach consumer information.
  • Robinhood Crypto, $30 million in 2022, covering cybersecurity, anti-money-laundering and consumer protection failures.

The pattern across these cases is consistent: NYDFS is willing to fine on the basis of programme failures, not just on actual harm. If your MFA was inadequate, your encryption was inconsistent, or your incident response was slow, those are the things the regulator focuses on.

The 72-hour reporting clock

One of the most operationally demanding parts of Part 500 is the 72-hour reporting requirement in Section 500.17. The clock starts when you determine that a cybersecurity event has occurred that meets one of the reporting triggers: it has to be notified to another government or self-regulatory body, it has a reasonable likelihood of materially harming a material part of your normal operations, or ransomware has been deployed within a material part of your information systems. It does not wait for the investigation to finish. And because the rule requires notice "as promptly as possible" and no later than 72 hours, a slow determination is itself something examiners look at; the gap between first detection and determination should be defensible.

That has design implications for how you set up your monitoring, your escalation path, and your relationship with vendors. If your payment processor finds something suspicious on Friday afternoon and your CISO makes the determination that evening, the notice to NYDFS is due by Monday evening, so the alert has to reach the CISO over the weekend rather than in Monday's ticket queue. The vendor's duty to notify you of cybersecurity events, and how quickly, belongs in the processor contract (Section 500.11 expects your third-party policy to address it), with a service level that leaves room inside your own 72 hours.

The Second Amendment added a separate 24-hour notification window for extortion payments. If you pay a ransom, you have 24 hours to notify NYDFS, and 30 days to provide a written description of why the payment was necessary, the alternatives considered, the diligence done to find them, and the diligence done to comply with sanctions rules (paying a sanctioned actor can be an OFAC violation).
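The following is an added Python illustration (not an NYDFS tool, and not any vendor's implementation) of a small incident record that encodes the Section 500.17 triggers and the three clocks they start, so the escalation path described above can be checked against real timestamps. The trigger names, field names and the weekend timeline are assumptions constructed for the example. Determination and payment times are what start the clocks; the record keeps the detection time separately so the gap between the two is visible to whoever reviews the incident.

```python
"""Clocks for 23 NYCRR 500.17 notices on a single incident record.

Added illustration, not an NYDFS tool.  Trigger names, field names and the
sample weekend timeline are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

try:
    from zoneinfo import ZoneInfo
    NY = ZoneInfo("America/New_York")
except Exception:  # no tz database on this host; EDT fixed offset is right for the June sample
    NY = timezone(timedelta(hours=-4))

# The 500.17(a) triggers.  An event matching none of them is still an incident
# to handle, but it does not start the 72-hour clock.
TRIGGERS = {
    "other_regulator_notice",    # must be notified to another government or self-regulatory body
    "material_harm_likely",      # reasonable likelihood of materially harming a material part of operations
    "ransomware_material_part",  # ransomware deployed within a material part of the information systems
}

EVENT_NOTICE = timedelta(hours=72)       # 500.17(a) notice to the superintendent
EXTORTION_NOTICE = timedelta(hours=24)   # 500.17(c) notice of an extortion payment
EXTORTION_WRITEUP = timedelta(days=30)   # 500.17(c) written description of the payment


@dataclass
class Incident:
    first_seen: datetime                        # vendor alert or detection landed; starts no clock
    determined: Optional[datetime] = None       # CISO concluded that a trigger is met
    triggers: set = field(default_factory=set)
    extortion_paid: Optional[datetime] = None
    notices_sent: dict = field(default_factory=dict)   # obligation name -> datetime sent

    def deadlines(self) -> dict:
        """Return {obligation: due_by} for every clock that is currently running."""
        due = {}
        if self.determined is not None and self.triggers & TRIGGERS:
            due["event_notice"] = self.determined + EVENT_NOTICE
        if self.extortion_paid is not None:
            due["extortion_notice"] = self.extortion_paid + EXTORTION_NOTICE
            due["extortion_writeup"] = self.extortion_paid + EXTORTION_WRITEUP
        return due

    def overdue(self, now: datetime) -> list:
        """Obligations whose deadline has passed with no notice recorded."""
        return sorted(name for name, by in self.deadlines().items()
                      if name not in self.notices_sent and now > by)

    def determination_lag(self) -> Optional[timedelta]:
        """Detection-to-determination gap.  Notice is due 'as promptly as
        possible', so a long gap here is what an examiner will ask about."""
        if self.determined is None:
            return None
        return self.determined - self.first_seen


def weekend_scenario() -> Incident:
    """Constructed timeline: the processor flags something Friday 16:30 ET, the
    CISO determines a reportable event at 18:00, and a ransom is paid Saturday 10:00."""
    inc = Incident(first_seen=datetime(2024, 6, 14, 16, 30, tzinfo=NY))
    inc.determined = datetime(2024, 6, 14, 18, 0, tzinfo=NY)
    inc.triggers.add("material_harm_likely")
    inc.extortion_paid = datetime(2024, 6, 15, 10, 0, tzinfo=NY)
    return inc


if __name__ == "__main__":
    inc = weekend_scenario()
    for name, by in inc.deadlines().items():
        print(f"{name:18s} due {by:%a %Y-%m-%d %H:%M}")
    print("detection-to-determination lag:", inc.determination_lag())
    print("overdue on Monday 19:00:", inc.overdue(datetime(2024, 6, 17, 19, 0, tzinfo=NY)))
```

On the constructed timeline the event notice falls due Monday 18:00 ET, the extortion-payment notice Sunday 10:00 and the written description on 15 July, and by Monday evening with nothing sent the record reports two overdue obligations. The `triggers` set is the part worth arguing over in your own incident process: an event with none of the three triggers gets no NYDFS clock, which is exactly why the determination step, and who is authorised to make it, has to be written down.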

Where Paytia fits

Paytia is a PCI DSS Level 1 service provider based in New York and the UK, certified since 2016, with over $500 million in card payments processed through our DTMF-masking platform.

For NYDFS-covered entities, we're a third-party service provider under Section 500.11. We don't replace your cybersecurity programme (your CISO still owns that), but we materially reduce the amount of card data sitting in your environment: fewer in-scope information systems, recordings that contain no card numbers, less to encrypt, less to inventory, and less to lose if something goes wrong.

If you're a covered entity and you want to talk through how a phone-payment workflow lands under Part 500 — including what diligence and contractual provisions you'd want — get in touch with our New York team.

Third-party service provider diligence in practice

Section 500.11 has its own checklist that's worth pulling out. NYDFS expects you to have a written policy covering the identification and risk assessment of third-party service providers, minimum cybersecurity practices required of them, due diligence processes used to evaluate the adequacy of their practices, and periodic assessment based on the risk they present and continuing adequacy of their controls.

In practice this usually means:

  • An inventory of every vendor that touches non-public information
  • Contractual requirements covering encryption, MFA, breach notification timelines, and right to audit
  • Annual or risk-based reassessment of high-impact vendors
  • Documentation that the assessment actually happened — NYDFS examiners ask for evidence, not assurance

For a payment processor, this means your acquirer, your gateway, your DTMF-masking provider, and any other party in the payment chain all need to be evaluated and re-evaluated. A SOC 2 report from the vendor is a starting point, not the whole story.

The bottom line

Part 500 isn't going to get easier. The amendments raised the floor and NYDFS keeps issuing guidance that fills in the corners. The covered entities that fare best aren't the ones with the biggest budgets — they're the ones that have made deliberate choices about which data they hold, where it sits, and who can reach it. Phone payments are a good place to start that conversation, because that's where a lot of unnecessary card data accumulates by default.
