As a PCI Compliant organization, we strive to keep your data well protected. Three of our major security categories are: PCI Compliance, application security, and system security.
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Our Security Team
Our security team meets weekly to discuss PCI changes, newly found vulnerabilities, and areas for improvement. This team is made up of our software architects, security-certified engineers, and support and network staff. We make every effort to act immediately on identified risks.
We routinely scan our services using McAfee PCI Certification Service. In addition, many of our customers routinely scan our services with their own trusted PCI partner. These scanning tools are continuously updated with the latest techniques. Any vulnerability findings from these scanners are immediately brought to the attention of the security team, which decides on the appropriate response.
Role Based Security - Roles, Groups and Users
You have the ability to create an unlimited number of groups and users. These can be further coupled into a higher level, called "roles." When specifying permissions you first identify the role, group or user and then specify permissions to allow. For example, you can create a "Marketing Admin" role having the ability to create campaigns, change workflows, and be the only group that can change the status of a complaint to "closed." It's all under your control.
Every Object, Process and Field
Each part of the system, each workflow, each process and each field can be secured with permissions that you define. With an initial installation, we will set these up for you based on your organization's rules.
How users authenticate into the application and their password requirements can be controlled from within the application. You choose:
- How frequently users must change their passwords
- Password strength criteria
- How quickly an account locks out
- Employee PIN quick-swap rules
Credit Card and Sensitive Data
Based on your organization's preferred approach, we support two different methods to obfuscate/secure your data: Three-Tiered Encryption and Tokenization.
Three-Tiered Encryption is the process of placing the encrypted data directly in your database; however, the keys to the data reside in separate security zones. No single employee ever holds enough of the key to retrieve the data. In addition, we use only strong encryption with large keys making your data absolutely secure.
For our large clients, we tend to use a newer security strategy called tokenization. Tokenization is the process of replacing key pieces of sensitive information with a token that is stored locally. The sensitive information resides on the token server, which is in a separate network security zone. For more information on tokenization, see: Wiki Page for Tokenization
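To make the tokenization flow described above concrete, here is an added illustration (not the product's own code or its token server): a toy in-memory vault stands in for the token server in its separate zone, and the application side validates a card number, exchanges it for a random token, and keeps only the token and the last four digits. The names `TokenVault`, `tokenize` and `detokenize` are assumptions made for this example.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that a PAN must pass before it is accepted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_valid_pan(raw: str) -> bool:
    digits = re.sub(r"\D", "", raw)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

class TokenVault:
    """Stand-in for the token server the text places in its own network zone.
    Only this object ever sees a full PAN; the application keeps the token."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def store(self, pan: str) -> str:
        if pan in self._pan_to_token:           # same card -> same token
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(12)  # random: no relation to the PAN
        while token in self._token_to_pan:      # guard against a rare collision
            token = "tok_" + secrets.token_hex(12)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def lookup(self, token: str) -> str:
        return self._token_to_pan[token]        # KeyError for an unknown token

def tokenize(vault: TokenVault, raw_pan: str) -> dict:
    """Application side: validate, hand the PAN to the vault, and keep only
    what the local database may hold (the token plus the last four digits)."""
    digits = re.sub(r"\D", "", raw_pan)
    if not is_valid_pan(digits):
        raise ValueError("not a valid PAN")
    return {"token": vault.store(digits), "last4": digits[-4:]}

def detokenize(vault: TokenVault, token: str) -> str:
    """Only a component with access to the vault can recover the PAN."""
    return vault.lookup(token)
```

A leaked token cannot be reversed without the vault, which is why the text keeps the token server in a separate security zone.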
Server and Network Security
Your membership software resides behind a firewall, and only clients connected through the VPN can reach it. Any system that performs transactions against the membership system must have VPN connectivity to the membership web services. These services are an isolated part of the application and require hardware- and software-based authentication before the service authentication routine itself can be reached.