Why does data security matter to your business?
It is very important to keep sensitive cardholder data away from would be criminals. The payment card ecosystem describes the relationship between you, your customers, and the rest of the payment card industry; ensuring the safety and security of your customer’s financial data is the first step in making sure that you stay compliant and trusted by the rest of the ecosystem.
If cardholder data leaks, there are ramifications throughout the payment card ecosystem; customers lose faith in your business and in other financial institutions. A loss of credibility results in customers taking their business elsewhere and ultimately affecting your profit margins.
Payment Express believes in continually staying ahead of the game when it comes to data security, while your current integration may work now, if Payment Express deprecates certain cipher suites or protocol versions, you will no longer be able to process payments. To ensure that your integration remains stable, secure and PCI compliant, please follow the best practice guidelines below and keep up to date with upcoming changes.
Transmission best practices
1. Secure HTTP connection
Payment Express mandates the use HTTPS. Designed to allow secure authentication and data transactions, HTTPS uses SSL/TLS to ensure data transactions are made securely. HTTPS is commonplace for online banking portals, ecommerce sites, and almost anything requiring a username and password. Using HTTPS adds a layer of security to keep your customers’ data from being sent in plain text over the internet.
Normal HTTP connections are done via port 80; secure HTTPS connections are done using port 443.
2. Use TLS 1.2 or later
TLS 1.2 is the latest in the TLS/SSL cryptographic protocols and ensures the privacy of data transmissions. Older protocol versions have known vulnerabilities and have been deprecated.
3. Don’t hardcode ciphers
Hardcoding specific ciphers exposes your website to risk in the future; some ciphers are currently considered secure, however in the coming months or years, they may be proven unfit for use. To ensure that your cipher suite is appropriate, it is recommended that ciphers are not hardcoded.
4. Automatic negotiation to the highest TLS and cipher version
It is recommended that you automatically negotiate to the highest TLS and cipher versions to account for changing protocols. Ensuring that your site can handle later versions will mitigate the need to update the site in the future.
5. Use SHA256
The use of SHA 1 is not recommended; instead, all merchants should use SHA 256. If your website is using SSL certificates that utilize SHA 1, you will need to move to the much stronger SHA 256 signing algorithm.
6. Allowing Perfect Forward Secrecy
PFS prevents a compromised long-term secret key from being used to access past or future communications. If PFS is not implemented and a single transmission is compromised, past and future communications may be at risk as well.
7. Keeping software up to date to support new TLS versions and/or ciphers
It is important to keep all software up to date and ensure that new TLS versions and/or ciphers are supported. As older versions are deprecated, your integration with Payment Express may be put at risk, to ensure that your site can communicate with us please make sure that only approved versions are used.
Data storage best practices
1. Don’t physically store card data.
Storing any physical card data exposes your business to a greater level of stringent PCI requirements and opens you up to the risk of attack from criminals. To reduce the level of security mandated by PCI and remove the temptation for hackers, no financially sensitive card data should be stored in any format.
2. Ensure that no one can modify POS to read the card data.
It is important to keep an eye on all Payment Express provided software to ensure that no recording devices have been attached and that there are no cameras nearby. Payment Express utilizes point to point encryption, so an attack will be unsuccessful once the card data has been picked up by the terminal, however it is still possible that cardholders are exposed to risk as they input their PIN etc.
Tokenization generates a re-billable reference to a customer’s card, which can only be used by the merchant. This allows merchants to effectively store card details without needing to meet the much higher data security standards mandated by the PCI SSC.
Certification and Security at Payment Express
Payment Express prides itself on being able to provide merchants and cardholders alike with secure and reliable payment solutions. To guarantee the best protection of stakeholder information, Payment Express is compliant to PCI DSS Version 3.2 and is a Level 1 service provider. Payment Express is re-evaluated annually to ensure ongoing compliance.
The Payment Card Industry Security Standards Council established in 2006 by several leading card issuers: Amex, Discover, JCB, MasterCard, and Visa. The PCI Data Security Standards are set and enforced by the PCI SSC and ensure the secure and safe use of sensitive cardholder data.
Payment Express is PCI compliant throughout our regions of operation:
Payment Express has PCI P2PE compliance; this ensures secure point-to-point encryption of sensitive data from card swipe to billing.
The Payment Express e-commerce solutions, PxPay and account2account are both level AA compliant to the WCAG Accessibility Standard.
Payment Express have a dedicated and purpose built development and data centre, specifically designed for payments processing. We have invested and continue to re-invest in state of the art, bank grade security and infrastructure, and are fully certified as Visa AIS and MasterCard SDP (PCI DSS) compliant at processor level; using an approved QSA for quarterly scans on systems and full onsite audits, annually. All sensitive information is encrypted with the 3DES protocol, with Atalla Network Security Processors.
To stay up to date with changes at Payment Express please see our upcoming changes.