Security and Compliance
Security and compliance is of utmost importance to everything that happens at App55.
We started with a clean-sheet back in late 2010 and have designed in the latest security features and procedures:
- External and internal encrypted communications (HTTPS, TLS).
- Strong encryption of vital data (TripleDES and SHA-256).
- Security Information and Event Management (SIEM) system that continuously monitors and analyses any activity on the servers.
- Intrusion Detection System (IDS).
- Web Application Firewalls (WAF) that protect the front-end servers against known attacks: code injection, cross-site scripting (XSS), cross-site request forgery (CSRF), probing, bad user agents, etc.
- Hardware firewalls with strict rules.
- Network segmentation: the payment card details are processed and stored in dedicated network segments with enhanced security.
- Monthly vulnerability scans of the servers and network.
- Intrusion Prevention System (IPS).
- Dedicated hardware firewalls.
- Drastic internal security policy: the data never leaves the servers.
We are always looking for ways to improve and if you think you may have a security suggestion or problem or have any questions then contact us straight away at firstname.lastname@example.org.
App55 employs external and approved QSAs and is fully PCI compliant. Our partners, such as CardSave.net, are some of the largest PSPs (Payment Processing Providers) in the world. We also host with iNetU, a fully PCI compliant hoster.
If you would like to find out more on PCI please refer to: https://www.pcisecuritystandards.org/, or a merchant friendly version of this information on the WorldPay website: http://www.worldpay.com/saferbusiness/zone-one.html. Alternatively, please read about our partners.
App55 uses HTTPS and SSL certificates for all of our internal and external services.
We recommend that you have SSL setup on your own website.
Strong Data Encryption
Confidential data such as passwords, cardholder data Payment Card Number (PAN), and crypto-keys are strongly encrypted (using TripleDES and SHA-256) before being stored in a database or a key store.
The PAN is encrypted using a strong Password Based Encryption (PBE) algorithm. The password, or crypto-key, is chosen randomly from one of the thousands of long keys stored in the card database. A random salt is added and one thousand encryption iterations are applied to ensure a strong encryption.
The crypto-keys used to encrypt cardholder data are also encrypted and stored. Again, a strong PBE algorithm is used with a random salt and one thousand iterations are applied. The master keys are read from a secure key store that is kept on a separate machine.
All communications to the production environment are encrypted with HTTPS/TLS (128-bit and above). This rule applies not only to the external connections (gateways, mobile applications, etc.) but also to the internal connections (between application tiers). Certificates are used on all servers to ensure mutual authentication of the servers.
Protection against Attacks
The servers are protected by dedicated hardware firewalls. The first tier servers which host the web-services also host the Web Application Firewalls (WAFs). These analyse all requests sent to the servers for known attacks.
The PCI compliant environment includes an Intrusion Detection System (IDS) and a Security Information and Event Management (SIEM) system that continuously monitors the servers.
If you think you have an issue please get in touch with us at email@example.com. We will review your issue as soon as possible, so please include all of your contact details. Email is not 100% safe, so be careful not to include any confidential details.