Security & Compliance

Why is data security critical for your Online Payments Platform?

Your online payments engine ties your product and/or services, your customers, and payments together. With critical information about your business processes and revenue flowing through, the security of the online payments system needs to be water-tight.

Your Online Payments Platform collects sensitive payment information and frequently collects personal information as well, for instance, full name, e-mail, phone number, organization address, billing address, card address, IP address, and other information collected by the customer through custom fields, if any. You must ensure that all of the data collected will be handled safely and securely and will never be shared with anyone without their consent.

The processing of data via the provision of the Virtual EPS services

At Virtual EPS, we take data integrity and security very seriously. Due to the nature of the product and service we provide, it is important to acknowledge our responsibilities both as a data controller and as a data processor. We store and process your data and that of your customers with care and help you be compliant, in order to continue to build trust while enhancing customer experiences by using the Virtual EPS services.

We help you assure your customers that their payment information and billing data are and will always be secured. The security we provide stems from the very system that handles all payments and customer data and is an essential part of our product, processes, and team culture.

Our facilities, processes and systems are reliable, robust and third-party tested. We continuously look for opportunities to make improvements and give you a highly secure, scalable system to provide a great online payments experience to your customers.

We help you provide a secure online payments experience at different levels by securing your customers’ payment and personal information in compliance with PCI and GDPR.

1. PCI DSS Compliance

Virtual EPS is committed to ensuring that your customers’ payment information is constantly protected, and thus the latter enjoy a superior online payments experience. This standard is reflected in the people, technologies, and processes we employ.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Virtual EPS ensures that your customers’ sensitive card information is encrypted and handled in a safe and secure manner.

2. GDPR

The General Data Protection Regulation (GDPR) (EU) 2016/679, is a regulation in European law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It became enforceable on May 25, 2018. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of individuals inside the EEA.

Our GDPR Commitment

Protecting the personal data of our customers is at the core of Virtual EPS internal operations. We only collect and store information that is strictly necessary to offer our Virtual EPS services, and we do this with the consent of our customers. In addition, our approach towards privacy, security, and data protection is totally aligned with the goals of GDPR.

Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. For more information about these measures, contact us at support@virtualeps.com.

3. Physical and Network security

Virtual EPS uses Amazon's AWS platform and infrastructure. Virtual EPS employees do not have any physical access to our production environment.

Cloud security is the highest priority at AWS. As an AWS customer, we benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

In addition to physical security, being on the AWS platform also provides us with significant protection against traditional network security issues on the infrastructure, including Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, port scanning, and packet sniffing by other tenants.

4. Administrative Operations

At Virtual EPS, we use two-factor authentication to grant access for our administrative operations, including both infrastructure and services. Administrative privileges are restricted to very few employees, as per our internal policies. Additionally, both application-level roles and AWS roles are used to ensure only required operations are allowed for specific users.

Any administrative access is automatically logged and mailed to our internal security team. Detailed information on when and why the operations are carried out is documented and sent to the security team before any changes are performed in the production environment.

5. Host Security

SSH keys are required to gain console access to our servers and each login is identified by a user. All critical operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.

Hosts are segmented and access is restricted based on functionality. That is, application requests are allowed only from AWS ELB, and database servers can be accessed only from application servers.

6. Application Security

Secure Access: Virtual EPS application servers can be accessed only via HTTPS. We use industry-standard encryption for data travelling to and from the application servers.

XSS: All user input is properly encoded when displayed to ensure XSS vulnerabilities are mitigated.

CSRF: All POST requests are checked for a CSRF token before the request is processed.

SQL Injection: We use prepared statements for database access to avoid SQL Injection attacks.

Encrypted Data Storage: We do not store sensitive card details on any Virtual EPS network. The keys for various third-party services (like the payment gateway) are stored in our database only in an encrypted or padded form.

7. Vulnerability Scanning & Patching

We periodically check for and apply patches for third-party software/services. As and when vulnerabilities are discovered, we apply the fixes. We do periodic vulnerability scanning.

8. Data Storage & Redundancy

We use Amazon RDS for our database. The automated backup feature is configured for RDS. We back up data for up to 30 days. We have configured Amazon RDS in Multi-AZ, which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.

9. Monitoring

We use both internal and multiple external monitoring services to monitor Virtual EPS. Our monitoring system will alert the Operations & Security Team through emails and phone calls if there are any errors or abnormalities in the request pattern.

10. Disclosure

We are working continuously to make our system secure. If you face any security issue, please report it immediately to support@virtualeps.com. We will make sure the issue is fixed and updated as soon as possible.

We take security as our highest priority.

Last updated 9 October, 2021