Server and Data Security
From the beginning, Payment21® developed its system with the PCI DSS requirements in mind. However, Payment21® is not obligated to follow the PCI DSS Standards since we are not processing credit card payments. Nevertheless, Payment21® abides by the standards of Visa and MasterCard voluntarily. All servers are stored in a fully PCI DSS-compliant datacenter.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard defined by the PCI Security Standards Council. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. Validation of compliance can be performed either internally or externally, depending on the volume of transactions the organization handles, but regardless of the size of the organization, compliance must be assessed annually.
The council that develops and monitors these regulations is made up of the leading providers in the payment industry: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. They define the best practices for storing, transmitting and handling sensitive information over the Internet.
In a growing effort to preserve the integrity of personal information, the PCI Security Standards Council has put forth a series of regulations that online businesses must follow to ensure the security of online shopping. Payment21® has met and surpassed all standards outlined by the PCI Security Standards Council. Not only did we invest in state-of-the-art network security software, but we have proven that our security management, security policies, network architecture, and software design are protected and free of any vulnerability that may hinder your online business.
Currently, we are certified by Comodo's Web Inspector malware detection service, which protects online businesses and their customers from viruses and fraud. To comply with the Comodo Web Inspector service standards, we must meet all of its fraud prevention requirements on a daily basis.
We work tirelessly to ensure that every aspect of our network is maintained and managed to premium levels. The role of a superior financial data service provider is a challenging one, but it is a challenge to which we always rise. Our technical team updates our security infrastructure daily. We also monitor it manually to ensure that there are no unforeseen or yet unknown threats to our systems in our datacenter. We are here to safeguard your much-valued data against fraud. With properly maintained firewalls, encrypted data and premium antivirus software, you can rest assured that we take all the necessary steps to ensure that customers can use our services with confidence.
All processing and storage are managed by a professional datacenter in a well-regulated and reputable European jurisdiction. The building is located in a superb geographical position on a small hilltop between two ridges. This datacenter provides security and stability with the following features:
- Redundant Air Conditioning.
- Uninterrupted power supply (UPS) is through APC Schneider Electric and is tested regularly by the control unit and serviced annually by the manufacturer.
- In the event of lengthy power interruptions, the emergency power supply (a diesel engine with 270 kVA output) takes over. The system is tested once a month by running it for 30 minutes, providing 80% of the energy required. Twice a year, the system is tested for 30 minutes at full load.
- Security is ensured 24/7, 365 days a year via CCTV cameras located in the entrance area, both inside and outside, as well as on the floor.
- A locking and electronic access control system is installed which governs access to the different areas.
- The building is protected by a fire alarm system with separate fire detectors in each area.
- Originally, the building was set up for civil defense, meaning it is very solid and earthquake-proof.
- All windows are highly protected.
Encrypted Data: TLS and SSL
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the transport layer, using asymmetric cryptography to establish the session keys, symmetric encryption for privacy and a keyed message authentication code for message integrity. There are several versions of SSL, with SSL 3.1 being another name for TLS 1.0. The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. When you log in to Payment21®'s website you will see in the URL something like https://www.Payment21.com/... (where the "s" after "http" denotes that the connection is secure). The whole website uses the "https" protocol, which ensures that any information passed over the Internet is encrypted in transit, protecting users from man-in-the-middle attacks.
Bank Grade Security
Payment21® uses a two-step authentication and authorization process that is safer and more secure than authorizing credit or debit cards. The system processes transactions with bank-grade security.
Transaction security is based on masking. With Payment21®, none of the user’s banking information is publicly transferred, released, captured, copied or transcribed during a transaction. The servers are protected with firewalls and premium antivirus software.
Payment21®'s fraud prevention services include a multitude of simultaneous screening techniques. We offer one of the most comprehensive verification systems available today. To keep the return rate low, Payment21®’s risk management exercises strict rules, automatically blacklisting any fraudulent account or any account of users with suspicious activity. Many of the security features run invisibly in the background, providing customers with a smooth payment experience while discreetly separating the good from the bad:
- Device detection applies a set of business rules and velocity limits to determine whether the computer or phone used by the user is on the 'block list' of known bad devices
- Blocking any transaction from a user who carries Payment21®’s internal high-risk rating because of past 'decline' results or rejected transactions
- IP filtering - this enables Payment21®’s system to link unrelated accounts and behavior to one source IP address and block use from unsupported or high-risk areas. It also helps to identify anonymous proxy IPs and transactional anomalies before they impact the business.
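As an added example (not Payment21's code) of how the screening rules listed above fit together before a payment reaches the backend, the small Python screener below applies a device block list, a per-device velocity limit, an internal risk rating raised by past declines, a supported-region check and IP linking of unrelated accounts. The thresholds, device ids, addresses, country list and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600       # velocity window per device (constructed thresholds)
MAX_TX_PER_WINDOW = 2      # more than this from one device in the window => block
DECLINE_THRESHOLD = 2      # this many past declines => internal high-risk rating
MAX_ACCOUNTS_PER_IP = 1    # more distinct users behind one source IP => linked
SUPPORTED_COUNTRIES = {"CH", "DE", "AT"}   # constructed list of supported areas

class Screener:
    def __init__(self, blocked_devices):
        self.blocked_devices = set(blocked_devices)
        self.device_history = defaultdict(deque)  # device -> recent timestamps
        self.user_declines = defaultdict(int)     # user -> count of past declines
        self.ip_users = defaultdict(set)          # source ip -> distinct users seen

    def screen(self, user, device, ip, country, ts):
        reasons = []
        if device in self.blocked_devices:        # device detection: block list
            reasons.append("blocked_device")
        if country not in SUPPORTED_COUNTRIES:    # unsupported / high-risk area
            reasons.append("unsupported_region")
        if self.user_declines[user] >= DECLINE_THRESHOLD:
            reasons.append("high_risk_user")      # internal high-risk rating
        hist = self.device_history[device]        # velocity: count within window
        while hist and ts - hist[0] > WINDOW_SECONDS:
            hist.popleft()
        hist.append(ts)
        if len(hist) > MAX_TX_PER_WINDOW:
            reasons.append("velocity_limit")
        linked = self.ip_users[ip]                # IP filtering: link accounts
        linked.add(user)
        if len(linked) > MAX_ACCOUNTS_PER_IP:
            reasons.append("ip_linked_accounts")
        if reasons:                               # every decline raises the rating
            self.user_declines[user] += 1
        return (not reasons), reasons
SAMPLE_TXS = [  # (user, device, ip, country, ts): constructed sample traffic
    ("alice", "dev-A", "203.0.113.5", "CH", 0),
    ("carol", "dev-C", "203.0.113.5", "AT", 20),   # second account behind one IP
    ("dave",  "dev-X", "198.51.100.7", "CH", 30),  # dev-X is on the block list
    ("dave",  "dev-X", "198.51.100.7", "CH", 40),
    ("dave",  "dev-D", "198.51.100.8", "CH", 50),  # clean device, but now high-risk
    ("erin",  "dev-E", "192.0.2.9", "CH", 100),
    ("erin",  "dev-E", "192.0.2.9", "CH", 200),
    ("erin",  "dev-E", "192.0.2.9", "CH", 300),    # third within 600 s: velocity
    ("erin",  "dev-E", "192.0.2.9", "CH", 1000),   # older entries have expired
]
def run_demo(txs=SAMPLE_TXS):  # screen in order; one reason list per transaction
    screener = Screener(blocked_devices={"dev-X"})
    return [screener.screen(*t)[1] for t in txs]
```

Because a decline feeds back into the user's rating, a device or IP hit on one attempt turns into a high-risk block on the next, which is the layered behaviour the list describes.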
The bottom line is that Payment21®’s state-of-the-art fraud prevention solution monitors and rejects suspicious transactions before the payment ever reaches our backend application and consequently the banking network. To successfully manage risks, Payment21® acts as an intermediary for secure settlements on the one hand, and on the other hand functions as the doorkeeper for financial institutions, ensuring bank-grade security.
Mitigation and Mediation
As a basic security principle to guarantee the integrity of the Payment21® network, deposits to the Web Service are final, as are transactions through Payment21®. However, Payment21® supports dispute resolution between users in particular circumstances. Almost exclusively, transactions inside the network qualify for mediation. As a general rule, debtor banks executing transfers initiated through the Web Service are not affected by fraud issues. To lower the possibility of payment disputes, Payment21® uses a variety of tools and technologies such as validation software, verification services, authentication tokens, authorization methods and mitigation processes. This is not only to prevent fraud but also to eliminate money laundering or any other systematic abuse.