We understand that we’ll be holding a lot of sensitive information and funds belonging to both our users and partnering venues, so we’re really hot on security. We work closely with Braintree Payments (a part of Paypal) and Cashflows, who have provided us with the following information about the security that we have in place:
Braintree is a validated Level 1 PCI DSS Compliant Service Provider. We’re on Visa’s Global Compliant Provider List and MasterCard’s SDP List.
We never store raw magnetic stripe, card validation code (CAV2, CID, CVC2, CVV2), or PIN block data. Storage of this data is prohibited by the PCI DSS.
Cardholder data is stored using one of the most advanced encryption methods available. We use multiple encryption keys which are stored on different physical servers. A data thief would not be able to make use of information stolen from a database without also having the key. The data store where cardholder data is kept cannot be connected to via the internet.
We require all users to authenticate each time they use the application and inactive sessions time out after 15 minutes. Passwords are never stored directly in the database, but are salted and hashed using a slow hash function to increase security. In addition, all communication between merchants and us is conducted in a secure fashion using SSL.
We have high redundancy onsite and offsite. Onsite data is mirrored on individual servers using RAID and is also hot synced between servers. Data is also encrypted and backed up off site with an undisclosed third party.
We have geographically diverse data centers.
We maintain 99.99% uptime and guarantee 99.5%.
All activity by our users or internally by our employees is extensively logged in a tamper-proof fashion. In addition to having a Web Application Firewall, we engage in the practice of extensive internal code reviews of all the software we develop.
At least quarterly, we conduct automated vulnerability scans. In addition, at least once a year we have extended external penetration testing conducted by outside sources.
Our network has been set up in a secure fashion with minimal access to outside networks. Only VPN access is allowed to our servers from whitelisted IPs. Internally, we use segmented networks so only servers which work together can communicate with each other.
We facilitate secured patching and software updates of all our systems, including watching numerous online resources for the latest vulnerabilities.
All of our employees undergo background checks as well as training on relevant security matters that pertain to their job. We also provide guidance to merchants on how to securely interact with our services.