Skip to main content

Merchant Data Storage

Updated

We did our due diligence to ensure all Merchant Service Providers are compliant with the latest security and data storage protocols. Please review supporting documentation from each Merchant.

 

   Merchant                                                                                                  Data Storage

PAYA https://support.paya.com/44519-pci-compliance-faq/309899-is-paya-pci-compliant?from_search=142891874
WORLDPAY https://www.worldpay.com/en/privacy
CARDKNOX https://www.visa.com/splisting/viewSPDetail.do?spId=4254&coName=CardKnox%20Development%2C%20Inc&HeadCountryList=UNITED%20STATES%20OF%20AMERICA&reset=yes&pageInfo=1%3B30%3BASC%3BcoName
AUTHORIZE.NET https://www.authorize.net/about-us/dpa.html
FISERV  
SOLUPAY "As a QSA-audited Level 1 Service Provider, Versapay meets the PCI-DSS requirements for secure data processing and storage as established by the PCI Council. Versapay’s direct integrations with leading payment processors allows us to utilize their encryption and cardholder data storage vaults for many portfolios, as well as our own encryption and tokenization solutions for others."
REPAY
  • Using encryption protocols like TLS, IPSec, VPNs when transmitting data over public networks. This helps secure data in transit.
  • Limiting storage of payment card information and other sensitive data to only what is necessary for legitimate business purposes. Reducing the amount of data stored lowers security risks.
  • Regularly scanning systems to ensure secure configurations for network services like strong encryption algorithms and protocols. This helps patch any vulnerabilities.
  • Complying with applicable laws and industry security standards like PCI DSS which mandate safeguards for payment data. Following established guidelines is important.
  • Restricting access to sensitive data only to authorized personnel. Proper access controls help prevent unauthorized viewing or modification of information.
  • Retaining data for required retention periods before secure deletion. This helps ensure compliance while minimizing long-term risks from disused information.
FORTISPAY
  • Access Control & Monitoring - Data access control is governed by strict least-privilege methodology. All access to data and associated resources are log and monitored
  • Data Storage and Location - Fortis utilizes AWS for it's data storage infrastructure. All data storage locations are kept with the US.
  • Data Backups - We ensure that data is backed up across multiple locations and can be retrieved within our recovery time objective if a failure does occur.  Backups are segregated via access controls and encrypted using Advanced Encryption Standard (AES) algorithm with a key size of 256 bits.
  • Encryption-at-rest -We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and with a unique and proper encryption key rotation policy for each data store.
  • Encryption-in-transit - All of our communications at transit external or internal are done via secure and encrypted channels.  Encrypted channels use TLS 1.2 or greater.
  • Physical Security - Fortis utilizes AWS for it's data storage infrastructure. As such all physical security measures are maintained by AWS, see  https://aws.amazon.com/compliance/data-center/controls/
AFFINIPAY

https://www.affinipay.com/terms/privacy/
STRIPE https://stripe.com/guides/pci-compliance & https://stripe.com/privacy

Related articles