Security with PayFabric




At Nodus Technologies, we take security very seriously. Please review our protocol for maintaining security and reach out to us if you have any questions.

Certified for Security

PayFabric is PCI Service Provider Level 1 certified. This is the highest level of security for the payments industry, and achieving it requires best-in-class security practices. To view all of PayFabric’s validations, please visit: https://www.payfabric.com/us/pci.html

Secure Connections Using HTTPS and TLS

PayFabric uses the latest TLS (Transport Layer Security) protocol on all of its communications over the cloud and regularly audits its security methods.

Data Encryption

The PCI Council and the IT industry have revamped the process of encryption key management because the encryption algorithms, such as AES and Triple DES, are public and readily available to any attacker. The encryption key is the last defense.


PayFabric undertook the challenge and implemented its own state-of-the-art storage algorithm in addition to following the PCI guidelines’ use of public encryption methods. This further enhances current compliance standards with added security so that even breaking the cryptographic protections would not allow the data to be reconstructed.

Disclosure of Vulnerability

If you believe that you have discovered a bug or break in the security of PayFabric, please contact us immediately at security@payfabric.com. We take all security issues very seriously and will respond to you as soon as possible. We request that you do not publicly disclose any issues with PayFabric until we have properly addressed them.

Integration Security Guidelines




To maintain PCI compliance for the communications between your customers and your server, follow the recommended best practices below.

Security with PayFabric

The Payment Card Industry Data Security Standards, or PCI DSS, are the requirements and regulations that every merchant who is processing, storing, or transmitting credit card data must follow. PayFabric makes it easy for merchants to set up a fully PCI-Compliant integration by following the steps below:

Using PayFabric hosted checkout pages and securing your payment pages over TLS will help you reduce the complexity of maintaining PCI Compliance. If you are storing and/or transmitting credit card data through your own servers, you will be responsible for implementing additional PCI DSS guidelines.

What is TLS?

HTTP is the communication protocol that transmits data between two endpoints, such as between your clients/server and PayFabric. When HTTP communication is secured by an encryption protocol, it is known as HTTPS. In the past, HTTP communication was secured and encrypted through the SSL (Secure Sockets Layer) protocol. As attention to security increased, vulnerabilities were found within the SSL encryption protocol, and it has now been replaced with TLS (Transport Layer Security).


From the customer’s perspective, internet users feel more secure when they can see HTTPS in the link. In addition, HTTPS verifies that the server belongs to the owner of the domain, so that there is no “man-in-the-middle” trying to steal information.

How can I start using TLS?

To start using TLS, make sure that TLS is enabled on the systems running the application that connects to PayFabric.


If you are integrating with PayFabric from your website, first obtain a digital certificate that has been issued by a Certification Authority. These certificates vary in cost and usually include an installation guide from the provider to assist you with setting up HTTPS with TLS. You should also make sure that any additional resources that you use (JavaScript, images, CSS, etc.) are served over HTTPS. This will help you avoid any content warnings that may appear to your customers.

Non-Sensitive Data

Information like card type, the last four digits of the credit card and its expiration date is considered non-sensitive and is therefore not subject to PCI compliance. This information can be stored inside your database without affecting your compliance with PCI.

Content Security Policy

Utilizing JavaScript from other sites may increase your security risk because you are now dependent on that website’s security. If that website is ever compromised, an attacker may be able to deploy arbitrary code onto your webpages. Stay aware of this risk and minimize the use of third-party JavaScript, especially on sensitive pages.
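The following check covers both the advice under "How can I start using TLS?" (serve every resource over HTTPS) and the third-party JavaScript risk described above; it is an added example, not PayFabric code. It lists the resources a page loads over plain HTTP, lists the external hosts its scripts come from, and builds a matching script-src directive for the standard Content-Security-Policy response header; the function names, sample page and hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.insecure = []         # URLs fetched over plain HTTP
        self.script_hosts = set()  # script hosts other than the page's own

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # of <link> tags, only stylesheets are audited here
        # urljoin resolves relative paths and scheme-relative //host URLs.
        url = urlsplit(urljoin(self.page_url, value))
        if url.scheme == "http":
            self.insecure.append(url.geturl())
        if tag == "script" and url.hostname and url.hostname != self.page_host:
            self.script_hosts.add(url.hostname)


def audit_page(html, page_url):
    parser = ResourceAudit(page_url)
    parser.feed(html)
    hosts = sorted(parser.script_hosts)
    # Allow-list only the script hosts the page actually uses.
    csp = "script-src 'self'" + "".join(f" https://{h}" for h in hosts)
    return {"insecure": parser.insecure, "third_party_scripts": hosts, "csp": csp}


# Constructed sample checkout page; all hosts are hypothetical.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://shop.example/site.css">
<script src="/js/cart.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
<script src="//stats.example.org/t.js"></script>
</head><body><img src="http://img.example.com/logo.png"></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, "https://shop.example/checkout"))
```

Every entry under "insecure" would trigger a mixed-content warning on an HTTPS page, and every host under "third_party_scripts" is a site whose security your payment page depends on.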


If you have any questions or concerns, please reach out to us at support@payfabric.com. For additional information, please visit the following websites:


National Institute of Standards and Technology: http://csrc.nist.gov/

OWASP: https://www.owasp.org/index.php/Main_Page

SANS: https://www.sans.org/reading-room/