Payrix Security White Paper
This document summarises Payrix’s technical and organisational approach to security and compliance.
Access Management - Payrix Controls and Security
Payrix has a team responsible for overseeing operational security, network security, host and server security, applications and system development, patch and vulnerability management, authentication and remote passwords, encryption and monitoring systems.
Personnel Security
All offers of employment at Payrix are contingent upon a successful background check in accordance with applicable laws. This includes and is not limited to Police and Reference checks. Payrix will not continue the employment relationship if the background check results do not meet the standards established by Payrix. Employees and contractors are made aware of their responsibilities, including operational and security policies, as well as the repercussions for failing to adhere to the outlined responsibilities and policies.
Upon Hiring
Upon hiring, all employees and contractors undergo an onboarding process. This includes and is not limited to:
Complete the employment onboarding through security awareness training and security policy acknowledgement. This training assists new hires in understanding their security responsibilities as a Payrix employee or contractor.
Training on Payment Card Industry Data Security Standards
more info on PCI DSS found here - https://www.pcisecuritystandards.org/
Acknowledge and signing of the Payrix Confidentially Agreement as part of the employee onboarding process.
While Working for Payrix
Payrix manages internal security levels which include the use of the 'Least Privilege Access' principal and only allowing authorised staff access to the Database and/or Card Data environment. This access controlled environment uses a combination of tokens, passwords and Pins. Payrix Portal has auto lock out, strong password policies, Two-Factor Authentication (2FA) and required password resets. All access externally is locked down via VPN, Password manager, Domain level access and secure password access.
Two-Factor Authentication (2FA) is mandatory for Payrix staff on the Portal, CRM, VPN's and mandatory for Partners and Merchants to access the Portal.
Data and Network Security
Access to Payrix facilities are restricted using security controls such as key / tag access. Key or tag access are only distributed in accordance with organisational requirements. The access control system utilises individual badge identification with doors protected by an electronic badge reader.
Payrix implements the use of policies, procedures and technical controls to restrict installation of unauthorised software on organisation owned or managed endpoints. Installation of personal software is not allowed.
Access to Payrix’s operating systems are limited to those individuals required to support the system. Servers and workstations are enabled with auto-locking (password-protected) that activate after a period of inactivity.
Payrix managed endpoints are fitted with up-to-date Anti-virus and Anti-malware software, along with the use of Firewalls.
Payrix scans incoming emails and attachments prior to allowing them into the Payrix environment. The use of industry leading software allows Payrix to control what files are allowed or blocked as attachments to protect against malicious executable files being delivered and/or opened.
Provide separate production and sandbox environments, for development and testing purposes.
Business Continuity and Disaster Recovery
Payrix implement the use of Business Continuity and Disaster Recovery plans should an unfortunate event happen to occur to ensure the preservation of Confidentiality, Integrity and Availability of Payrix systems. Payrix data is surrounded by an enterprise-grade, load-balancing, DDoS (Distributed Denial of Service) protection and encryption, all our payment information is secured, encrypted, and stored on isolated servers to ensure data is always protected and accessible with the use of 3 data centres.
Primary data centre
Our web applications, payment processing functions and databases run from here during normal operation with an independent hosting provider. This ensures all of our payment data is stored securely, with the ability to transmit any required information in real time.
Secondary data centre
A mirror image of the primary data centre with 'hot' standby servers is ready to take over whenever required, along with a secondary running instance of our core databases that are replicated from our primary data centre in real-time with a separate hosting provider.
Disaster recovery data centre
Virtual machine (VM) replication is used to continuously stream a replica of all Payrix's servers to this third data centre in a remote location. Our operation quickly switches to this data centre if the primary and secondary data centres are impacted by a disaster.
Within our Primary Data Centre, we acquire additional security to their highest level, including:
Security Intelligence - Security Information and Event Management (SIEM)
Vulnerability Assessment - Vulnerability monitoring, reporting and remediation.
Behavioural Analysis - Card Data Environment monitoring, traffic analysis and log management.
PCI-DSS Self-Assessment and Monitoring - SAQ portal and ASV scanning.
Threat Detection / Intrusion Detection - Compromise management using Network Intrusion Detection System, Host Intrusion Detection System and File Integrity Monitoring.
Anti-Virus - Anti-Malware, Ransomware and Virus protection.
Compliance
Payrix has proudly held level 1 PCI-DSS (Payment Card Industry Data Security Standard) compliance as well as an AFSL (Australian Financial Services License) since commencing activities in 2010 to give you peace of mind that your data is safe. In order to be Level 1 PCI-DSS Compliant, certification has to conducted by an authorised PCI auditor; we must undergo an internal audit once a year. In addition, once a quarter we must submit to a PCI scan by an Approved Scanning Vendor (ASV).
View our compliance certificate here: Payrix PCI Certification