PayJunction Security Overview
PayJunction's commitment to security is of the highest level. We use the highest level of encryption and the latest security tools to ensure that our merchants and customers feel secure. We would like to highlight some of the key features of our security.
To verify that PayJunction is Level 1 PCI Compliant, please visit Visa's Global Registry of Service Providers, then search for "PayJunction".
What level of encryption does PayJunction use?
All of PayJunction's processing prefers TLS 1.2 with 256-bit encryption and negotiates it whenever the client connection supports it. If the client cannot, PayJunction allows TLS 1.1, and finally the minimum grade of TLS 1.0 with 128-bit encryption as a last resort. Any attempted connection using a lower security standard is explicitly blocked by PayJunction.
For new customers connecting for the first time, PayJunction requires TLS version 1.2, in line with the update to the Payment Card Industry Data Security Standard (PCI-DSS) requirement scheduled for June 2018. We hope this encourages developers integrating our secure gateway service to be as secure as possible on their end, protecting our mutual merchants' and their customers' sensitive data.
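As an added illustration (not PayJunction's own code), the following Python models the negotiation policy described above and builds the kind of client configuration a new integration needs: TLS 1.2 or newer with certificate verification on, plus an audit of offered cipher suites against the stated 128-bit minimum. The version labels and the sample cipher list are this example's own constructed conventions.

```python
import ssl

# Server-side preference order as the overview describes it:
# TLS 1.2 first, then TLS 1.1, then TLS 1.0 as a last resort.
LEGACY_PREFERENCE = ("TLSv1.2", "TLSv1.1", "TLSv1.0")

def negotiate_version(client_offers, legacy_fallback=True):
    """Pick the protocol version the described gateway policy would accept.

    client_offers: set of version labels the client supports (labels are
    this example's own convention, e.g. "TLSv1.2", "SSLv3").
    legacy_fallback=False models the rule for new integrations, which
    must speak TLS 1.2. Returns None when the connection would be refused.
    """
    allowed = LEGACY_PREFERENCE if legacy_fallback else LEGACY_PREFERENCE[:1]
    for version in allowed:          # highest-preference version first
        if version in client_offers:
            return version
    return None                      # SSLv3 and below are never negotiated

def weak_ciphers(ciphers, min_bits=128):
    """Return names of cipher suites below the stated 128-bit minimum.

    `ciphers` has the shape of SSLContext.get_ciphers(): a list of dicts
    with at least 'name' and 'strength_bits' keys.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]

def make_gateway_client_context():
    """Client context a new integration should use: TLS 1.2 or newer,
    with certificate and hostname verification left enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample in the shape of SSLContext.get_ciphers(); the 3DES
# entry is there to show what the audit flags.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
]

if __name__ == "__main__":
    print(negotiate_version({"TLSv1.2", "TLSv1.0"}))               # TLSv1.2
    print(negotiate_version({"TLSv1.0"}, legacy_fallback=False))   # None
    print(weak_ciphers(SAMPLE_CIPHERS))                             # ['DES-CBC3-SHA']
    ctx = make_gateway_client_context()
    print(ctx.minimum_version.name, weak_ciphers(ctx.get_ciphers()))
```

The last line audits the ciphers your local OpenSSL build actually offers, which is the check worth running before going live.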
What is TLS? Is this different from SSL?
To protect your data from unauthorized third parties, client software such as your web browser encrypts the data before sending it. This works by the client (your web browser) and the server (the PayJunction gateway) agreeing to encrypt the connection for as long as they communicate. The modern, secure protocol for this is Transport Layer Security (TLS), the successor to and replacement for the older Secure Sockets Layer (SSL) protocol, which is no longer considered secure. Because SSL was the standard for many years, and for the sake of simplicity, "SSL" is often used to refer to connection encryption regardless of whether the TLS or SSL protocol is actually in use. In other words, SSL is the old word for TLS.
What is PCI and the PCI-DSS?
Prior to 2004, each of the major card associations (Visa, MasterCard, Discover, American Express, and JCB) had its own security standards for protecting cardholder information and preventing fraud. The Payment Card Industry Security Standards Council, a global open organization, was then formed to create one security standard for all merchants and service providers transmitting cardholder data. This is known as the PCI-DSS (Payment Card Industry Data Security Standard). On December 15, 2004, version 1.0 of the PCI-DSS was released by the Council. As technology and threats evolve, new revisions of the PCI-DSS are released by the Council.
There are 12 top level requirements under the PCI-DSS every business must comply with:
Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks (e.g. internet/World Wide Web)
Maintain a vulnerability management program
- Use and regularly update anti-virus software on all systems commonly affected by malware (e.g. PCs and servers)
- Develop and maintain secure systems and applications
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy
- Maintain a policy that addresses information security
Depending on the revision and compliance level of an entity, each of the above top-level requirements has its own sub-requirements. PayJunction is proud to be Level 1 PCI Compliant, the highest compliance level for a Service Provider under the PCI-DSS. Every year PayJunction is independently audited by third-party assessors to validate this compliance level.
For more information on PCI, the PCI-DSS and the PCI Security Standards Council please visit the official PCI website: https://www.pcisecuritystandards.org