Security
Data security is extremely important to us. Our team is very security-oriented and has a strong track record of discovering and reporting vulnerabilities.
PCI DSS Compliance
ProcessOut is certified as a PCI DSS Level 1 Service Provider, the highest level of PCI compliance. To keep this certification, ProcessOut is audited yearly in its offices by an independent entity.
All cardholder data we store is managed by a dedicated, completely separate infrastructure. We do not share credentials or encryption keys between environments. Our applications never manipulate credit card numbers directly; they can only request that data be exported to external providers on a whitelist. We regularly review the payment providers on this whitelist to monitor their PCI compliance status and their security history.
We frequently undergo internal and independent penetration testing. For PCI DSS compliance, we also run internal and external network scans at least quarterly. This does not affect our reliability and is completely transparent to our customers.
Data Encryption
All customer data transmitted to ProcessOut is protected with TLS v1.2 using strong ciphers (more details here). We symmetrically encrypt data using AES-256 (GCM only) and Salsa20. For asymmetric cryptography we use RSA-OAEP (2048- and 4096-byte keys) and elliptic curve cryptography (keys on the curves P-256, P-384 and Curve25519). For one-time authentication, we use HMAC (HMAC-SHA-256 and HMAC-SHA-512/256) and Poly1305. ProcessOut only uses proven, robust implementations of these cryptographic algorithms, such as BoringSSL and NaCl.
Encryption keys are protected using key-encrypting keys, which are in turn managed by hardware modules with strong access control and auditing procedures. Someone who stole a database would not be able to use its contents without also having the key. We never store encryption keys on disk, and the machines that process decrypted cardholder data cannot be reached from the Internet.
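The key-encrypting-key arrangement described above, as an added example that is not ProcessOut's own code: each record gets its own data key (DEK) that seals the data with AES-256-GCM, a key-encrypting key (KEK) wraps that DEK, and only the wrapped DEK and the sealed data are stored, so a copy of the row is useless without the KEK. The names (Record, seal, open, EncryptRecord, DecryptRecord), the in-memory KEK standing in for a key held in a hardware module, and the binding of the record id as associated data are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
type Record struct{ WrappedDEK, Sealed []byte } // what the database row holds; never the KEK itself
func random(n int) []byte { // n bytes from crypto/rand; with no entropy source, refuse to run
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcm builds AES-256-GCM; a key that is not 32 bytes is a programming error, hence the panic.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		panic("AES-256-GCM requires a 32-byte key")
	}
	g, _ := cipher.NewGCM(block) // cannot fail: the AES block size is 16 bytes
	return g
}
func seal(key, plaintext, aad []byte) []byte { // fresh random nonce, prefixed to the output
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; the GCM tag check rejects a wrong key and any altered byte of blob or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
// EncryptRecord: fresh DEK per record, data sealed under the DEK, DEK wrapped under the KEK (assumed
// here to be an in-memory stand-in); the record id is bound as associated data so a blob cannot move rows.
func EncryptRecord(kek, data []byte, id string) Record {
	dek := random(32)
	return Record{WrappedDEK: seal(kek, dek, []byte(id)), Sealed: seal(dek, data, []byte(id))}
}
// DecryptRecord unwraps the DEK with the KEK, then opens the data; without the KEK neither works.
func DecryptRecord(kek []byte, r Record, id string) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Sealed, []byte(id))
}
```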
Please feel free to email us at security@processout.com for more details; we love talking security!
Security in Our Culture
ProcessOut nurtures a strong engineering culture oriented towards security, and we share it with non-technical employees as much as possible. ProcessOut has contributed code to some major security-related open-source projects.
Through our operations we occasionally identify security vulnerabilities in other products. Our policy is always to coordinate disclosure of these vulnerabilities with the vendors concerned. As a result, our engineers have collaborated with companies such as Apple, Microsoft, Stripe, Checkout.com and Etsy to research and mitigate security issues, some directly related to payments.
Security Researcher Acknowledgments
We sincerely appreciate the efforts of security researchers in making ProcessOut safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company that has privately disclosed one or more security vulnerabilities and worked with us to remediate the issue.
Roberto Urbanus
Please email us at security@processout.com to report security issues. We take security-related reports very seriously and will get back to you within 24 hours. We ask that you do not disclose vulnerabilities publicly until we have addressed them.
Use the following PGP key for critical exchanges with our security team:
If you are not familiar with PGP, you can use GPG to protect your communications.