Security
We use eKashu to process your financial data. eKashu is a payment gateway operated by CreditCall Communications Ltd. It is certified as a Level 1 compliant provider under the Payment Card Industry Data Security Standard (PCI DSS), which is the highest level of compliance.
CreditCall is independently audited annually by a Visa Qualified Security Assessor (QSA) and is subject to rigorous security vulnerability scanning every three months.
Please see http://www.ekashu.com/pdf/PCI_Certificate_CreditCall.pdf for their PCI DSS certificate of approval.
You can confirm CreditCall's approval status on the Visa Europe website at: http://www.visaeurope.com/documents/ais/service_providers.pdf?d=020307
What is PCI DSS?
The current PCI DSS is the harmonisation of standards originally written by Visa and MasterCard International in order to establish a standard set of requirements throughout the payment card industry. The standard is applicable to all merchants and payment gateways that store, process or transmit cardholder data. Its twelve requirements are:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for passwords or other security parameters
- Protect stored data
- Encrypt the transmission of cardholder data and sensitive information
- Use and regularly update anti-virus software
- Develop and maintain more secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
These twelve requirements are grouped under six goals:
- To build and maintain a secure network
- To protect cardholder data
- To maintain a vulnerability management program
- To implement strong access control measures
- To regularly monitor and test networks
- To maintain an Information Security Policy
Your personal data, such as your name, address and phone number, is not protected in the same way as your financial data. This is the same kind of data that is widely and publicly available in such mediums as the phone book; it is not felt that it warrants the same level of security as your financial data. Your personal data is protected by the password that you generate when you create your account. You are free to change your password or to delete your personal data at any time.
Your website resides on a secure server cluster. A short summary of the security precautions in place to secure these servers is as follows:
- Server cluster protected by a dedicated hardware firewall
- Server cluster is divided into tiered layers of network security for a 'defense in depth' strategy
- Server cluster passed vulnerability scans conducted by Ambiron TrustWave's TrustKeeper compliance solution
- Sensitive server software protected by file integrity monitoring
- Administrative access to server cluster strictly controlled
- Server cluster physically located in a data center that has passed the prestigious SAS 70 audit
- Server security logs are monitored daily by a human being to look for any signs of attack.
For technical details on the methods used to secure your data, you can reference the Payment Card Industry Data Security Standard here: www.pcisecuritystandards.org/pdfs/pci
