Security at ProcessOut

Data security is extremely important to us. Our team is very security-oriented, and has a great track record at discovering and reporting vulnerabilities.

PCI DSS v3.2 Compliance

ProcessOut is certified for PCI DSS Level 1 Service Provider, which is the highest possible level of PCI compliance. To be certified, ProcessOut is audited yearly in its offices by an independent entity.

All cardholder data we store is managed by a dedicated, completely separate infrastructure. We do not share credentials or encryption keys between environments. Our applications never manipulate credit card numbers directly; they can only request that data be exported to external providers on a whitelist. We regularly review the payment providers on this whitelist to monitor their PCI compliance status and their security history.

We frequently undergo internal and independent penetration testing. For PCI DSS compliance, we also run internal and external network scans at least on a quarterly basis. This does not affect our reliability and is completely transparent to our customers.

Data Encryption

All customer data transmitted to ProcessOut is protected with TLS v1.2 with strong ciphers (more details here). We symmetrically encrypt data using AES-256 (GCM only) and Salsa20. We use RSA-OAEP (2048 and 4096-byte long keys) and elliptic curve cryptography (keys based on curves P-256, P-384, Curve25519) for asymmetric cryptography. For one-time authentication, we use the HMAC (HMAC_SHA-256/HMAC_SHA-512-256) and Poly1305 algorithms. ProcessOut only uses proven, robust implementations of these cryptographic algorithms such as BoringSSL and NaCl.

Encryption keys are protected using key-encrypting keys, which are in turn managed by hardware modules, with strong access control and auditing procedures. A data thief would not be able to use information from a database without having the key. We never store encryption keys on-disk, and machines that process the decrypted cardholder data cannot be reached via the Internet.

Please feel free to email us at [email protected] for more details; we love talking security!

Security in Our Culture

ProcessOut nurtures a strong engineering culture, oriented towards security. We share this with non-technical employees as much as possible. ProcessOut has contributed code to some major security-related projects of the open-source ecosystem.

Through our operations we occasionally identify security vulnerabilities in other products. Our policy is to always coordinate disclosure of these vulnerabilities with the affected vendors. As a result, our engineers have collaborated with companies such as Apple, Microsoft, Stripe, Checkout.com and Etsy to research and mitigate security issues, some directly related to payments.

Security Researcher Acknowledgments

We sincerely appreciate the efforts of security researchers in making ProcessOut safer by finding and reporting security vulnerabilities. Each name listed represents an individual or a company that has privately disclosed one or more security vulnerabilities and worked with us to remediate the issue.

PGP Key

Please email us at [email protected] to report security issues. We take security-related reports very seriously. We will get back to you within 24 hours. We ask that you do not disclose vulnerabilities publicly until we have addressed them.

Use the following PGP key for critical exchanges with our security team:


If you are not familiar with PGP, you can use GPG to protect your communications.