Security

Physical and Network Security

Paychoice’s network and servers are housed in a secure facility monitored around the clock by dedicated security staff.

  • Card processing systems adhere to PCI Data Security Standard (PCI-DSS) Level 1.
  • Paychoice requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
  • Paychoice uses standard, well-reviewed cryptographic protocols and message formats (such as SSL/TLS) when transferring data.
  • Paychoice requires that symmetric cryptographic keys are at least 128 bits long and that asymmetric keys are at least 2048 bits long.
  • Paychoice’s website and API are served over SSL/TLS using cipher suites of at least 128-bit strength.
  • Paychoice regularly installs security updates and patches on its servers and equipment.
  • Security settings of applications and devices are tuned to ensure appropriate levels of protection.
  • Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
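The key-length and SSL/TLS statements above are policy, not configuration. The following is an added example, not Paychoice's code, showing how such a policy can be enforced and audited on a server with Python's standard `ssl` module: a context restricted to TLS 1.2+ and forward-secret AEAD suites, plus an audit that flags any suite below the 128-bit floor. The `BANNED_TOKENS` list and the `certfile`/`keyfile` parameters are assumptions for illustration, and the sample cipher list is constructed to show why a raw bit-length floor is not sufficient on its own (RC4-SHA is nominally 128-bit but broken).

```python
import ssl

# Policy floor taken from the page: symmetric keys >= 128 bits. The page's
# 2048-bit floor for asymmetric keys concerns the certificate key pair and is
# not visible through get_ciphers(), so it is outside this check.
MIN_SYMMETRIC_BITS = 128

# Hypothetical policy list: algorithms that can satisfy a bit-length floor yet
# are broken or deprecated, matched as substrings of OpenSSL suite names.
BANNED_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP")


def policy_violations(ciphers, min_bits=MIN_SYMMETRIC_BITS):
    """Return (suite name, reason) for every suite that fails the policy.

    `ciphers` is a list of dicts in the shape returned by
    ssl.SSLContext.get_ciphers(); only 'name' and 'strength_bits' are read.
    """
    violations = []
    for suite in ciphers:
        name, bits = suite["name"], suite["strength_bits"]
        if bits < min_bits:
            violations.append((name, "%d-bit strength is below the %d-bit floor" % (bits, min_bits)))
        elif any(token in name for token in BANNED_TOKENS):
            violations.append((name, "obsolete algorithm despite adequate key length"))
    return violations


def hardened_server_context(certfile=None, keyfile=None):
    """Server context matching the stated policy: TLS 1.2+ and forward-secret AEAD suites only.

    certfile/keyfile are hypothetical paths; left as None the context is built
    without a key pair so its cipher list can be audited offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx, min_bits=MIN_SYMMETRIC_BITS):
    """Audit a live SSLContext against the policy; an empty list means it passes."""
    return policy_violations(ctx.get_ciphers(), min_bits)


# Constructed sample in the shape of get_ciphers() output. Suites like the last
# three only appear when a permissive cipher string is used on an OpenSSL build
# that still compiles them; the strength values are the ones OpenSSL reports.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "RC4-SHA", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]

if __name__ == "__main__":
    for name, reason in policy_violations(SAMPLE_CIPHERS):
        print("REJECT %-32s %s" % (name, reason))
    print("hardened context violations:", audit_context(hardened_server_context()))
```

Running the script rejects DES-CBC3-SHA and EXP-RC4-MD5 on key strength and RC4-SHA on algorithm, while the hardened context produces no violations. The same `policy_violations` function can be pointed at the output of `openssl ciphers -v` on another host once parsed into the same dict shape.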

Web and Client Application Security

Paychoice software is developed using industry-standard security best practices.

  • Paychoice prohibits the storage of card numbers, magnetic stripe data and security codes on client devices.
  • Applications developed in-house are subject to strict quality testing and security review.
  • Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.

Organizational Security

Paychoice mandates that employees act in accordance with security policies designed to keep merchant data safe.

  • Paychoice controls access to sensitive data, application data and cryptographic keys.
  • Two-factor authentication and strong password controls are required for administrative access to systems.
  • Security systems and processes are tested on a regular basis by qualified internal and external teams.
  • Access to secure services and data is strictly logged, and audit logs are reviewed regularly.
  • Security policies and procedures are carefully documented and reviewed on a regular basis.
  • Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.

Research and Disclosure

Paychoice recognizes the important contributions that our customers and the security research community can make. We encourage responsible reporting of problems with our service. We also recognize that legitimate and well-intentioned researchers are sometimes blamed for the problems they disclose.

In order to encourage responsible reporting practices, we promise not to bring legal action against researchers who point out a problem, provided they:

  • Share the full details of any problem found with us.
  • Conduct research primarily on https://sandbox.paychoice.com.au.
  • Demonstrate the problem on https://sandbox.paychoice.com.au or https://secure.paychoice.com.au; problems that cannot be demonstrated on either will not qualify you for our list of Whitehat Security Researchers.
  • Do not disclose the issue to others until we have had reasonable time to address it.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Do not spam us with form submissions that degrade our customer service experience.
  • Never attempt to view, modify or damage data belonging to others.
  • Make a good-faith effort to avoid data destruction, theft, privacy violations and interruption or degradation of our service.
  • Do not seek compensation or reward for the report.
  • If you believe you have discovered a problem, please contact us at security@paychoice.com.au.

If you believe you have discovered a security problem in any area of our security measures, we ask that you share the information with us first. When you report an issue to security@paychoice.com.au, you can expect the following:

  1. We’ll acknowledge your submission and provide ongoing updates as we investigate.
  2. We may ask for more information or details about the behavior you expect or how you produced your results.
  3. Once an issue has been addressed, we’ll notify you with the appropriate next steps.
  4. Qualifying disclosures will make you eligible for our thanks list of Whitehat Security Researchers.

Thanks

We respect the time and talent that drives new discoveries in web security technology. The following researchers and companies have gone out of their way to work with us to find, fix, and disclose security flaws safely:

Quarter    Name                         Link
Q4 2013    Kamil Sevi (@kamilsevi)      @kamilsevi
Q4 2013    Shashank (@cyberboyIndia)    pwnsecurity