Views:

Infrastructure Security

PaymentEvolution maintains a high availability infrastructure for client services, operations and data analytics.  

Our services, operations and processes are architected with security in mind first. We are committed to leading the industry in maintaining the safety, security and privacy of the services we provide our clientele regardless of certification level. It is this passion that ensures the day-to-day adherence to industry protocols.

In addition to our own internal operations, our data centre maintains ISO 27001:2013 certification.

Network Security

Our data centre facilities provide several security capabilities and services to increase privacy and control network access. PaymentEvolution uses: 

  • Built-in firewalls that allow control over network access
  • Encryption in transit (and rest) with TLS across all services
  • DDoS mitigation technologies
  • Anti-malware monitoring and threat detection

Physical Security

PaymentEvolution’s data centers are located in Canada and we maintain strict residency of data within Canada. PaymentEvolution leverages all the capabilities of our providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our datacenter facilities includes but is not limited to: 

  • 24/7 Physical security guard services
  • Physical entry restrictions to the property and the facility
  • Data center utility areas are accessible only by programmed RFID key fobs and biometric access. Main access doors also use biometric security. Any glass areas use bullet-proof glass.
  • Video surveillance systems track movement through the data center facilities and is centrally monitored by an independent security firm
  • Facilities are unmarked as to not draw attention from the outside
  • Power infrastructure is conditioned and backed by multiple levels of redundancy - UPS systems and standby generators with minimum of 72 hours of diesel generation capacity.


Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored and are subject to stringent change control mechanisms. 

Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored. 

Additionally, decommissioned storage and infrastructure are securely erased using NIST SP 800-88 standards (or higher standards as ratified) where applicable. 

Access Monitoring

PaymentEvolution performs continuous monitoring of our production environments. Our logging includes system actions as well as access and commands issued by our system administrators, support personal and clients. 

Logs are reviewed in real-time to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures. 

Audit Logging

All database transactions are logged using a user identification number, IP address, timestamp, and information about the action performed. 

Employee Access

PaymentEvolution employees must pass police and other background checks. All employee access is logged and secured using 2048-bit SSH-2 RSA keys and are regarded as an industry standard. PaymentEvolution implements internal processes for issuing and recalling keys from authorized employees. 

Data Transmission and Storage

All data is encrypted in transit with TLS, using a 2048-bit key, signed using the SHA256 RSA industry standard algorithm. PaymentEvolution regularly assesses this encryption standard and implements improvements as new standards are ratified. Data at rest (residing in our data centers) is encrypted using the industry standard AES-256 algorithm. 

Snapshot and Backup Security

PaymentEvolution retrieves, encrypts, and stores continuous backups of our production data storage systems. These backups reside within our data centers for security and compliance purposes. Data backups maintain residency in Canada.

Attestations and Certifications

Our data centers meet and exceed the strictest of certification and compliance laws. These include: 

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC2
  • SOC3
  • PCI DSS Level 1
  • ISO 27001:2013 

Application Development

PaymentEvolution developers build systems run a battery of tests against all change requests spanning multiple environments to ensure consistency and backwards compatibility. 

Release management and deployment is driven through an AWS Pipeline architecture, ensuring the ability to back out of changes at any point. Token based authentication provides PaymentEvolution administrators total control over access and access expiry. 

Service Level Agreements

PaymentEvolution has service level agreements in-place with our infrastructure and monitoring vendors. PaymentEvolution maintains better than 99.9% uptime of core infrastructure and client facing services. Realtime uptime and historical reports are maintained by third-parties and posted publicly at http://status.paymentevolution.com   

Financial Transactions

PaymentEvolution uses Stripe and First Data as our credit card storage and processing vendors. Both have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. 

PaymentEvolution payments are processed with leading Canadian banks and Credit Unions - all of who meet our highest standards for security, audit and reporting.

System and Organization Controls (SOC) 3

System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service. PaymentEvolution maintains SOC 2 audits and publishes SOC 3 summary reports.

PaymentEvolution commissions a full SOC 2 Type 2 examination of our services annually. The auditor's reports on these examinations (also known as audits) are issued as soon as they're ready after that audit. The SOC 3 report, which is based on the SOC 2 examination, is issued at the same time.

Because PaymentEvolution doesn't control the investigative scope of the examination nor the timeframe of the auditor's completion, there's no set timeframe when these reports are issued. The reports are usually issued a few months after the end of the period under examination. PaymentEvolution doesn't allow any gaps in the consecutive periods of examination from one examination to the next.

Clients may request a SOC 3 report by contacting us.