Updated March 30, 2020
PaymentEvolution maintains a high availability infrastructure for client services, operations and data analytics.
Our services, operations and processes are architected with security in mind first. We are committed to leading the industry in maintaining the safety, security and privacy of the services we provide our clientele regardless of certification level. It is this passion that ensures the day-to-day adherence to industry protocols.
In addition to our own internal operations, our data centre maintains ISO 27001:2013 certification.
Our data centre facilities provide several security capabilities and services to increase privacy and control network access. PaymentEvolution uses:
- Built-in firewalls that allow control over network access
- Encryption in transit (and rest) with TLS across all services
- DDoS mitigation technologies
- Anti-malware monitoring and threat detection
PaymentEvolution’s data centers are located in Canada and we maintain strict residency of data within Canada. PaymentEvolution leverages all the capabilities of our providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our data centre facilities includes but is not limited to:
- 24/7 Physical security guard services
- Physical entry restrictions to the property and the facility
- Data center utility areas are accessible only by programmed RFID key fobs and bio-metric access. Main access doors also use bio-metric security. Any glass areas use bullet-proof glass.
- Video surveillance systems track movement through the data center facilities and is centrally monitored by an independent security firm
- Facilities are unmarked as to not draw attention from the outside
- Power infrastructure is conditioned and backed by multiple levels of redundancy - UPS systems and standby generators with minimum of 72 hours of diesel generation capacity.
Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored and are subject to stringent change control mechanisms.
Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.
Additionally, decommissioned storage and infrastructure are securely erased using NIST SP 800-88 standards (or higher standards as ratified) where applicable.
PaymentEvolution performs continuous monitoring of our production environments. Our logging includes system actions as well as access and commands issued by our system administrators, support personal and clients.
Logs are reviewed in real-time to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.
All database transactions are logged using a user identification number, IP address, timestamp, and information about the action performed.
PaymentEvolution employees must pass police and other background checks. All employee access is logged and secured using 2048-bit SSH-2 RSA keys and are regarded as an industry standard. PaymentEvolution implements internal processes for issuing and recalling keys from authorized employees.
Data Transmission and Storage
All data is encrypted in transit with TLS, using a 2048-bit key, signed using the SHA256 RSA industry standard algorithm. PaymentEvolution regularly assesses this encryption standard and implements improvements as new standards are ratified. Data at rest (residing in our data centers) is encrypted using the industry standard AES-256 algorithm.
Snapshot and Backup Security
PaymentEvolution retrieves, encrypts, and stores continuous backups of our production data storage systems. These backups reside within our data centers for security and compliance purposes. Data backups maintain residency in Canada.
PaymentEvolution retrieves, encrypts, and stores data in Canadian-domiciled data centers. Certain services share data with secure data centers outside of Canada as outlined below:
- Help desk - uses Amazon Web Services global distribution and data centers. Support requests and any content you share with our help desk may be stored in data centers outside of Canada.
- Social Media - data you share may be stored and analyzed with data centers outside of Canada
- Chat - Uses Microsoft Azure Cognitive Services and may be stored in data centers outside of Canada
Attestations and Certifications
Our data centers meet and exceed the strictest of certification and compliance laws. These include:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- PCI DSS Level 1
- ISO 27001:2013
A SOC 3 statement from our auditors is available on request.
PaymentEvolution developers build systems run a battery of tests against all change requests spanning multiple environments to ensure consistency and backwards compatibility.
Release management and deployment is driven through an Azure architecture domiciled in Canada, ensuring the ability to back out of changes at any point. Token based authentication provides PaymentEvolution administrators total control over access and access expiry.
Service Level Agreements
PaymentEvolution has service level agreements in-place with our infrastructure and monitoring vendors. PaymentEvolution maintains better than 99.9% up time of core infrastructure and client facing services. Real-time up time and historical reports are maintained by third-parties and posted publicly at http://status.paymentevolution.com
PaymentEvolution uses Stripe and First Data as our credit card storage and processing vendors. Both have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
PaymentEvolution payments are processed with leading Canadian banks and Credit Unions - all of who meet our highest standards for security, audit and reporting.