AUDITED PCI DSS LEVEL 1 COMPLIANCE
Creditcall is a validated PCI DSS Level 1 Service Provider. This is the industry’s highest level of certification. Reviewed annually, an intensive onsite audit ensures the highest compliance levels are maintained and adhered to. As such, we are on Visa’s Global Compliant Provider List and MasterCard’s SDP List.
Prohibited Data Storage
To comply with the strictest security measures, Creditcall does not store raw magnetic stripe (Track 2), card validation codes or PIN block data. Storage of this data is strictly prohibited by PCI DSS.
Cardholder data is secured by using a combination of symmetric and asymmetric cryptographic algorithms that utilize larger than required key lengths. The cryptographic process is further secured by the use of dedicated Hardware Security Modules (HSM). This ensures that no data can be decrypted without access to the appropriate HSM. The servers that store cardholder data cannot be accessed from the internet and cannot connect to the internet either.
Our data centers are strategically located to serve our core geographic regions. This ensures the minimum amount of latency. Wherever we can, we peer as close as possible to strategic Internet Exchanges such as LINX and NYIIX to further reduce latency and the number of hops to our processing network.
Our core infrastructure has been engineered with high levels of redundancy and resilience built in. Creditcall’s critical infrastructure has dual PSUs fed from two diverse UPS platforms. All data is stored on RAID-based SAN systems. This data is in turn replicated to our nearest geographical data center for further resilience. All servers are connected to our internal networks via at least two network interfaces, and our internal networking is provided by dual independent network switches.
We have four geographically diverse data centers, two in North America and another two in Europe. This allows continuous service and unrivalled survivability in the event of a localized or international event. Our infrastructure is carefully designed to avoid single points of failure. All of our service providers are also diverse both in location and paths. We only use service providers that maintain at least two physical fiber entry points into our data centers, and equally, diverse and multiple paths into their own core networks.
We have maintained 99.996% uptime consistently over the last five years and availability is monitored by an independent third party. Our internet facing systems are probed from points all over the world every five minutes to assess availability. Creditcall’s entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, of predictive failures, warnings and hard errors. Our overall aim is to detect and resolve issues before they can impact our transaction processing ability.
We perform rigorous automated vulnerability scans several times a week on both our internet-facing and internal infrastructure to assess our attack surface. A team of on-staff experts and independent third parties are also commissioned by Creditcall every six months to perform intensive manual and automated penetration testing.
The Creditcall network has been built to observe the most stringent standards of security and best practice, with minimal access to outside networks and the Internet. Internally we use a series of highly segmented networks so that only specific servers can communicate with each other. Access between network segments is highly restricted by robust firewall rules that define legitimate business need. To further enhance security, all inbound and outbound traffic from our platforms is monitored by an active Intrusion Prevention System (IPS), which blocks the threat of common exploits and zero-day attacks.
All internet-facing and internal infrastructure is aggressively patched on a tight timescale after patches for security vulnerabilities are made available by vendors.
Distributed Denial of Service (DDoS) Mitigation
We employ the services of a third party DDoS mitigator which is able to scrub malicious Internet traffic when needed.
Creditcall believes that cardholder data is best encrypted at the earliest possible point, which is when the card is read by a card reader or PINpad. This data can then only be decrypted within an HSM at Creditcall. We were a pioneer of Point to Point Encryption methodologies in 2005.
Creditcall first introduced the concept of Tokenization in 2004 so that our partners could reuse existing cardholder data from previous transactions without the need to store or secure it for themselves. Every payment transaction that is processed on the Creditcall Payment Gateway results in a secure “token”: an alias for the original cardholder data, which is securely stored and encrypted by Creditcall. This “token” can be used for subsequent authorizations or other operations such as full or partial refunds and voids.
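How a token vault of the kind described above can work, as an added example that is not Creditcall's code: the token is random rather than derived from the card number, so the partner's stored record carries no cardholder data, and only the vault can resolve it for a later authorization, refund or void. The `TokenVault` class, the Luhn check and the `contains_pan` scan are hypothetical, the PAN is a constructed test value, and the vault holds it in memory instead of under an HSM-held key.

```python
import re
import secrets
from dataclasses import dataclass

SAMPLE_PAN = "4111111111111111"  # constructed test PAN, not real cardholder data

def luhn_ok(digits):  # Luhn check: the usual way to recognise a PAN-shaped string
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Token:
    value: str   # opaque alias handed back to the partner
    last4: str   # displayable fragment for receipts
    expiry: str  # MMYY

class TokenVault:
    """Hypothetical gateway-side vault. A real one encrypts the PAN under an
    HSM-held key; this one keeps it in memory so the example runs stand-alone."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan, expiry, cvv=None, track2=None):
        # CVV and track 2 serve the live authorization only; they are dropped
        # here and never written to the store (PCI DSS forbids retaining them).
        del cvv, track2
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("invalid PAN")
        token = secrets.token_urlsafe(24)  # random, so nothing about the PAN leaks
        self._store[token] = (digits, expiry)
        return Token(token, digits[-4:], expiry)

    def detokenize(self, token):
        """Only the vault can map a token back, e.g. for a refund or void."""
        return self._store[token]

def partner_record(tok):
    """What the partner persists for reuse: token, last4 and expiry only."""
    return {"token": tok.value, "last4": tok.last4, "expiry": tok.expiry}

def contains_pan(text):
    """Scan stored data for anything that looks like a full PAN."""
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", text))
```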