Security is at the heart of what we do. As an EMVCo Business and Technical Associate and a PCI SSC Participating Organization, security is embedded in our DNA, exceeding industry standards so you can rest assured your business is in safe hands.
PCI DSS Level 1 Compliance
Creditcall is a validated PCI DSS Level 1 Service Provider. This is the industry’s highest level of certification. An intensive onsite audit, repeated annually, ensures that the highest compliance levels are maintained and adhered to. As such, we are on Visa’s Global Registry of Service Providers and MasterCard’s Compliant Service Provider List.
Creditcall believes that cardholder data is best encrypted at the earliest possible point in the transaction: when the card is read by a card reader or PIN pad, using cryptographic keys that the Merchant has no knowledge of. This data can then only be decrypted within an HSM at Creditcall. We were a pioneer of point-to-point encryption technology in 2005. Our payment gateway solution ChipDNA was validated by the PCI SSC in December 2015. ChipDNA alleviates many of the costs and challenges associated with securing payments and adhering to PCI DSS.
Creditcall is audited and assessed to comply with the Payment Card Industry (PCI) PIN Security Requirements Version 2.0. The PCI PIN standard is a set of requirements for the secure management, processing, and transmission of personal identification numbers (PINs) during online and offline payment card transaction processing at attended and unattended devices, such as ATMs, kiosks and point of sale (POS) terminals.
Creditcall is audited and assessed to comply with the American National Standards Institute (ANSI) TR-39 (TG-3) standard to validate proper PIN security and key management practices. Organizations dealing with PIN debit transactions within automated teller machine (ATM) or point of sale (POS) environments or maintaining a processing network that connects directly to an online debit network for transaction processing need to comply with the ANSI-based TR-39 standard.
Security and reliability
Prohibited data storage
To comply with the strictest security measures, Creditcall does not store raw magnetic-stripe (Track 2) data, card validation codes or PIN block data. Storage of this data is strictly prohibited by PCI DSS.
Cardholder data is secured by using a combination of symmetric and asymmetric cryptographic algorithms with key lengths larger than required. The cryptographic process is further secured by the use of dedicated Hardware Security Modules (HSMs). This ensures that no data can be decrypted without access to the appropriate HSM. The servers that store cardholder data cannot be accessed from the internet and cannot connect to the internet either.
Our data centres are strategically located to serve our core geographic regions. This ensures the minimum amount of latency. Wherever we can, we peer as close as possible to strategic Internet Exchanges such as LINX, NYIIX and AMS-IX to further reduce latency and the number of hops to our processing network.
Our core infrastructure has been engineered with high levels of redundancy and resilience built in. Creditcall’s critical infrastructure has dual PSUs fed from two diverse UPS platforms. All data is stored on RAID-based SAN systems. This data is in turn replicated to our nearest geographical datacentre for further resilience. All servers are connected to our internal networks via at least two network interfaces, and our internal networking is provided by dual independent network switches.
We have four geographically diverse data centres, two in North America and another two in Europe. This allows continuous service and unrivalled survivability in the event of a localized or international event. Our infrastructure is carefully designed to avoid single points of failure. All of our service providers are also diverse, both in location and in paths. We only use service providers that maintain at least two physical fibre entry points into our data centres and, equally, diverse and multiple paths into their own core networks.
We have maintained 99.996% uptime consistently over the last five years and availability is monitored by an independent third party. Our internet facing systems are probed from points all over the world every five minutes to assess availability. Creditcall’s entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, of predictive failures, warnings and hard errors. Our overall aim is to detect and resolve issues before they can impact our transaction processing ability.
We perform rigorous automated vulnerability scans several times a week on both our internet-facing and internal infrastructure to assess our attack surface. A team of on-staff experts and independent third parties are also commissioned by Creditcall every six months to perform intensive manual and automated penetration testing.
The Creditcall network has been built to observe the most stringent standards of security and best practice, with minimal access to outside networks and the Internet. Internally we use a series of highly segmented networks so that only specific servers can communicate with each other. Access between network segments is tightly restricted by firewall rules that permit only traffic with a legitimate business need. To further enhance security, all inbound and outbound traffic from our platforms is monitored by an active Intrusion Prevention System (IPS), which blocks common exploits and zero-day attacks.
All internet-facing and internal infrastructure is aggressively patched within a tight timescale after patches for security vulnerabilities are made available by vendors.
Distributed denial of service (DDoS) mitigation
We employ the services of a third-party DDoS mitigator, which is able to scrub malicious Internet traffic when needed.
Creditcall first introduced the concept of tokenisation in 2004 so that our partners could reuse existing cardholder data from previous transactions without the need to store or secure it themselves. Every payment transaction processed on the Creditcall Payment Gateway results in a secure “token”, an alias for the original cardholder data, which is securely stored and encrypted by Creditcall. This “token” can be used for subsequent authorisations or other operations such as full or partial refunds and voids.
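The two mechanisms described on this page, the prohibition on persisting Track 2, card validation code and PIN block data, and the token that stands in for the stored cardholder data in later refunds and voids, can be put together in a short worked example. The code below is an added illustration and is not Creditcall's or ChipDNA's code: it parses an ISO/IEC 7813 Track 2 string, keeps only the fields a processor may persist (token, masked PAN, expiry, amount), and resolves the token again for a refund. The `TokenVault` class is an assumed in-memory stand-in for the HSM-backed encrypted store the page describes, and the Track 2 sample uses a constructed, well-known test PAN.

```python
"""Added example: Track 2 handling that never persists prohibited data,
plus a random token that replaces the PAN for later operations."""
import re
import secrets

# ISO/IEC 7813 Track 2: PAN (12-19 digits) '=' YYMM, 3-digit service code,
# discretionary data, optional start/end sentinels.
_TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Sensitive authentication data that PCI DSS forbids storing after authorisation.
FORBIDDEN_FIELDS = {"track2", "cvv2", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check to reject malformed PANs before tokenising them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> dict:
    """Extract PAN, expiry and service code from raw Track 2 data."""
    m = _TRACK2.match(track2)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 2 data")
    return {"pan": m["pan"], "expiry": m["exp"], "service_code": m["svc"]}


class TokenVault:
    """Assumed stand-in for the HSM-backed store: a real deployment keeps the
    PAN encrypted under HSM-held keys. Tokens are random, not derived from
    the PAN, so a token leaks nothing about the card it aliases."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}

    def tokenise(self, pan: str, expiry: str) -> str:
        token = secrets.token_urlsafe(24)
        self._store[token] = (pan, expiry)
        return token

    def detokenise(self, token: str) -> tuple[str, str]:
        return self._store[token]


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_storable(record: dict) -> bool:
    """True only if the record carries no prohibited field and no value that
    itself looks like a Track 2 string."""
    if FORBIDDEN_FIELDS & set(record):
        return False
    return not any(isinstance(v, str) and _TRACK2.match(v) for v in record.values())


def build_record(raw_txn: dict, vault: TokenVault) -> dict:
    """Turn a raw authorisation request (constructed input) into a record
    that is safe to persist: the PAN is replaced by a token."""
    card = parse_track2(raw_txn["track2"])
    token = vault.tokenise(card["pan"], card["expiry"])
    record = {
        "token": token,
        "masked_pan": mask_pan(card["pan"]),
        "expiry": card["expiry"],
        "amount": raw_txn["amount"],
    }
    if not is_storable(record):
        raise ValueError("record contains prohibited cardholder data")
    return record


def refund_by_token(token: str, amount: int, vault: TokenVault) -> dict:
    """A later refund needs the PAN only inside the vault; the caller gets
    back just the last four digits for its audit trail."""
    pan, expiry = vault.detokenise(token)
    return {"status": "refund_sent", "last4": pan[-4:], "expiry": expiry, "amount": amount}


if __name__ == "__main__":
    # Constructed request: test PAN, expiry 12/25, service code 101.
    raw = {"track2": ";4111111111111111=25121011234567890?",
           "cvv2": "123", "pin_block": "0123456789ABCDEF", "amount": 1999}
    vault = TokenVault()
    rec = build_record(raw, vault)
    print(rec)                                  # no track2 / cvv2 / pin_block
    print(refund_by_token(rec["token"], 500, vault))
```

The `is_storable` check is deliberately applied to the record that is about to be persisted rather than to the incoming request: the raw request legitimately carries the CVV and PIN block for the authorisation itself, and the point of the prohibition is that none of it survives past that step.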