Security at ProcessOut

Data security is extremely important to us. Our team is very security-oriented and has a strong track record of discovering and reporting vulnerabilities.

PCI DSS v3.2 Compliance

ProcessOut is certified for PCI DSS Level 1 Service Provider, which is the highest possible level of PCI compliance. To be certified, ProcessOut is audited yearly in its offices by an independent entity.

All cardholder data we store is managed by a dedicated, completely separate infrastructure. We do not share credentials or encryption keys between environments. Our applications never manipulate credit card numbers directly; they can only request that data be exported to external payment providers on a whitelist. We regularly review the providers on this whitelist to monitor their PCI compliance status and their security history.

We frequently undergo internal and independent penetration testing. For PCI DSS compliance, we also run internal and external network scans at least on a quarterly basis. This does not affect our reliability and is completely transparent to our customers.

Data Encryption

All customer data transmitted to ProcessOut is protected with TLS v1.2 using strong cipher suites. We symmetrically encrypt data using AES-256 (GCM mode only) and Salsa20. For asymmetric cryptography we use RSA-OAEP (2048- and 4096-bit keys) and elliptic curve cryptography (keys on the P-256, P-384 and Curve25519 curves). For message authentication we use HMAC (HMAC-SHA-256 and HMAC-SHA-512/256) and the Poly1305 one-time authenticator. ProcessOut only uses proven, robust implementations of these cryptographic algorithms such as BoringSSL and NaCl.

Data-encrypting keys are protected with key-encrypting keys, which are in turn managed by hardware security modules under strict access control and auditing procedures. An attacker who obtains a copy of a database cannot read the data without the corresponding key. We never store encryption keys on disk, and the machines that process decrypted cardholder data are not reachable from the Internet.
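The key hierarchy described above (a per-record data-encrypting key under AES-256-GCM, wrapped with RSA-OAEP under a key-encrypting key that only a hardware module can use) can be written out as an envelope-encryption round trip. The Go code below is an added example and is not ProcessOut's code: the HSM type is an in-process stand-in for the hardware module, the OAEP label, the customer-ID associated data and the test card number are all constructed for the example, and a real deployment would keep the KEK private half inside the module and ship only the public half to encrypting hosts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what is stored beside a record: ciphertext, nonce, wrapped DEK.
type Envelope struct {
	WrappedDEK []byte // RSA-OAEP(KEK public key, DEK)
	Nonce      []byte // 12-byte GCM nonce; a fresh DEK per record, so never reused
	Ciphertext []byte // AES-256-GCM output with the tag appended
}

// HSM stands in (assumption) for the hardware module holding the KEK.
type HSM struct{ kek *rsa.PrivateKey }

const dekLabel = "card-dek-v1" // hypothetical OAEP label binding the blob to this purpose

// NewHSM generates the KEK inside the module; bits is 2048 or 4096.
func NewHSM(bits int) (*HSM, error) {
	kek, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &HSM{kek: kek}, nil
}

// PublicKEK is all an encrypting host needs; the private half never leaves the module.
func (h *HSM) PublicKEK() *rsa.PublicKey { return &h.kek.PublicKey }

// Unwrap recovers a DEK inside the module.
func (h *HSM) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, h.kek, wrapped, []byte(dekLabel))
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under a fresh random DEK, then wraps the DEK under the KEK.
// aad is authenticated but not encrypted: binding a row to its customer ID stops a
// valid ciphertext from being swapped into another row.
func Seal(kekPub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256; lives only for this call, stored wrapped
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, []byte(dekLabel))
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open asks the module for the DEK, then decrypts. Any change to ciphertext, nonce,
// tag, wrapped DEK or aad fails authentication before any plaintext is returned.
func Open(h *HSM, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := h.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("envelope: DEK unwrap failed: %w", err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("envelope: record failed authentication: %w", err)
	}
	return pt, nil
}

func main() {
	hsm, err := NewHSM(2048)
	if err != nil {
		panic(err)
	}
	aad := []byte("customer=cust_demo") // constructed sample data
	env, err := Seal(hsm.PublicKEK(), []byte("4111111111111111"), aad) // well-known test PAN, not a real card
	if err != nil {
		panic(err)
	}
	env.Ciphertext[0] ^= 0x01 // a single flipped bit must be rejected
	_, err = Open(hsm, env, aad)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The property worth checking is the one the paragraph relies on: a stolen database row (ciphertext plus wrapped DEK) is useless without the module, and any modification of the row, its wrapped key or the associated data is rejected before plaintext is produced.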

Please feel free to email us at security@processout.com for more details, we love talking security!

Security in Our Culture

ProcessOut nurtures a strong engineering culture, oriented towards security. We share this with non-technical employees as much as possible. ProcessOut has contributed code to some major security-related projects of the open-source ecosystem.

Through our operations we occasionally identify security vulnerabilities in other products. Our policy is always to coordinate disclosure of these vulnerabilities with the affected vendors. As a result, our engineers have collaborated with companies such as Apple, Microsoft, Stripe, Checkout.com and Etsy to research and mitigate security issues, some directly related to payments.

Security Researcher Acknowledgments

We sincerely appreciate the efforts of security researchers in making ProcessOut safer by finding and reporting security vulnerabilities. Each name listed represents an individual or a company who has privately disclosed one or more security vulnerabilities and worked with us to remediate the issue.

PGP Key

Please email us at security@processout.com to report security issues. We take security-related reports very seriously and will get back to you within 24 hours. We ask that you do not disclose vulnerabilities publicly until we have addressed them.

Use the following PGP key for critical exchanges with our security team:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=cEPx
-----END PGP PUBLIC KEY BLOCK-----

If you are not familiar with PGP, you can use GPG to protect your communications.