Security at ProcessOut

Data security is extremely important to us. Our team is very security-oriented, and has a great track record at discovering and reporting vulnerabilities.

PCI DSS v3.2 Compliance

ProcessOut is certified for PCI DSS Level 1 Service Provider, which is the highest possible level of PCI compliance. To be certified, ProcessOut is audited yearly in its offices by an independent entity.

All cardholder data we store is managed by a dedicated, completely separated infrastructure. We do not share credentials or encryption keys between environments. Our applications never manipulate credit card numbers directly, they can only ask to export data to external providers on a whitelist. We regularly review the payment providers on this whitelist, to monitor their PCI compliance status and their security history.

We frequently undergo internal and independent penetration testing. For PCI DSS compliance, we also run internal and external network scans at least on a quarterly basis. This does not affect our reliability and is completely transparent to our customers.

Data encryption

All communication made with ProcessOut is protected using TLS (TLS v1.2 enforced for all cardholder data). We symmetrically encrypt data with AES-256 (CBC/GCM), and asymmetrically encrypt data with RSA-2048 and RSA-4096.

Encryption keys are protected using key-encrypting keys, which are in turn protected with split knowledge and dual control. A data thief would not be able to use information from a database without having the key. We never store encryption keys on disk, and machines that process the decrypted cardholder data cannot be reached via the Internet.

PGP Key

Please email us at security@processout.com to report security issues. We take security-related reports very seriously. We will get back to you under 24 hours. We ask that you do not disclose vulnerabilities publicly until we have addressed them.

Use the following PGP key for critical exchanges with our security team:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFhG694BEADLogY1ay3XpeMKwDrtB22C+hrKf/xr+R6VqCeuEP9roCoZ4VM8
jyhM5tI0s1Fl2YGCsJqniOlpjPIX3GX1qtH9YFs2jYbuOk+I1bNTRXk9vytrsnh9
5FiHHNk7qnSJIU24adQuZOgGeeAUC7ENe+aW8g7J8FrSkNBzt7FHqcGOIMuvfER3
TCe8BOnStdi0J0lLmONlx66pDqvatXxVyPNTRMRZRefnRUk/ajw+zZf0cUdxs4Ta
SUtOv8TZ6OsgllCMGf03lZyMngrlEQObFpiv70xXs8lGDPpwVF2ey4kcIHXeEzwH
R3My2QGEGk1ayavVRxkBl5xDPn/Bp9hYV68D+jazm9kUXUGIG8/LsSgZ8mZXOx3A
y775+FIZ84UAe/oTwzEma6RX7h7Jcy6yxzgy6N0ipzsg+bgJWqtp6phxuZGRDpy9
HACZRjn5pPjAJp0U9fX7LVfpoFm1CJLZhZ0c13N0tYiX62PFCbC2mhY4sEZIbkmn
N/diFJdAbPqA5zWg+3ChPiq8+JAFbJg/Z36JvOu23L28fNuh0Ywaddi1QfGGPlnk
mbNnhVvOVJnop01GqEKkOaqzA02ha1X0ohPhd9IRk0F3bYWuUL+I2UipbF3NVkVB
1ppwYymAdlz5f2Wh9OZN6wu2BN6tpCdSLOmd38FOOQd7zdRFMW+ZBn8hgwARAQAB
tC1Qcm9jZXNzT3V0IFNlY3VyaXR5IDxzZWN1cml0eUBwcm9jZXNzb3V0LmNvbT6J
Aj0EEwEKACcFAlhG694CGwMFCQlnUwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AA
CgkQiM1s1v7IYcvBAg/8CEdehCNJxZ1VweHWBD4DjffWnkKX3jmC+YVLkHJAHrCr
YSsVI37cXJSyamkBIABQhbB6DGAnsSA6awAAWgU87s3SJzupbYhCU3DLL9Fk3Z+A
IPJ3fHYsExz++rfmjs5mcmAWfnz3e5LIAhQfszKSwFkojDeGpNnC0uJAuIrE/y2y
QkAIVK75Q9AEPeMadTQiQ03GoXLxzFLFJTlI6dDtrjYRwbK39iyW7B/GibMIGulE
NaGKOT8SkLWyWmcjlhQ2k4I/o4KNUZsoaNFbQM1uiA/Js449uWvOhKiui9wzsxRI
K7N+pIE2VojFV8YgFMT338fvkiD0lBm33xkx4jhkW1GvV1TLxXQ5kme2DvJe6A4C
fTY2Ktc4a72l4q6GRSyL5qP8wlhmt/JjHRYdcMQZvwHFI6qCCMSWwWlkR/7fPYdJ
NFSFCgCH9GkT4KOGrrAS8bOK0NNXh7/9QfROzwWq4LeumuZ6rcL6lyqTfx6lp1wm
/gqTkjlfuxKIqJHEosapcQxlSd3z/zIw7wT1UwbH5ZsRLJIYJtJMv9Upi5MeNbAg
Xy1IBtgT6aLYVzh9ewTUpIwFlyMf3i8eQNdXHe4aKZyoCzOfVSopBShl5Wdydhma
hwT3/A04YVP7g4nWFHnSXUgdVW4B4KDzGyxwZqKLxc62sDurfgc3B2dFMMCNSk65
Ag0EWEbr3gEQAN3kPYG8LOWjtYSHCobxqB8CeNNu3NY+pS5dSuMpQBqeFRXrcgHu
7Wi4FNRRw2StJZGJ+1yZqHN/Y6p8nY25fl0taYUAiCP+faYYBbaqefXBnLLV20YG
EW+gWiE0v+QAtNGd+GcFYLNYCRVWK8s+kWz2N7dGWJbYy2Otuo/mwkp20Ez+H2/n
7tGZD8oBcuyWRsYaqNbynKwwbzmqIfoaTOyrzFn1Wc223Xe2MpcTeSLXXWZ9kJTh
jUGwj4J5L8N2Bdqh7SULnecfKdF04ZtpRoYTkz1fqUu6zzwpdOrB9vs8DH/b78nd
SnM29KfvbJA2yJaXfG35r4QO0uCrpixmk130nG3GxM0/n8GOyyOwz9ptrhkreU+u
zHlbl+Po2dmdbabiGDhYMqF9jlP0YKf0bkHqvEUavpE2HDbMBDfWue2XUudAcnQ1
Irq8KCjB+G+dzH8rue5G1cnWq6v78Jdb2tyX70xUMtBTR24cxoqz0+wm8ag0lf9B
xThG/q2CDTuvtl5oQUdd86QBRCytynB67D3vPtLdBGYQ301BUa3s4Fel7lXip/eu
v8QmlCyxZNsn+K2sD4n2WOvVctC317QUaHYhlGuQ1oMTRlGsBW3I2/XdBJw7QUeR
7VIyDWlNHGO6MZe2hNEcAXaeuiq6eAhtr1sHgdg0HnZg7oyGKEiV8IP5ABEBAAGJ
AiUEGAEKAA8FAlhG694CGwwFCQlnUwAACgkQiM1s1v7IYctDJBAAhNeQQzMZbvra
JrO74LeoPbtKLZYOr2jTIsd+PM4qoicpmMme42tcWd9AwX3UDO1Ce/d9SDHq8eaC
mA9rMa5/VVAj/ScEGkJL5gRWm7Um1h8EurNAbNNngPM0XAxAjP3dEmfDQv9qR950
ZNs0qBoO+D7tgIGYMU96VO58cX5BOaoxWsjxJwfxwT0y00EAHD11odeFBeutxgvm
r9NuBFnXcegxv3hWd+MGkaiXTXLh31Yx4SingpANR8FxFSMneh823yhqvoBFDVTZ
SnW+9ZOiHrsKOFUmKSWxu3n+o0YJxUcdq00dbsrF5o4Xgh9IuN0rGACpoe+xSR59
mIk3bYMufvU+uhyZ29gUOVVIEfWmjeVOuCiWMQUC/vcKSsQCCy/AwfpdctopLRiB
K/3n8D2lIseLYj3MDfmf0SgMMr6Gf4uY2YlPbtU+UBesDt7ziSkRq2QXBa2vAJhE
gp0r5TinvBtPuOxj7By/RBUetM00kh55x0P7uECPFE3CZfS4+R6OLj7zi9BDRU7P
zSNbLnSzQpZfOrLGA2qhuCRzqLMaSty6gfxeB5CkR8pLceEgcfjEDpu2vgbxqsay
GJ78YXO+maNuAvbyrFDcVjaZajX00DwsiuDVAr30M3xb6H33iIKNZKHT4Ytau+zX
phvObLJSM8baa9xvcAiikaa9dsN2vrw=
=E++f
-----END PGP PUBLIC KEY BLOCK-----

If you are not familiar with PGP, you can use GPG to protect your communications.