PCI COMPLIANCE

Payout has been audited by a PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. We ensure that your customers' cardholder data is stored, processed and transmitted securely according to the PCI Data Security Standard (PCI DSS).

Our commitment to protect your customers' cardholder data goes beyond our compliance requirements. We take our responsibility seriously.

Secure Networks (PCI Req 1)

Payout operates secure networks with firewalls positioned strategically to protect sensitive systems from hackers, malware and unauthorized employees. None of our sensitive networks have wireless access points, and external access requires at least two factors of authentication.

Secure Systems (PCI Req 2)

Our system configuration standards ensure our systems are hardened against attackers and are stripped of all unneeded services, protocols and extraneous kernel settings. Our systems are lean, mean, hacker-fighting machines!

Secure Storage (PCI Req 3)

All cardholder data stored by Payout is encrypted with AES-256 before it ever touches a disk. We use strong, cryptographically secure keys which are rotated regularly. Accessing encryption keys triggers multiple alerts which notify key security personnel to investigate the event.

Internally, full PANs are never displayed to employees via administrative panels, and we've taken special care to ensure that none of the vetted personnel with access to full cardholder data can do so without the others' knowledge.

In addition, all passwords and API secrets are one-way hashed using bcrypt with a work factor of 10. API secrets are generated using cryptographically secure random number generators and carry over 128 bits of entropy. This prevents your customers' card data from being used without your permission.

Secure Transmission (PCI Req 4)

Payout forces HTTPS for all connections to our servers and uses TLS v1.2 whenever available. This ensures any data sent to our servers is encrypted while it makes its way to us.

Malware Protected (PCI Req 5)

Payout doesn't utilize systems commonly affected by malware (no Windows systems here!), and we regularly monitor for evolving threats affecting our servers and workstations.

Secure Development (PCI Req 6)

Payout is committed to maintaining secure systems and applications. All software and configuration changes go through a rigorous multi-level review process, and all engineers are instructed in how to avoid common software vulnerabilities. This ensures that your data is secure not only today but tomorrow, as well.

Access Segmentation (PCI Req 7)

Payout operates a highly segmented network and application architecture which minimizes where card data is accessible. The majority of our backend systems are not capable of either accessing or decrypting cardholder data. This minimizes our attack surface area and ensures your customers' card data doesn't end up in the wrong hands. It also allows us to tightly restrict internal access to cardholder data and limit access to a need to know basis only.

Secure Administration (PCI Req 8)

All system administration is protected by at least two factors of authentication, and remote access is securely encrypted. Administrative access is limited to key personnel only, and all actions taken by administrators are tracked.

Data Centers (PCI Req 9)

Payout's infrastructure is hosted within Amazon Web Services which operates PCI Level 1 compliant data centers. This ensures that your data is not only electronically secure but also physically secure from attackers.

Continuous Security Auditing (PCI Req 10)

Payout collects detailed audit logs from internal software systems and performs continuous, automated scanning for signs of suspicious activity. All logs are copied to a third party for secure storage to prevent an attacker from covering their tracks.

Vulnerability Management (PCI Req 11)

Every month, Payout undergoes external vulnerability scans by an Approved Scanning Vendor and performs an internal vulnerability scan to identify newly introduced vulnerabilities. In addition, both an internal and an external penetration test are executed every year by a trusted third party.

All sensitive networks are monitored by network intrusion detection systems, and system changes are identified by continuous file integrity monitoring.

Information Security Management (PCI Req 12)

Payout maintains an Information Security Policy, an Incident Response Plan and a formal security awareness program so employees are aware of evolving threats. Background checks are performed on new hires to screen for potential information security risks. Regular information security risk assessments are performed to ensure the ongoing protection of cardholder data, and key personnel are always on call to respond to security events.