Payment Application Data Security Standard (PA-DSS) Compliant
Compliant with the Payment Card Industry Payment Application Data Security Standard (PA-DSS). Payments Entities' hosted environment and sensitive data are protected within the shared hosting environment. Note that the PCI Security Standards Council retired PA-DSS in October 2022 in favour of the PCI Software Security Framework, so the date and listing of the validation should be checked.
Transport Layer Security
Uses the Transport Layer Security (TLS) protocol, versions 1.1 and 1.2, to provide an authenticated, encrypted connection between the Web Server and the client's browser. Application data is encrypted with symmetric cryptography, using fresh session keys negotiated for each connection. TLS 1.1 (together with TLS 1.0) was deprecated by RFC 8996 in 2021; it should be disabled so that only TLS 1.2 or later is offered.
Secure Sockets Layer
The Web Server uses Secure Sockets Layer (SSL), the predecessor of TLS: public/private key cryptography authenticates the server and establishes a session key, and a 128-bit symmetric cipher then encrypts every packet transferred between the Web Server's secured directories and the client's PC over the Internet. SSL 2.0 and SSL 3.0 themselves are prohibited (RFC 6176 and RFC 7568), so in practice "SSL" here means the TLS connection described above.
Session Management
A strict session management mechanism is in place to prevent insecure access and so protect all resources from unauthenticated and unauthorized users.
Blocking an Account for Invalid Login Attempts
Prevents unauthorized access to the web interface: after a defined number of invalid login attempts the account is blocked. A brute-force attack on the login page therefore fails once the attempt threshold is reached, greatly reducing the probability of an attacker guessing a password. Because an attacker can also trigger the block deliberately to lock legitimate users out, lockouts should be temporary and combined with per-source rate limiting, and the unblock procedure should be defined.
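The lockout logic described above, as an added example that is not the platform's own code. The threshold, window and lockout duration are hypothetical values; the clock is injectable so the behaviour can be tested without waiting. The caller performs the credential check first and passes its result in, so a locked account is refused even when the password is correct and the response does not reveal whether it was.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class LoginGuard:
    """Block an account after too many failed logins, with automatic expiry.

    Policy values are hypothetical examples (not from the page): 5 failures
    inside a 15-minute window lock the account for 30 minutes.
    """
    max_attempts: int = 5
    window_seconds: float = 15 * 60
    lockout_seconds: float = 30 * 60
    clock: Callable[[], float] = time.monotonic   # injectable so tests can advance time
    _failures: Dict[str, List[float]] = field(default_factory=dict, init=False, repr=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:                  # lockout expired: clear all state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, password_ok: bool) -> str:
        """Return "ok", "denied" or "locked".

        password_ok is the result of the caller's credential check, computed
        before calling here so that timing does not differ for locked accounts.
        """
        if self.is_locked(account):
            return "locked"                         # a correct password is still refused
        now = self.clock()
        if password_ok:
            self._failures.pop(account, None)       # success resets the counter
            return "ok"
        # keep only failures inside the sliding window, then add this one
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"
```

A temporary lockout limits the denial-of-service an attacker can inflict by deliberately failing logins for a victim; in a real deployment the same guard would also be keyed by source address.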
Session Timeout
If a customer leaves a session open and walks away from the computer, the web server automatically closes the session after a defined period of inactivity. The browser's back button does not restore a closed session. The system administrator can configure the length of the session timeout.
Encryption of Sensitive Data
Whenever transaction data or a PIN block is communicated within or beyond the platform, it is encrypted so that it cannot be intercepted and read by unauthorized users.
For payment transactions, the response details recorded in logs (Customer ID, PAN, payer ID) are encrypted.
Database connection strings are stored encrypted and are decrypted by an HSM at run time. Web service URLs, user IDs and passwords are also stored encrypted.
To prevent fraudulent activity and misuse of user data, the platform keeps sensitive user information (e-mail addresses, secret answers, etc.) encrypted in the database. Database connection strings and web service URLs are also kept encrypted in configuration files. Checksums are used to verify the integrity of sensitive data and to detect modification from outside the platform; only a keyed checksum (a MAC) achieves this, since anyone who can alter the data can also recompute an unkeyed checksum.
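The difference between an unkeyed and a keyed checksum for the integrity check above, as an added example that is not the platform's own code. The record fields, the integrity key and the attacker model (someone with direct write access to the database but not to the key) are assumptions; in deployment the key would come from the HSM or key store the page describes, never from the database the rows live in.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Hypothetical integrity key (constructed for this example).
INTEGRITY_KEY = bytes.fromhex(
    "3f8a1c5e9b2d7046a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718")


def canonical(fields: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so the same data always yields the same tag."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_checksum(fields: Dict[str, Any]) -> str:
    return hashlib.sha256(canonical(fields)).hexdigest()


def keyed_checksum(fields: Dict[str, Any], key: bytes) -> str:
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def seal(fields: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Store both kinds of tag with the row so the difference can be shown."""
    return {"fields": fields,
            "unkeyed": unkeyed_checksum(fields),
            "keyed": keyed_checksum(fields, key)}


def verify_unkeyed(row: Dict[str, Any]) -> bool:
    return hmac.compare_digest(unkeyed_checksum(row["fields"]), row["unkeyed"])


def verify_keyed(row: Dict[str, Any], key: bytes) -> bool:
    return hmac.compare_digest(keyed_checksum(row["fields"], key), row["keyed"])


def tamper_outside_platform(row: Dict[str, Any], **changes: Any) -> Dict[str, Any]:
    """What an attacker with direct database write access can do: alter fields and
    recompute the unkeyed checksum. The keyed tag cannot be recomputed without the key,
    so the stale one is left in place."""
    fields = dict(row["fields"], **changes)
    return {"fields": fields, "unkeyed": unkeyed_checksum(fields), "keyed": row["keyed"]}
```

The canonical serialisation matters as much as the MAC: if two orderings of the same fields produced different bytes, legitimate rewrites would look like tampering.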
TCP Port Firewall Requirement
Clients are required to permit TCP port 443 (HTTPS), and only that port, for platform operations. The firewall must allow this port for the platform to operate; any other configuration of security-related hardware or software is the client's responsibility.
Firewall and Proxies
A firewall denies unauthorized remote access to the private network from the Internet by placing packet filters between the private network and the Internet. Proxies are also set up to limit the access of internal clients to external Internet servers.
Secured Session Module
A secured session module generates and verifies session IDs for the duration of a user's login session, so that session IDs cannot be guessed, planted or reused by an attacker (session hijacking and session fixation). Protection of the session ID against man-in-the-middle interception in transit relies on the TLS connection described above and on the session cookie being marked Secure and HttpOnly.
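A server-side session store covering the session management, inactivity timeout and session ID handling described in the three passages above, as an added example that is not the platform's own code. The timeout values, the cookie name and the choice to store only a hash of the session ID are assumptions; the ID itself comes from the operating system's CSPRNG.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional


class SessionStore:
    """Server-side sessions: unguessable IDs, idle and absolute timeouts,
    ID rotation at login. Timeout values are hypothetical examples."""

    def __init__(self, idle_seconds: float = 15 * 60, absolute_seconds: float = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        self.idle_seconds = idle_seconds
        self.absolute_seconds = absolute_seconds
        self.clock = clock                          # injectable for tests
        self._sessions: Dict[str, dict] = {}        # sha256(session id) -> record

    @staticmethod
    def _key(session_id: str) -> str:
        # Only a hash of the ID is stored, so a dumped session table cannot be replayed.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._key(sid)] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def validate(self, session_id: str) -> Optional[str]:
        """Return the user for a live session, or None (and discard it) if expired or unknown.
        Called on every request, so a cached page reached via the back button is
        rejected once the session is gone."""
        rec = self._sessions.get(self._key(session_id))
        if rec is None:
            return None
        now = self.clock()
        if (now - rec["last_seen"] > self.idle_seconds
                or now - rec["created"] > self.absolute_seconds):
            self.destroy(session_id)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, session_id: str) -> Optional[str]:
        """Issue a fresh ID for the same session after login or a privilege change,
        so an ID planted before authentication (session fixation) is worthless."""
        rec = self._sessions.pop(self._key(session_id), None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[self._key(new_sid)] = rec
        return new_sid

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(self._key(session_id), None)


def session_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Set-Cookie value: Secure keeps the ID off plaintext HTTP, HttpOnly away from
    script, SameSite=Strict out of cross-site requests; no Max-Age, so it is session-scoped."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Response headers for authenticated pages so the browser does not serve them from
# cache after the session has ended.
NO_STORE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}
```

The absolute timeout bounds how long a stolen ID stays useful even when the victim keeps the session active; the idle timeout is the inactivity closure the page describes.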
Masking of Sensitive Data
Sensitive data is always masked whenever it is displayed on the web interface. For a PAN this means showing no more than the first six and last four digits, the maximum PCI DSS permits.
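PAN masking for display, plus a log-line scrubber that finds Luhn-valid card numbers and masks them, as an added example that is not the platform's own code. The scrubber is offered as defence in depth beside the log encryption described under Encryption of Sensitive Data; the sample log line is constructed for the example and uses a well-known test PAN.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812), used to tell PANs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six (BIN) and
    last four digits to be shown, so larger requests are capped to that."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length number")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:] if keep_last else ""   # avoid digits[-0:]
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line by its masked form
    (last four only, the usual choice for logs); other numbers are left alone."""
    def _repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            return mask_pan(digits, keep_first=0, keep_last=4)
        return m.group(0)
    return _PAN_CANDIDATE.sub(_repl, line)
```

The Luhn filter keeps timestamps, reference numbers and customer IDs of PAN-like length out of the masking, at the cost of letting through a PAN that fails Luhn (which no issued card does).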
E-token
The platform asks the user for an E-token, a PIN distinct from the login password and secret keyword. Only software-based E-tokens are supported. A proprietary algorithm is used to generate E-tokens; since an unpublished algorithm cannot be independently reviewed, a standard one-time-password scheme such as TOTP (RFC 6238) is the usual alternative.
Captcha
A CAPTCHA can be used to prevent automated attacks against the internet banking portal. The platform supports adding a CAPTCHA to the login and registration pages to stop automated registration and login attempts.
Password Hashing
User passwords are hashed using the MD5, SHA-1 or SHA-256 algorithm; HMAC-based hashing is also supported. MD5 and SHA-1 are broken, and all three are fast, unsalted general-purpose hashes, so a leaked table is exposed to dictionary and rainbow-table attacks. Current guidance (OWASP, NIST SP 800-63B) is a salted, iterated or memory-hard password hash such as PBKDF2, bcrypt, scrypt or Argon2; an HMAC with a server-side secret can be layered on top as a pepper but does not replace salting and stretching.
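Salted, stretched password hashing with PBKDF2-HMAC-SHA256 beside the weak unsalted form, plus a check for migrating legacy MD5/SHA-1/SHA-256 hashes at next login, as an added example that is not the platform's own code. The storage format, the function names and the iteration count (OWASP's 2023 figure for PBKDF2-HMAC-SHA256) are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256
_ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """Unsalted single-pass SHA-256, shown only for contrast: equal passwords give
    equal hashes, and a GPU tests billions of candidates per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing format:
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>."""
    salt = os.urandom(16)                            # fresh per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([_ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != _ALGO:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:        # wrong field count, non-integer, or bad base64 (binascii.Error)
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy hashes (bare MD5/SHA-1/SHA-256 hex with no salt field) or for
    PBKDF2 hashes below the current iteration policy. Re-hash at the next successful
    login, when the plaintext is available."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != _ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```

Because the iteration count travels with each hash, the policy can be raised later without invalidating existing accounts: old hashes keep verifying and needs_rehash flags them for upgrade.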
Activity Log
A complete log of every activity performed through the Front End or BackOffice application is maintained in a secured database, so that all activities of every user can be traced. The log does not store confidential customer information such as the E-token, secret answer or password.
Secret Question Answer
A front-end application user is required to set a secret question and answer. This question/answer combination is used for security-related operations such as Forgot Password. Answers should be stored hashed in the same way as passwords and, because they are often guessable or discoverable, should not be the sole control on account recovery.