Network Security
Pay-Ease views security as a mission-critical process of our business. We regularly review our security practices and use references such as the SANS Institute and IETF Site Security guidelines to enhance our procedures. Pay-Ease security practices include providing for restoration of information systems by incorporating protection, detection and reaction capabilities. Pay-Ease security protects against the following practices:
In part, some defenses are incorporated into the Pay-Ease Disaster Recovery/Contingency Plan. Other defenses are business policies and system configuration settings. Pay-Ease uses a secure data transport to move data from the kiosk to the Pay-Ease data center. The Pay-Ease data center is designed as a data fortress using various technologies to secure the network: extensive ACLs on firewalls, NBAC, VPNs, IPsec and SSL. Pay-Ease encrypts all outbound data delivered to our subscribers and business partners.
Our back-end process is active and ready for implementation. We utilize SSH Tectia (Secure Shell) encryption technology and real-time communication, providing transparent, strong encryption and authentication that can be easily integrated into heterogeneous network environments. This means that a secured database resides on Pay-Ease property with full-time communication with our main servers. This process provides up-to-the-minute communication for the bank, the end-user customer and our ACM.
Hardware Security
We utilize 3DES, a Data Encryption Standard algorithm that encrypts input data three times (versus only one time), which raises the level of fraud protection for PIN-based transactions initiated at ATMs.
Our cash vault is secured by a Kaba Mas locking system, which is designed to combat insider theft through a combined locking system of hardware, systems software and smart software. The vault has a dual-wall construction, which provides extra protection. The casing is of solid steel welded construction, with outer doors and a steel shell securing the safe.
Card Security
Pay-Ease follows the PCI Data Security Standard as its framework. CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements categorized as follows:
Build and Maintain a Secure Network
Requirement 1:
Install and maintain a firewall configuration to protect cardholder data
Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3:
Protect stored cardholder data
Requirement 4:
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5:
Use and regularly update anti-virus software
Requirement 6:
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7:
Restrict access to cardholder data by business need-to-know
Requirement 8:
Assign a unique ID to each person with computer access
Requirement 9:
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10:
Track and monitor all access to network resources and cardholder data
Requirement 11:
Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12:
Maintain a policy that addresses information security
CISP compliance is required of all merchants and service providers that store, process, or transmit VISA® cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.
Electronic Check Security
Pay-Ease works with NACHA – the Electronic Payments Association
The National Automated Clearing House Association (NACHA) is the leading organization in developing electronic solutions to improve the payments system. NACHA represents more than 11,000 financial institutions through direct memberships and a network of regional payment associations, and 650 organizations through its industry councils. NACHA develops operating rules and business practices for the Automated Clearing House (ACH) Network and for electronic payments in the areas of internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and electronic benefits transfer (EBT).
When a customer inserts a check into our ACM, it instantly requests permission to convert the check (utilizing NACHA procedures) into ACH format through an approval screen, thus beginning the process. Pay-Ease then sends the payments through the banking channels to process and transfer funds into the appropriate accounts.