
Cyber Security
Last Updated: Nov 2024
Cyber Security Overview
Ezypay understands how important data security is to our merchants and customers. Our secure processing environment has been designed to ensure that we safeguard the sensitive data and transactional information of our partners, merchants and their customers.
Our quality assurance approach to cyber security ensures we provide a safe and secure processing and data storage environment, designed to meet all legislative and industry body requirements, as well as Ezypay’s Acquiring and Banking Partner obligations around data security.
We continuously monitor our systems, applications, and transactions to ensure ongoing compliance. We have structured teams across Merchant Operations, Engineering and Compliance that drive both our external quality testing and audits, and our internal processes and self-assessment activities to identify and manage business and processing risk.
Ezypay is a Payment Card Industry Data Security Standard (PCI DSS V4.0) Level 1 certified service provider.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The core principles of the PCI DSS are to:
- Build and maintain a secure network
- Protect cardholder data and encrypt transmission of cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
For more details on the PCI DSS requirements please visit the PCI DSS website https://www.pcisecuritystandards.org/
This document specifically relates to Ezypay Cloud billing platform and associated systems.
Data Security & Information Lifecycle Management
Gathering of Data:
Ezypay is a secure cloud-based platform. When a new entity applies to Ezypay for a Merchant Account, we perform the required Merchant Identification, Know Your Business (KYB) and Risk Assessment checks in alignment with applicable Anti-Money Laundering and Counter Terrorism Financing (AML/CTF) obligations or best practice (as may be applicable). This includes collecting information and documentation about the Merchant legal entity, as well as business and personal information about the merchant's key stakeholders (including Directors and Ultimate Beneficial Owners), and verifying the information collected accordingly.
Successfully onboarded merchants must adhere to the Ezypay Merchant Terms & Conditions, Privacy Policy and Identity and Access Policy. Merchants then add their customers to the platform in accordance with those policies.
All personal and sensitive data collected from the merchant about its customers, including but not limited to personal information and card PAN data, is held and maintained securely in the respective Ezypay system and vault in accordance with Ezypay's data policies.
Data Storage:
Ezypay utilises a unified, centrally managed data storage platform (Ezypay Vault) that securely stores all sensitive customer data. The data is retained in accordance with the PCI DSS, and the vault is in scope for our penetration testing and annual PCI audit processes to ensure the ongoing security of retained data.
All payment data is secured and stored in Ezypay's secure vault environment. Credit card data and bank account data are encrypted using the 256-bit Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). Merchants are returned a token in place of the data: a randomly generated, unique token (a universally unique identifier, UUID) is generated each time an encryption operation is completed.
Data in transit between internal and external systems and applications is protected with Transport Layer Security (TLS), minimum version 1.2.
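The following Go program is an added illustration of the tokenization pattern described above (encrypt with AES-256-GCM, hand the caller a random UUID token, resolve the token later). It is not Ezypay's code and says nothing about how Ezypay Vault is built internally; it assumes a 32-byte key supplied by the caller (in practice from an HSM or KMS) and uses an in-memory map where a real vault would use a database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Vault is a minimal in-memory tokenization vault, constructed for this
// example. Sensitive values are sealed with AES-256-GCM and the caller only
// ever receives an opaque UUID token. Key management and durable storage are
// assumed to live elsewhere (HSM/KMS and a database respectively).
type Vault struct {
	aead  cipher.AEAD
	mu    sync.Mutex
	store map[string]record
}

type record struct {
	nonce      []byte
	ciphertext []byte // includes the 16-byte GCM authentication tag
}

// NewVault builds a vault around a 32-byte (256-bit) AES key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string]record)}, nil
}

// newUUID returns a random RFC 4122 version-4 UUID using only the standard library.
func newUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant bits
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Tokenize encrypts plaintext (for example a card PAN) under a fresh random
// nonce, stores the ciphertext and returns a new token. Every call yields a
// new token even for identical input, so tokens never reveal that two records
// hold the same value. The token is bound in as GCM associated data, so a
// ciphertext re-attached to a different token fails authentication.
func (v *Vault) Tokenize(plaintext []byte) (string, error) {
	token, err := newUUID()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize()) // 12 bytes for GCM
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(token))
	v.mu.Lock()
	defer v.mu.Unlock()
	v.store[token] = record{nonce: nonce, ciphertext: ct}
	return token, nil
}

// Detokenize returns the plaintext for a token, or an error if the token is
// unknown or the stored ciphertext fails GCM authentication (tampering).
func (v *Vault) Detokenize(token string) ([]byte, error) {
	v.mu.Lock()
	rec, ok := v.store[token]
	v.mu.Unlock()
	if !ok {
		return nil, errors.New("unknown token")
	}
	return v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(token))
}

// Delete discards a token's ciphertext (the deletion step of a retention
// policy); afterwards the token can never be resolved again.
func (v *Vault) Delete(token string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	_, ok := v.store[token]
	delete(v.store, token)
	return ok
}

func main() {
	key := make([]byte, 32) // demo key only; production keys come from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	tok, _ := v.Tokenize([]byte("4111111111111111")) // constructed test PAN
	pan, _ := v.Detokenize(tok)
	fmt.Printf("token %s resolves to ****%s\n", tok, pan[len(pan)-4:])
}
```

Two design points worth noting: GCM is only safe while no nonce is ever reused under the same key, so with random 96-bit nonces the key must be rotated long before the message count grows large; and the token is used as associated data so that the vault authenticates not just the ciphertext but its binding to the token that references it.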
Retention and Deletion of Data:
We adhere to the Privacy, AML/CTF and PCI DSS v4.0 regulatory requirements of each applicable country for the retention of Merchant and Customer information collected during the business relationship, and apply the required record retention, archiving and deletion requirements accordingly.
We take all reasonable steps to destroy or de-identify personal information if it is no longer required for the primary purpose for which it was collected.
Privacy Policy: https://www.ezypay.com/privacy-security
Network Security
At Ezypay we apply multiple layers of security across our platform. We implement network firewalling through a combination of AWS Network ACLs and security groups to protect our network.
Network ACLs control inbound and outbound traffic and are set up on our perimeter network. Security groups provide stateful firewalling of specific traffic to each of our server instances, and a Web Application Firewall inspects incoming traffic to our public endpoints.
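The difference between the two layers just described, stateless network ACLs at the perimeter and stateful security groups at the instance, is easy to state and easy to get wrong in practice. The following Go program is an added, constructed model of how each layer evaluates packets (it is not AWS code and not Ezypay's configuration); it reproduces the common pitfall where a network ACL allows an inbound HTTPS request but, lacking an outbound rule for the client's ephemeral port, silently drops the reply, while a security group with only an inbound rule passes the reply because it tracks the flow. Addresses are from documentation ranges and the CIDR matcher deliberately supports only `0.0.0.0/0` and `/32` entries.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet is a simplified 5-tuple plus its direction relative to the instance.
type Packet struct {
	Proto   string
	SrcIP   string
	DstIP   string
	SrcPort int
	DstPort int
	Inbound bool // true: arriving at the instance; false: leaving it
}

// NACLRule models a network ACL entry: numbered, evaluated lowest number
// first, first match wins, allow or deny, applied per direction. As with the
// real thing, the port range refers to the packet's destination port.
type NACLRule struct {
	Number   int
	Inbound  bool
	Proto    string // "tcp", "udp" or "all"
	CIDR     string // this model accepts "0.0.0.0/0" or a single "x.x.x.x/32"
	FromPort int
	ToPort   int
	Allow    bool
}

func cidrMatches(cidr, ip string) bool {
	return cidr == "0.0.0.0/0" || cidr == ip+"/32"
}

// ruleMatches compares a packet against a rule's direction, protocol, peer
// address (source for inbound, destination for outbound) and destination port.
func ruleMatches(inbound bool, proto, cidr string, from, to int, p Packet) bool {
	if inbound != p.Inbound || (proto != "all" && proto != p.Proto) {
		return false
	}
	peer := p.DstIP
	if p.Inbound {
		peer = p.SrcIP
	}
	return cidrMatches(cidr, peer) && p.DstPort >= from && p.DstPort <= to
}

// NACLAllows evaluates a packet against a stateless ACL. With no connection
// tracking, a reply is judged purely on its own header, so it needs its own
// outbound rule covering the client's ephemeral port.
func NACLAllows(rules []NACLRule, p Packet) bool {
	ordered := append([]NACLRule(nil), rules...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Number < ordered[j].Number })
	for _, r := range ordered {
		if ruleMatches(r.Inbound, r.Proto, r.CIDR, r.FromPort, r.ToPort, p) {
			return r.Allow
		}
	}
	return false // the catch-all deny at the end of every ACL
}

// SGRule models a security group entry: allow-only and unordered.
type SGRule struct {
	Inbound  bool
	Proto    string
	CIDR     string
	FromPort int
	ToPort   int
}

type flowKey struct {
	proto, src, dst  string
	srcPort, dstPort int
}

// SecurityGroup is stateful: once a packet is allowed its flow is tracked and
// the reply direction is permitted without any rule of its own.
type SecurityGroup struct {
	Rules []SGRule
	flows map[flowKey]bool
}

func (sg *SecurityGroup) Allows(p Packet) bool {
	if sg.flows == nil {
		sg.flows = make(map[flowKey]bool)
	}
	// A reply swaps source and destination; check it against tracked flows.
	if sg.flows[flowKey{p.Proto, p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}] {
		return true
	}
	for _, r := range sg.Rules {
		if ruleMatches(r.Inbound, r.Proto, r.CIDR, r.FromPort, r.ToPort, p) {
			sg.flows[flowKey{p.Proto, p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}] = true
			return true
		}
	}
	return false
}

// WebServerScenario returns a constructed HTTPS request from a client on the
// internet to an instance, and the instance's reply to that client.
func WebServerScenario() (request, reply Packet) {
	request = Packet{"tcp", "203.0.113.5", "10.0.1.10", 51000, 443, true}
	reply = Packet{"tcp", "10.0.1.10", "203.0.113.5", 443, 51000, false}
	return
}

func main() {
	req, reply := WebServerScenario()
	acl := []NACLRule{
		{100, true, "tcp", "0.0.0.0/0", 443, 443, true},
		{100, false, "tcp", "0.0.0.0/0", 443, 443, true}, // no ephemeral-port rule
	}
	fmt.Println("NACL request:", NACLAllows(acl, req), "reply:", NACLAllows(acl, reply))
	sg := &SecurityGroup{Rules: []SGRule{{true, "tcp", "0.0.0.0/0", 443, 443}}}
	fmt.Println("SG request:", sg.Allows(req), "reply:", sg.Allows(reply))
}
```

The practical check this encodes: whenever a perimeter ACL opens a listener port inbound, confirm there is a matching outbound allow for the ephemeral port range (1024-65535) or replies will be dropped, and keep explicit deny entries at lower numbers than the allows they are meant to override.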
Secure Development Practices
Ezypay's engineering team follows secure development practices with well-defined processes:
- All code is tested and code reviewed before release.
- Before every release, our code is scanned for vulnerabilities.
- Merchant passwords and client tokens are stored separately from other data and secured using industry best practice.
All staff undergo annual PCI security awareness training, and our engineers also complete annual secure coding standards training to help mitigate vulnerabilities such as the OWASP Top 10.
Audit Assurance & Compliance

As a PCI DSS certified business, we meet our PCI DSS obligations by performing internal quarterly review checks and by engaging a recognised and approved leading cyber security consultancy for our annual PCI DSS Qualified Security Assessment reviews. They work with Ezypay to provide external compliance audits and certification outcomes. Ezypay is issued with an Attestation of Compliance (AOC) at the conclusion of a successful audit. The AOC is renewed annually through a separate detailed audit process. We continue to successfully maintain our PCI DSS certification.
Our current AOC: Ezypay PCI DSS V4 AOC 2024. The AOC is available upon request from help@ezypay.com.
Our Quality Assurance activities include:
- Bi-annual system penetration testing
- Pre-audit assessment
- PCI DSS annual audit and re-certification
- Internal quarterly PCI review: risk log review and updates
Business Continuity Management & Operational Resilience

Ezypay’s platform is built on Amazon Web Services (AWS) cloud infrastructure and is deployed across multiple availability zones within AWS. This means that we have redundancy and resilience in the event of an outage within one of these zones.
Databases are automatically backed up daily and retained for 35 days, while database transaction logs are backed up every 5 minutes, allowing Ezypay, in the event of a disaster, to restore our databases to any point in time (to within a 5-minute window) within the last 35 days. The services and APIs underpinning Ezypay's platform are stateless and self-healing; new instances are automatically provisioned in the event of a service failure. Ezypay's services and infrastructure follow modern CI/CD practices: applications and infrastructure (Infrastructure as Code) are deployed via automated release pipelines with approval gates, allowing rapid provisioning of both applications and infrastructure.
Change Control & Configuration Management Policy
Ezypay enforces change control processes for every change to our Vault environment. The purpose of this policy is to document the way that we manage changes that occur to Ezypay-maintained information technology in a way that minimizes risk and impact to the company. It will also define a Change as understood by Ezypay and describe the accepted Interim Change Management process.
Governance and Risk Management

Ezypay manages Governance and Risk Management processes across several teams: Engineering, Compliance & Strategy, Merchant Operations and Support. We follow a number of policies, outlined below, as part of our overall approach to security:
- Information Security Cardholder Data Retention Policy: This policy outlines and documents the architecture and process by which Ezypay encrypts and stores cardholder data.
- Ezypay IT Security Policy: The objective of this policy is to define standards of conduct when employing the use of information technologies. Information Technology is defined as all computing and telecommunications resources. This includes all technology, systems, data and networks implemented in private, hybrid and/or public cloud infrastructures, plus all other Ezypay IT assets implemented in cloud services as identified by IT department.
- Vulnerability Remediation Process Governance: This document provides a governance framework for the process of vulnerability remediation in the context of Ezypay's Payment Card Industry Data Security Standards (PCI DSS) compliance efforts.
- Risk Management framework: This framework document is to provide instructions for the identification and management of risk. It also provides an overview of the key concepts of risk management and outlines how the risk management process is practically applied by Ezypay.
- PCI Quarterly Review: This document defines the process by which the DevOps, Engineering and IT teams ensure that security policies and operational procedures are known and followed. The Risk Register is reviewed and updated each quarter, or as required.
- Vendor Assessment / PCI Compliance Certification: Technology vendor assessment is a controlled process within Ezypay. Prospective vendors must undergo an assessment prior to use and require approval from the Chief Technology Officer. Due diligence includes understanding the data and services to be provided by a vendor and the impact this will have on the PCI environment, i.e. storage of cardholder data and protection of the Cardholder Data Environment (CDE).
- Change Management Policy: This policy documents the way that we manage changes to Ezypay-maintained information technology so as to minimise risk and impact to the company. It also defines a Change as understood by Ezypay and describes the accepted Interim Change Management process.
- PCI Policy: As an organisation that accepts, processes, stores and transmits credit card information, Ezypay is required to comply with the PCI DSS. The PCI DSS outlines the minimum security requirements for protecting credit card information within an organisation. This policy describes Ezypay's approach to the PCI DSS requirements for the Ezypay CDE.
- Privacy and Security Policy: Ezypay's Privacy Policy defines the personal information that is collected from you, how we collect, store and use that data, and to whom we disclose it. In accordance with the Australian Privacy Principles (APPs), it also explains how Customers may access or modify their information, or make a complaint in the unlikely event of a breach of privacy.
Identity & Access Management
Ezypay engages our Merchants and their Customers via our standard Principal (Merchant) Terms and Conditions as well as our Customer Terms and Conditions. The Merchant agrees to the Principal Terms and Conditions and their Customer agrees to our Customer Terms and Conditions.
Both agreements bind the Merchant and their Customers to adhere to our Identity and Access Policy requirements. The Ezypay Identity and Access Policy document is available from our website at https://forms.ezypay.com/hubfs/document/Identity_and_Access_Policy.pdf
We employ robust onboarding checks and KYC validation, and operate a transaction monitoring framework, to:
- Identify and measure any behavioural changes within the merchant's expected trading patterns
- Review onboarded customers
- Assess the risk associated with the merchant's requested Maximum Debit Value (MDV) and with changes to the merchant's company structure
Data centre and Infrastructure

Ezypay hosts all of its servers and application services with Amazon Web Services (AWS).
AWS manages a comprehensive control environment that includes the necessary policies, processes, and control activities for the delivery of each of the web service offerings. The collective control environment encompasses the people, processes, and technology necessary to maintain an environment that supports the effectiveness of specific controls and the control frameworks for which AWS is certified and/or compliant.
AWS is compliant with various certifications and third-party attestations.
These include SAS70 Type II, PCI DSS Level 1, ISO 27001 and FISMA; others can be found at https://aws.amazon.com/compliance/programs/
Security Incident Management, E-Discovery & Cloud Forensics
We have a documented incident response process that is audited annually. Mock incidents are performed annually to ensure staff are familiar with the process.
We have teams rostered on after hours so that we have 24/7 coverage to respond to incidents.
Threat and Vulnerability Management
We have a vulnerability management process that maintains the integrity of our network, platform and applications.
Vulnerabilities are reviewed weekly by our DevOps engineers, rated using the Common Vulnerability Scoring System (CVSS) and addressed in order of criticality.
The process includes quarterly external vulnerability scanning and bi-annual network penetration testing.
All Ezypay devices and applications have multi-factor authentication enforced and enabled, with antivirus and anti-malware software installed.
Further Information
Ezypay Knowledge centre - help.ezypay.com
Ezypay Developer hub – developer.ezypay.com
Ezypay Status page - status.ezypay.com
Visa’s Service provider PCI Registry - https://www.visa.com/splisting/searchGrsp.do
Ezypay Identity and Access policy - https://forms.ezypay.com/hubfs/document/Identity_and_Access_Policy.pdf
Ezypay Privacy Policy - https://www.ezypay.com/privacy-security
Australia Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/AU_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/Ezypay_Customer_Terms_Conditions.pdf
Banking Agreement - https://forms.ezypay.com/hubfs/document/AU_Banking_Agreement.pdf
New Zealand Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/NZ_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/NZ_Customer_Terms_Conditions.pdf
Banking Agreement - https://forms.ezypay.com/hubfs/document/NZ_Banking_Agreement.pdf
Singapore Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/SG_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/SG_Ezypay_Customer_Terms_Conditions.pdf
Malaysia Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/MY_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/MY_Ezypay_Customer_Terms_Conditions.pdf
Philippines Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/PH_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/PH_Ezypay_Customer_Terms_Conditions.pdf
Hong Kong Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/HK_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/HK_Ezypay_Customer_Terms_Conditions.pdf
Taiwan Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/files/documents/TW_Principal_Terms_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/files/documents/TW_Ezypay_Customer_Terms_Conditions.pdf
Korea Terms and Conditions
Principal Terms and Conditions - https://www.ezypay.com/hubfs/document/KR_Principal_Terms_&_Conditions.pdf
Customer Terms and Conditions - https://www.ezypay.com/hubfs/document/KR_Customer_Terms_&_Conditions.pdf
Contact
Stone & Chalk - Level 1/477 Pitt St, Sydney NSW 2000
hello@ezypay.com | 1300 652 825
