FundMyPlanet has established a security and risk management program to securely accept payments over the Internet. We have implemented the following policies, procedures and strategies to ensure the safest online experience:
- Our service providers are PCI DSS compliant
We maintain access control lists (ACLs) a firewall and router configuration to protect cardholder data. Firewalls ACLs are utilised to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols. We do not use vendor-supplied defaults for system passwords and other security parameters. We Encrypt all non-console administrative access such as browser/Web-based management tools. Our shared hosting provider is PCI DSS compliant.
Protection of cardholder data
We do not store any cardholder data. We do not display card PAN (Primary Account Number). Our cardholder data security and PCI DSS are mitigated by the utilisation of remote Stored Card Tokenization. Cardholder information is securely exchanged using innovative tokenization technology and stored remotely in a PCI DSS compliant encrypted database. Tokenization and data encryption are both widely recommended methods of data protection that significantly reduce cardholder data exposure.
We encrypt all transmissions of cardholder data across open networks. We have installed SSL/TLS encryption to safeguard sensitive cardholder data during transmission over our public network ensuring safe and reliable transactions. We ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices by implementing strong encryption for authentication and transmission. We prohibit the transmission of unencrypted PANs by end user messaging technologies.
We have implemented third party anti-virus mechanisms on business computers and servers. We ensure that our anti-virus mechanisms are current, actively running, and capable of generating audit logs. We ensure that all system components and software have the latest vendor-supplied security patches installed, and deploy new patches regularly (minimum monthly deploy). We have developed Rainforest Connections to industry best practices and secure coding guidelines. We will continue to incorporate information security and review custom application code to identify coding vulnerabilities throughout the software development life cycle. We follow change control procedures for all changes to system components.
Access control measures
We maintain strong access control measures. We do not have any systems components that enable access to cardholder data. We do not keep any physical copies of cardholder data. We assign a unique ID and collect an email address for each person with computer access to the FundMyPlanet web application, whether they be an administrative or end user. We employ Secure Shell (SSH) for secure data communication, remote shell services and command execution. We render all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards. We ensure proper user authentication and password management for non-consumer users and administrators on all system components. We use a visitor log to maintain a physical audit trail of visitor information and activity and keep records for a year.
We maintain a multi-faceted fraud detection strategy to combat the most common types of card fraud. The first layer includes standard card association/scheme-based verification tools. The second layer includes a series of fraud checks and business rules in accordance with our business practices. The capabilities of our Fraud Detection Strategy Include:
- Card BIN range blocking
- IP country and IP range blocking
- Suspect card identification
- Trusted card identification
- 3D secure "authentication state" risk rule
- CSC and AVS risk rules (based on AVS and CSC results)
Monitoring and testing of networks
We track and monitor all access to network resources. We have established a process for linking all access to system components to each individual user. We have synchronized all critical system clocks and times. We have implemented a daily review of the logs for all system components related to security functions. We retain audit trail history for at least one year.