Compliant with the Payment Card Industry Payment Application Data Security Standard (PA-DSS). (PA-DSS was retired by the PCI Security Standards Council in October 2022 in favour of the PCI Software Security Framework, so current validations are issued against the newer standard.) Payment entities' hosted environment and sensitive data are protected by shared hosting.
Uses the Transport Layer Security (TLS) protocol, versions 1.1 and 1.2, to provide a secure and reliable connection between the Web Server and the client's browser. TLS encrypts application data with symmetric cryptography, using unique session keys negotiated for each connection. Note that TLS 1.1 is deprecated (RFC 8996) and should be disabled so that only TLS 1.2 or later is offered.
The Web Server's certificate (Secure Sockets Layer, SSL, is the older name for the same mechanism) carries a public/private key pair that authenticates the server and is used to negotiate the per-session symmetric key, of 128 bits or more, that encrypts every packet exchanged between the Web Server's secured directories and the client's browser over the Internet.
A strict session management mechanism is in place to prevent insecure access and to protect all resources from unauthenticated and unauthorized users.
Prevents unauthorized access to the web interface by blocking an account after a defined number of invalid login attempts. A brute-force attack on a login therefore fails once the threshold is reached, which greatly reduces the probability of an attacker guessing a password. Per-account lockout does not by itself stop password spraying across many accounts, and an attacker can use it to lock a victim out deliberately, so it should be combined with rate limiting per source address and with CAPTCHA.
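The lockout policy described above, as an added example that is not the platform's own code: a per-account counter that blocks the account for a fixed period once the threshold is reached, rejecting even the correct password while the lock is in force, and resetting the counter on a successful login. The threshold, lockout duration and the user table are assumptions for the demonstration, and the clock is injectable so the example can fast-forward time.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # assumed policy value; the page only says "defined invalid attempts"
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration

# Constructed user table for the demonstration. Passwords are kept in clear only
# to keep the example short; a real store holds salted, slow password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts since the last success
    locked_until: float = 0.0 # epoch time until which the account is blocked


class LoginGuard:
    """Per-account lockout: after max_attempts consecutive failures the account
    is blocked for lockout_seconds, even if the correct password is supplied."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so the demo can fast-forward time
        self.state = {}             # username -> AccountState

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"                     # do not even check the password
        if USERS.get(username) == password:
            st.failures = 0                     # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
            return "locked"                     # threshold reached on this attempt
        return "denied"


def demo():
    """Walk through the policy with a fake clock; returns the observed decisions."""
    now = [1_000.0]
    guard = LoginGuard(max_attempts=3, lockout_seconds=60, clock=lambda: now[0])
    failures = [guard.attempt("alice", "wrong") for _ in range(3)]
    while_locked = guard.attempt("alice", "correct horse battery staple")
    now[0] += 61                                # lockout window elapses
    after_lockout = guard.attempt("alice", "correct horse battery staple")
    return failures, while_locked, after_lockout
```

The guard refuses the correct password while the lock is active so that an attacker who keeps guessing learns nothing from the response; the same response for unknown usernames avoids turning the lockout into a username oracle.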
If a customer leaves the session open and walks away from the computer, the web server automatically closes the session after a period of inactivity. Once the session has closed, the browser's back button will not bring back protected pages. The system administrator can configure the length of the session timeout.
Whenever transaction data or PIN blocks are transmitted, within or beyond the platform, they are encrypted so that they cannot be intercepted and read by unauthorized users.
For payment transactions, the response details written to logs (Customer ID, PAN, payer ID) are encrypted.
Connection strings are encrypted and decrypted by an HSM. Web service URLs, user IDs and passwords are also stored encrypted.
To prevent fraudulent activity and misuse of user data, the platform keeps users' secure information (e-mail addresses, secret answers, etc.) in an encrypted database. Database connection strings and web service URLs are also kept encrypted in configuration files. Checksums are used to ensure the integrity of sensitive data and to detect updates made from outside the platform. Note that an unkeyed checksum only detects accidental corruption, because anyone who can alter the data can recompute it; detecting deliberate tampering requires a keyed MAC such as HMAC with a key the attacker cannot reach.
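The integrity check described above, as an added example that is not the platform's own code. It puts the two approaches side by side: an unkeyed SHA-256 checksum, which an attacker with database write access defeats simply by recomputing it, and an HMAC-SHA256 tag, which cannot be forged without the key. The record layout and field names are constructed for the demonstration, and the key is generated locally where the platform would hold it in the HSM.

```python
import hashlib
import hmac
import json
import secrets

# Constructed record; the field names are illustrative, not the platform's schema.
RECORD = {"user_id": 1042, "email": "alice@example.com", "daily_limit": 5000}


def canonical(record):
    """Serialise deterministically so the same content always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# Unkeyed checksum: catches accidental corruption, nothing more.
def checksum(record):
    return hashlib.sha256(canonical(record)).hexdigest()


def checksum_valid(record, stored):
    return hmac.compare_digest(checksum(record), stored)


# Keyed MAC: only a holder of the key can produce a tag that verifies.
def tag(record, key):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def tag_valid(record, stored, key):
    return hmac.compare_digest(tag(record, key), stored)


def tamper_demo():
    key = secrets.token_bytes(32)       # in the platform this would live in the HSM
    stored_checksum = checksum(RECORD)
    stored_tag = tag(RECORD, key)

    # An attacker with write access to the database, but not to the key,
    # raises the limit and recomputes the public checksum to match.
    tampered = dict(RECORD, daily_limit=1_000_000)
    forged_checksum = checksum(tampered)

    return {
        # The old checksum does flag the change, but only if the attacker forgot to update it.
        "checksum_catches_lazy_tamper": not checksum_valid(tampered, stored_checksum),
        # A recomputed checksum passes: the algorithm is public and needs no secret.
        "checksum_accepts_forgery": checksum_valid(tampered, forged_checksum),
        # The keyed tag cannot be recomputed without the key.
        "mac_rejects_tamper": not tag_valid(tampered, stored_tag, key),
        "mac_accepts_original": tag_valid(RECORD, stored_tag, key),
        "mac_rejects_wrong_key": not tag_valid(RECORD, stored_tag, secrets.token_bytes(32)),
    }
```

Both verifiers use hmac.compare_digest so that a byte-by-byte mismatch does not leak through response timing. The MAC key must be kept out of the database it protects; otherwise an attacker who can read the table can forge tags exactly as easily as checksums.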
Clients are required to permit only TCP port 443 (HTTPS) for platform operations. The firewall will allow this port for the operation of the platform; any other configuration of security-related hardware or software is the client's responsibility.
A firewall denies unauthorized remote access to the private network from the Internet by filtering traffic between the private network and the Internet. Proxies that limit internal clients' access to external Internet servers are also set up.
A secured session module generates and verifies session IDs during a user's login session to defeat session hijacking and session fixation. The session ID is protected against man-in-the-middle interception by the TLS channel described above; the module's own contribution is that IDs are unguessable, rotated at login and invalidated on logout or timeout.
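The session handling described in the three points above (strict session management, inactivity timeout with the back button disabled, and session ID generation and verification), as one added example that is not the platform's own code. It keeps all session state server-side, draws IDs from the OS CSPRNG, rotates the ID at login so a fixated ID is useless, expires idle sessions, and emits the cache headers that stop the browser from replaying a protected page after the session ends. The timeout default and the demo's fake clock are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed default; the page says the administrator can change it


class SessionStore:
    """Server-side session table keyed by an unguessable ID. The ID is the only
    thing the browser holds; user identity and timestamps stay on the server."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock              # injectable so the demo can fast-forward time
        self._sessions = {}             # session_id -> {"user": str|None, "last_seen": float}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter or timestamp

    def create_anonymous(self):
        """Pre-login session (e.g. for the login form itself)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the ID at authentication: an ID an attacker planted in the
        victim's browser before login (session fixation) is worthless afterwards."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def authenticated_user(self, sid):
        """Return the logged-in user for a valid, unexpired session, else None.
        Every valid access refreshes the idle timer."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]     # expired: remove it so the ID cannot be revived
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)   # server-side invalidation, not just cookie deletion


def protected_page_headers():
    """Headers for authenticated pages so the browser does not serve them from
    its cache after the session has ended (the "back button" behaviour above)."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}


def demo():
    now = [0.0]
    store = SessionStore(idle_timeout=600, clock=lambda: now[0])
    pre_login = store.create_anonymous()
    sid = store.login(pre_login, "alice")
    fixation_defeated = sid != pre_login and store.authenticated_user(pre_login) is None
    now[0] += 599
    still_valid = store.authenticated_user(sid) == "alice"   # activity refreshes the timer
    now[0] += 601
    expired = store.authenticated_user(sid) is None          # 601 s idle > 600 s limit
    guessed = store.authenticated_user("AAAAAAAA") is None    # unknown ID is simply rejected
    return fixation_defeated, still_valid, expired, guessed
```

In a real deployment the session ID travels in a cookie marked Secure, HttpOnly and SameSite, and the store lives in a shared backend so that every web node sees the same expiry and logout decisions.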
Sensitive data is always masked whenever it is displayed in the web interface.
Asks the user for an E-token, a PIN distinct from the user's login password and secret keyword. Only software-based E-tokens are supported. A proprietary algorithm, rather than a published standard such as RFC 6238 TOTP, is used to generate E-tokens.
CAPTCHA can be used to prevent automated attacks on the internet banking portal. The platform supports adding a CAPTCHA to the login and registration pages to prevent automated registration or login attacks.
User passwords are hashed using MD5, SHA-1 or SHA-256; HMAC is also supported when generating the password hash. Note that MD5 and SHA-1 are cryptographically broken, and all three are fast, general-purpose hashes: without a per-user salt, identical passwords produce identical hashes and a single precomputed table cracks every account at once. A deployment should configure a salted, deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt or Argon2) for stored passwords.
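Why the choice of hash matters, as an added example that is not the platform's own code. It first shows a constructed table of unsalted MD5 password hashes, as a scheme like the one described would produce, being cracked with a small wordlist in a single pass, and then a hardened scheme using PBKDF2-HMAC-SHA256 with a random per-user salt, a configurable work factor and a constant-time comparison. The user names, passwords, wordlist and iteration counts are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed "leaked" table of unsalted MD5 password hashes. Note that alice and
# carol chose the same password and therefore have the same hash.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"password123").hexdigest(),
}

# Constructed wordlist for the demonstration.
WORDLIST = [b"123456", b"password", b"letmein", b"password123", b"qwerty"]


def crack_unsalted_md5(hashes, wordlist):
    """One hash per word cracks every user at once: with no salt, a single
    table (or a downloaded rainbow table) covers the whole user base."""
    table = {hashlib.md5(w).hexdigest(): w.decode() for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


# Hardened scheme: random per-user salt plus a slow, iterated KDF.
ITERATIONS = 600_000   # assumed work factor (OWASP's 2023 figure for PBKDF2-HMAC-SHA256)


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm, iterations, salt and key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                             int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo():
    cracked = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    # Low iteration count only to keep the demonstration fast.
    h1 = hash_password("password123", iterations=10_000)
    h2 = hash_password("password123", iterations=10_000)
    same_password_differs = h1 != h2          # salt makes each record unique
    correct = verify_password("password123", h1)
    wrong = verify_password("Password123", h1)
    return cracked, same_password_differs, correct, wrong
```

Storing the iteration count beside the hash lets the work factor be raised later: records hashed under the old count still verify, and can be re-hashed at the user's next successful login.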
A complete activity log of every action performed through the Front End or BackOffice application is maintained in a secured database, so that the activities of every user can be traced. The log does not store confidential customer information such as the E-token, secret answer or password.
A front-end application user is required to set a secret question and answer. This secret question/answer pair is used for security-related operations such as Forgot Password.