Security and Compliance
Data Security
Comprehensive measures safeguarding Data Integrity within vaultera switch
At vaultera switch, we prioritize data security and adhere to PCI DSS standards to protect sensitive information. Our platform is engineered with a robust multi-layered encryption framework to secure sensitive data, including API credentials, RSA certificates, database passwords, and Personally Identifiable Information (PII), throughout its lifecycle.
Benefits of Our Security Framework
Compliance and Trust: We comply with PCI DSS 4.0 and ISO 27001:2022 standards, ensuring international best practices for data protection. Enhanced Data Security: vaultera switch employs advanced encryption layers to secure data during transmission and storage. Fraud Prevention: Through secure card vaulting and tokenization, we minimize fraud risks. Operational Transparency: With merchant-specific encryption, we ensure your data remains confidential and protected.Handling Sensitive Data
The vaultera switch application employs multiple layers of encryption to safeguard sensitive card information during transmission between components as explained below. Our security framework is designed to meet PCI standards, ensuring maximum protection and confidentiality for all card-related data.1. Accepting Card Data
Card information is initially received from the vaultera switch SDK. This data is encrypted using SSL/TLS protocols, ensuring end-to-end encryption during transmission between the SDK and the vaultera switch backend. This guarantees that sensitive card data is secure from the point of collection.2. Storing Card Data (Vaulting)
When a payment is made using a saved card, the card details are securely stored in the vaultera switch Card Vault. This process involves multiple steps to ensure the confidentiality and integrity of the data:Card Data Preparation
Signing for Integrity: The vaultera switch App Server signs the card details using its private key, ensuring the data has not been altered. Encryption for Confidentiality: The signed details are encrypted using the public key of the Card Vault (locker), securing the data during transmission.Data Storage Process
Validation: The vaultera switch Card Vault validates the signed data using the public key of the vaultera switch App Server. This step ensures the integrity of the transmitted data. Decryption: The Card Vault decrypts the received data to make it usable for storage.Secure Storage
- The decrypted data is re-encrypted internally using AES encryption
- This securely encrypted data is then stored in the database
- The database itself is encrypted at rest, providing an additional layer of security for the stored information
3. Using Card Data for Analytics and Payment Operations
To provide insights and analytics without compromising sensitive information, only partially masked card details (e.g., the first 4 and last 4 digits) are sent to the vaultera switch Control Centre. This approach offers merchants a high-level view of transactions while preserving customer confidentiality.Data Encryption Overview
At vaultera switch, we place the utmost importance on safeguarding sensitive data, including external API credentials, customer information, and card details. Our application employs a multi-layered encryption approach to ensure security during data transmission and storage. Masked Transmission: All sensitive data remains masked during transmission and is never permanently stored on local systems. Multi-Layered Encryption: Data is encrypted at every critical juncture, ensuring robust protection against breaches.Key Management System (KMS) Encryption
vaultera switch employs AWS Key Management System (KMS) to securely manage sensitive keys required for the application’s operation. Startup Encryption: Sensitive keys, such as database passwords and RSA certificates, are encrypted at startup. Secure Storage: These encrypted keys are securely stored in environment variables or configuration files, ensuring their confidentiality and protection against unauthorized access.Key Manager Service Encryption
Merchant-Specific Encryption
vaultera switch utilizes a Key Manager Service to ensure the secure generation and storage of a unique Data Encryption Key (DEK) for each merchant. These merchant-specific DEKs undergo further encryption using a secrets manager, such as AWS KMS, to provide an additional layer of security.Data Encryption for Each Merchant Account
Data associated with individual merchant accounts is encrypted using the unique DEK for that merchant. This approach ensures robust protection of:- Connector API Keys: Critical credentials for third-party integrations
- Confidential Merchant Information: Business-sensitive data that needs stringent security
- Customer Personally Identifiable Information (PII): Data such as customer names, email addresses, and other sensitive details
The Encryption Process Ensures
Data Segmentation and Authorized Access Only: Each merchant’s data is encrypted with their specific DEK, ensuring that each set of data remains protected and is accessible only to authorized parties associated with that merchant. Data can only be decrypted by entities possessing the appropriate credentials tied to that merchant’s DEK.Concealing Sensitive Data in Logs
At vaultera switch, we take extra care to protect sensitive information, even in system logs. Our application framework uses a wrapper type to classify all sensitive data as Secret. Leveraging Rust’s Advantages: vaultera switch uses Rust, a strongly typed programming language, to create a robust mechanism (Secret<T>) for handling sensitive data.
Masked Logging: Instead of exposing sensitive details such as passwords or Personally Identifiable Information (PII), we log only the data type (e.g., *** alloc::string::String ***).
Source-Level Protection: By masking sensitive data at its source, we ensure that sensitive information is never inadvertently exposed, even in debug outputs or logs.