EXPLORINGNOTBORING Security and PCI Compliance

by | Feb 10, 2023 | Newsroom, Seeker Resources

If you’re a human being living in this modern world, especially if you fancy the internet, then security must be important to you. Taking measures to protect yourself online and offline will help minimize risk to your identity, yo’ monies, and your personal data. Helping you protect your online payments and activities when using our platform is something we take seriously.

So, let’s take a moment to talk about security and PCI compliance.

Yup, we know this is a boring subject, and we don’t do boring, BUT . . .

(Oh, my god, Becky. Look at her but. It is so big.) 🤣

It’s important to know exactly how we help protect your User data, especially your card data, when using exploringnotboring.com to purchase unique Activities, Events, and Products handcrafted by local experts near you & beyond. After all, security is critical for peace of mind when shopping online.

Now class, please open your textbooks to page 1,000,005 and let’s get started.

FYI—This article focuses on protecting your card data, yet the security measures outlined below help secure our entire platform, integrations, and User data. They include TLS, HTTPS, AES-256 encryption (Advanced Encryption Standard with a 256-bit key), and keeping our code libraries up to date so that known vulnerabilities are patched.

Payment Card Industry Data Security Standards

To improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created.

Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data.

Before the PCI SSC was established, these five credit card companies all had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy, the PCI Data Security Standards (known as PCI DSS) to ensure a baseline level of protection for consumers and banks in the Internet era.

Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards.

There are over 300 security controls you must meet if you handle card data. That’s why EXPLORINGNOTBORING partners with Stripe, Inc for secure payments. You’ve heard of Stripe, right?

Stripe has the highest level of security available in the payments industry.

Why reinvent the wheel, right?

Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

That said, PCI compliance is a shared responsibility and applies to both Stripe and EXPLORINGNOTBORING. When accepting payments, we must do so in a PCI compliant manner. The simplest way for us to be PCI compliant is to never see (or have access to) card data at all. Stripe makes this easy for us by doing the heavy lifting to protect your personal card information.

We simplified our PCI compliance with Stripe by:

✅ Securely transmitting card information directly to Stripe without it passing through our servers
✅ Serving our payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS
✅ Reviewing and validating our PCI compliance annually with the help of Stripe as our PCI advocate

TLS and HTTPS for Secure Connections

EXPLORINGNOTBORING forces HTTPS for all services, including our public website, and uses TLS (still commonly called SSL) to protect data in transit.

TLS is the protocol that protects data travelling between the browser or app the customer is using and our server.

This was originally done with the Secure Sockets Layer (SSL) protocol. SSL is now outdated and no longer secure, and it has been replaced by TLS, but the term SSL is still used colloquially for TLS and its job of protecting transmitted data.

TLS provides two things:

  • Encrypt and verify the integrity of traffic between our platform and our server
  • Verify that the platform is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that you’re encrypting traffic to the right recipient.

Sensitive Data and Communication Encryption

We use Stripe, Inc for payment processing, so all card numbers are encrypted at rest with AES-256 (Advanced Encryption Standard with a 256-bit key).

Fun fact: our Google and Zoom integrations also require AES-256 in order to be approved and verified as an official app of each brand.

Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including their API and website.

Whooee, that’s some secure payment processing, don’t you agree?

Us too! That’s why we use Stripe for all the heavy lifting to protect your card data. We save a token in our database instead of the card number and CVV.
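As an added example (not code from Exploringnotboring or Stripe), here is a server-side guard in JavaScript for the model described in the checklist above and in this paragraph: the browser hands card details to the processor, the server receives only an opaque token, and a request that nonetheless carries a card number or CVV is rejected rather than stored or logged. The field names `paymentToken` and `orderId`, the CVV key names, and the `db` array are assumptions.

```javascript
// Luhn checksum, which every major card brand applies to its account numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if a value looks like a primary account number: 13 to 19 digits, Luhn-valid.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk an inbound request body and return the path of every field carrying card data,
// either a PAN-shaped value anywhere or a CVV/CVC field by name (assumed key names).
function findCardData(body, path = "") {
  const hits = [];
  for (const [key, val] of Object.entries(body)) {
    const here = path ? `${path}.${key}` : key;
    if (val && typeof val === "object") hits.push(...findCardData(val, here));
    else if (looksLikePan(val) || /^(cvv|cvv2|cvc)$/i.test(key)) hits.push(here);
  }
  return hits;
}

// Hypothetical checkout handler: the only payment detail allowed to reach storage is
// the opaque token the processor issued to the browser; anything else is rejected
// before it can be persisted or end up in a log line.
function storeCheckout(body, db) {
  const leaked = findCardData(body);
  if (leaked.length > 0) {
    return { ok: false, error: `card data in request: ${leaked.join(", ")}` };
  }
  if (typeof body.paymentToken !== "string" || body.paymentToken === "") {
    return { ok: false, error: "missing payment token" };
  }
  db.push({ orderId: body.orderId, paymentToken: body.paymentToken });
  return { ok: true };
}
```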

Overview of PCI Data Security Standard (PCI DSS)

As mentioned previously, PCI DSS is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data.

PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem.

This is important work: over 11 billion consumer records have been compromised in more than 8,500 data breaches since 2005.

It is applicable to any organization that accepts or processes payment cards.

PCI DSS compliance involves 3 main things:

  1. Handling the ingress of credit card data from customers, namely, that sensitive card details are collected and transmitted securely
  2. Storing data securely, which is outlined in the 12 security domains of the PCI standard, such as encryption, ongoing monitoring, and security testing of access to card data
  3. Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services, and third-party audits

Greater Security with Up-To-Date Code Libraries

Some of our other integrations, such as Zoom, require all code libraries within our application to be updated to the latest version. Maintaining up-to-date code libraries helps us eliminate known vulnerabilities to better secure our web app, including your User data, such as your card data.

Excellent Security is Complex and Challenging

When a business handles card data, it is required to meet each of the 300+ security controls in PCI DSS. There are over 1,800 pages of official documentation, published by the PCI Council, about PCI DSS, and over 300 pages just to understand which form(s) to use when validating compliance. This would take over 72 hours just to read. Shall we sign you up? 🤪

To ease this burden, we use Stripe, Inc for payment processing.

By using Stripe’s best-in-class security tools and practices to help us maintain a high level of security, we help protect every payment you make on exploringnotboring.com so you can focus on the fun part: enjoying new cultures, learning new skills, and having unique and memorable experiences.

So, get out there and enjoy new and exciting experiences with peace of mind!
