Our customers trust Opn Payments with sensitive information and expect us to act responsibly and safeguard their information with the highest levels of security. As a payments infrastructure provider, our commitment to maintain the highest levels of security is unwavering, consistently adapting to meet the demanding requirements of the global financial sector.
Compliance and Standards
Opn Payments is compliant with the highest level of the PCI standard, Level 1. This is the most demanding tier of security accreditation available within the payment processing sector.
At Opn Payments, our information security program adheres to the guidelines established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our commitment to maintain robust security practices meets the stringent requirements of our enterprise customers.
Our organization consistently integrates advanced privacy and data protection methodologies, protocols, and industry-leading practices in accordance with every relevant regulatory framework, such as PDPA and GDPR. To learn more about our ongoing efforts, please consult the privacy page.
To lessen the chances of compromise, we have data retention policies that minimize the data that we collect while complying with regulatory and business requirements.
Security is one of the critical considerations that guides all our product design and infrastructure decisions at Opn Payments.
Our dashboard supports multi-factor authentication (MFA) and onboards team members through secure account provisioning. Support requests from users must be verified before a support response is provided.
From the dashboard, users can assign multiple detailed roles to enable least-privilege access for their employees.
From the dashboard, users can also view audit logs of important account changes and activity, manage their active sessions, and see who has logged in to their account, from where, and when.
At Opn Payments, we strictly enforce the utilization of HTTPS for all services employing Transport Layer Security (TLS), including our public website and user dashboard. We diligently evaluate every aspect of our implementation, such as the certificates issued, certificate authorities employed, and supported ciphers.
All server-to-server communication is secured through mutual transport layer security (mTLS). Our systems reject connections that use outdated or less secure versions of TLS; TLS 1.2 is the minimum version accepted.
Our engineers work with security experts early in a project’s life cycle. They gather security requirements and then perform tasks such as threat modeling and going through checklists of security best practices to ensure that new products are developed in a secure manner.
All of our code goes through multi-party review and automated testing.
We utilize a secure development pipeline that scans every change for security vulnerabilities. We use static code analysis, dependency scanning, and automated vulnerability scanners to make sure that no change introduces bugs.
Vulnerability disclosure and reward program
We maintain a bug bounty program that compensates independent security researchers who help us keep our products secure. Refer to our page at HackerOne for more information on how to participate and submit bug reports.
Infrastructure and Processes
We perform periodic vulnerability scans and penetration tests, and engage security firms for third-party assessments that help us promptly address any identified issues. Our systems are continuously monitored. Additionally, we proactively upgrade our server operating systems well in advance of their security end-of-life dates, ensuring that we remain protected against potential threats.
Card Data Environment
Our systems encrypt sensitive data, both in transit and at rest. The infrastructure for storing, decrypting, and transmitting primary account numbers (PANs) such as credit card numbers runs in an isolated environment and doesn’t share any credentials with the rest of our services.
Access to this isolated environment is restricted to a limited number of engineers and is reviewed regularly.
All card numbers are encrypted at rest with AES-256 and tokenized. Decryption keys are stored in a separate encryption module. None of the other internal servers can obtain plaintext card numbers.
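The following is an added illustration of the tokenization model described above; it is not Opn Payments' code and the names (KeyModule, Vault, the tok_ prefix) are hypothetical. It assumes AES-256 in GCM mode (the page only says AES-256), an in-memory store standing in for the isolated card-data environment, and an object that holds the key and never exposes it, standing in for the separate encryption module. Services outside the vault only ever handle the opaque token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyModule stands in for the separate encryption module: it owns the
// AES-256 key and exposes only seal/open operations, never the key bytes.
// Hypothetical component for illustration.
type KeyModule struct {
	aead cipher.AEAD
}

// NewKeyModule generates a fresh 32-byte (AES-256) key and wraps it in GCM.
func NewKeyModule() (*KeyModule, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyModule{aead: aead}, nil
}

// Seal encrypts a PAN with AES-256-GCM. A random nonce is prepended to the
// ciphertext so every stored blob is self-describing.
func (k *KeyModule) Seal(pan string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Open decrypts a blob produced by Seal; GCM's tag check rejects any tampering.
func (k *KeyModule) Open(blob []byte) (string, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Vault stands in for the isolated card-data environment: it issues tokens and
// keeps only encrypted PANs. Hypothetical component for illustration.
type Vault struct {
	km    *KeyModule
	store map[string][]byte // token -> nonce||ciphertext||tag
}

func NewVault(km *KeyModule) *Vault {
	return &Vault{km: km, store: map[string][]byte{}}
}

// Tokenize encrypts the PAN, stores the ciphertext, and returns an opaque,
// random token that carries no information about the card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	ct, err := v.km.Seal(pan)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(raw)
	v.store[tok] = ct
	return tok, nil
}

// Detokenize is the only path back to a plaintext PAN and lives inside the vault.
func (v *Vault) Detokenize(tok string) (string, error) {
	ct, ok := v.store[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return v.km.Open(ct)
}

// StoredCiphertext exposes what is actually persisted, so a reader can confirm
// the PAN is never written in clear.
func (v *Vault) StoredCiphertext(tok string) []byte { return v.store[tok] }

func main() {
	km, err := NewKeyModule()
	if err != nil {
		panic(err)
	}
	v := NewVault(km)
	tok, err := v.Tokenize("4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("token handed to other services:", tok)
	fmt.Printf("stored blob (%d bytes): %x\n", len(v.StoredCiphertext(tok)), v.StoredCiphertext(tok))
}
```

The token is random rather than derived from the PAN, so a leaked token table reveals nothing about card numbers, and the GCM authentication tag means a modified blob fails to decrypt instead of yielding a corrupted PAN.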
We leverage SSO, two-factor authentication (2FA) using a hardware-based token, and mTLS over VPN from Opn Payments-issued machines to authenticate employees. After connecting to the network, sensitive internal systems and those outside the scope of the employee's standard work require additional access permissions.
We monitor audit logs to detect abnormalities and watch for intrusions and suspicious activity. We continuously collect telemetry from Opn Payments-issued laptops to monitor for malicious processes, connections to fraudulent domains, and intruder activity.
We have a formal process for granting access to systems and information; we regularly review and remove inactive access. We also continuously monitor activity to determine what has been accessed and by whom.
Security Culture and Awareness
We mandate that every employee completes a monthly security awareness program, and we provide secure software development training to engineers. We run internal phishing campaigns so that employees learn to recognise phishing attempts. We also provide other internal resources, such as a security champion program, to strengthen the company's overall security culture.
If you have any further questions or want to know more about how we handle security at Opn Payments, do not hesitate to contact us at firstname.lastname@example.org