Security Practices at InterPayments

What We Believe

We believe in trust through transparency, putting customers and partners first, and doing the hard things. This dedication informs our approach to Information Security. As such, we are committed to providing you with assurance of our security practices and answers to the questions most frequently asked during due diligence. We understand that you may have unique priorities or requirements. If you have a question that is not covered in this brief, please contact your Account Executive.

Security Architecture Principles

  • ISO 27001 and NIST 800-53 Standards-Based Approach
  • Least Privilege Principle
  • Defense in Depth
  • Zero Trust Architecture
  • Low Attack Surface
  • Security and Privacy by Design

Product Security

Access & Authorization

InterPayments supports Enterprise SSO and traditional username and password for login.

Personally Identifiable Information (PII)

InterPayments respects individual privacy and limits collection to first name, last name, and email address which are used for the purpose of authentication and authorization. This information is encrypted in-transit and at-rest and is never shared with third parties.

Network Protection

InterPayments uses various forms of network protections such as security groups, firewalls, web application firewalls, and DDoS (Distributed Denial of Service) protection/mitigation techniques to limit network access and prevent abuse.

Encryption

InterPayments encrypts all Testing Content in-transit using TLS (Transport Layer Security) 1.2 or greater and at-rest using AES-256). Cipher suites follow industry standards for security and performance (also known as strong ciphers).

Secrets

InterPayments uses a well-defined process to guarantee secret confidentiality. Secrets are environment specific and not permitted to be stored in source code.

Security Testing

InterPayments software undergoes regular Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Third party penetration testing is conducted annually.

Secure Software Development Lifecycle Plan (SSDLC)

InterPayments is developed using industry best practices for secure software development, including the use of automated SDLC processes. Changes are documented, reviewed, and approved prior to execution. Changes are evaluated in non-production environments and validated using standard QA (Quality Assurance) testing processes. Infrastructure changes follow the use of Infrastructure-as-Code best practices.

Resilience

InterPayments leverages highly available architectures deployed across geographically diverse zones and regions to maximize availability. This includes static data repositories which are replicated across geographies. A publicly available status page is available at InterPayments

Backups

InterPayments is backed up daily to provide recovery capability in the event of unexpected data loss. Backups are kept for 30 days. Disaster recovery plans and processes are evaluated at least annually.

Third-Party Attestation

InterPayments works with an independent, third-party auditor on an annual basis to verify our controls to ensure the continuous security, availability, confidentiality, and integrity of our customers’ data according to the ISO 27001:2022 standard.

Organizational Security

User Access

Access for our remote workforce is governed by the privilege of least privilege required. Prior to joining, all new employees must undergo a standard background check. Upon joining all access requests are logged and approved by authorized personnel. Multi-factor authentication (MFA) is enforced on critical services.

Passwords

Internal password policies are aligned to the NIST (National Institute of Standards and Technology) 800-63B standard which enforces length, complexity, and restrictions on commonly used password variants. Secure password vaults are provided to all employees.

Mobile Device Management (MDM)

MDM software enforces controls that help ensure our remote workforce’s devices stay safe and secure. Examples of enforced settings include full disk encryption for all devices, use of endpoint protection, and firewalls, along with automated system updates and patches to approved versions.

Security Incident Detection and Response

Incident response is guided by a regularly evaluated and continuously refined SANS-based Incident Response Plan. The Information Security team employs a suite of tools and technologies used to detect and alert people to suspicious activities. Alerts are routed to the Security team and follow Incident Response Plan procedures. Breaches of customer data are reported within 72 hours.

Security Awareness Training

Security awareness training is delivered to all employees at onboarding and annually thereafter. In addition to awareness training, development employees also take OWASP (Open Web Application Security Project) focused secure coding training at onboarding and annually thereafter, anyone with access to cardholder data also receives supplemental training. Monthly phishing exercises are also conducted to assess the training’s effectiveness on security culture.

Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery Plans are maintained and regularly evaluated.

Vulnerability Management

Vulnerabilities are managed through a Vulnerability Management Program aligned to industry best practices. Emerging threats are triaged, classified, and remediated upon prescriptive timelines. A responsible disclosure process has been established to allow for confidential submission of potential vulnerabilities. A formal bug bounty program with financial rewards is not offered currently.

Risk Management

Risk is continuously managed through a Risk Management Program aligned to industry best practices. Risks are identified, analyzed, evaluated, treated, and monitored according to policy. Formal assessments are conducted at least annually, and all risks and exceptions are captured and logged.

Vendor Reviews

Vendors are managed through a Vendor Management Program aligned to industry best practices. Each vendor is evaluated and classified based on assigned risk. Critical vendors are assessed at least annually and subjected to enhanced security evaluations to ensure compliance with security practices.

Information Security Policies

InterPayments maintains a library of policies and procedures that align with ISO27001:2022 standards.

Frequently Asked Questions

Does InterPayments need access to a customer’s network or systems?

InterPayments does not have access to the customer’s systems.

Has InterPayments experienced a security breach in the past three years?

No, it has not.

Are customers permitted to perform security testing against InterPayments services?

No, they are not. Results of Independent Penetration testing can be received for customers that have signed a current NDA (nondisclosure agreement).

Does InterPayments provide availability data publicly?

This can be found on our status page.


Email security@interpayments.com for further information.