Security

Why hire an internal IT person, when you can have an entire team of IT experts for a fraction of the cost?

Cybersecurity Against All Threats

SMD Webtech is committed to helping our merchants stay secure and compliant. We undergo rigorous audits, testing, and inspections to maintain the highest level of compliance in the industry. Our talented team of in-house developers, systems engineers and security administrators work to maintain strict security standards at all times.

This document outlines the steps SMD Webtech takes to secure all merchant and customer data, software and applications, and physical hardware that we utilize to operate our business and secure yours.

Network Setup

Our firewalls and servers run both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) to evaluate incoming traffic and block harmful actions. We follow recommended hardening guidelines to further increase system security.

System Updates

Servers and network appliances are updated regularly to keep all software current. When a major vulnerability is disclosed, patches are applied immediately by SMD Webtech UK's systems and security team. As required by our compliance obligations, every update is logged under our change-control policies.

Firewalls and IDS / IPS

SMD Webtech's firewall includes both an IDS and an IPS to protect against active and passive threats. These systems monitor network traffic for unusual behavior, abnormal traffic patterns and malicious payloads, and block attempts to exploit potential vulnerabilities.

Data Management

SMD Webtech UK protects sensitive data by keeping it separate from the web servers. This is achieved using several tools, including our Card Vault, SMD Webtech.js, hosted payment pages and the developer API.

Encryption

SMD Webtech encrypts all sensitive merchant data and cardholder data using the Advanced Encryption Standard (AES) with 256-bit keys. To meet PCI DSS requirements, all sensitive cardholder fields, including name, card number, expiry date and cardholder address (used for AVS), are encrypted when stored. SMD Webtech does not store card verification values (CVV), PINs, EMV data or magnetic-stripe data, which PCI DSS prohibits retaining after authorization.

Information in Transit

To protect data in transit, SMD Webtech requires TLS 1.2 connections to its servers, negotiated with a limited set of strong cipher suites. This keeps data confidential in transit and preserves its integrity. Outdated protocols, including SSLv3, TLS 1.0 and TLS 1.1, are disabled on our systems.
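The following is an added example, not code from SMD Webtech, showing what "TLS 1.2 only with a limited set of strong cipher suites" looks like as an actual server configuration, plus an audit function that flags the settings the paragraph says are retired. It uses Python's standard `ssl` module on top of OpenSSL; the cipher string, the list of "weak" name tokens and the `hardened_server_context` / `audit_cipher_names` helpers are my own choices, not anything the page specifies.

```python
import ssl

# Anything below this version (SSLv3, TLS 1.0, TLS 1.1) must be refused.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2

# OpenSSL cipher string (assumed policy): AEAD suites with ephemeral (EC)DHE key
# exchange only; anonymous, NULL, MD5, RC4, 3DES and DSS suites excluded.
# TLS 1.3 suites are enabled by OpenSSL in addition to these.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DSS"

# Tokens in an OpenSSL cipher-suite name that mark it as unacceptable.
# "DES" also catches 3DES, whose OpenSSL name is DES-CBC3-SHA.
WEAK_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH"}


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context that only speaks TLS 1.2+ with strong AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS_VERSION            # SSLv3/TLS 1.0/1.1 handshakes fail
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression enables CRIME-style attacks
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server, not client, chooses the suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_cipher_names(min_version: int, cipher_names) -> list:
    """Return human-readable findings for a protocol floor and a list of
    OpenSSL cipher-suite names; an empty list means the policy is met."""
    findings = []
    if int(min_version) < int(MIN_TLS_VERSION):
        findings.append("minimum protocol version is below TLS 1.2")
    for name in cipher_names:
        tokens = set(name.replace("_", "-").split("-"))
        if tokens & WEAK_TOKENS:
            findings.append(f"{name}: weak or broken algorithm")
            continue
        # TLS 1.3 suites (TLS_...) always use ephemeral key exchange.
        if not (name.startswith("TLS_") or tokens & {"ECDHE", "DHE"}):
            findings.append(f"{name}: no forward secrecy (static key exchange)")
        if not any(t.startswith(("GCM", "CCM", "POLY1305")) for t in tokens):
            findings.append(f"{name}: not an AEAD suite (CBC with HMAC)")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit a live SSLContext: what OpenSSL would actually negotiate with it."""
    return audit_cipher_names(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    # Constructed "legacy" configuration for contrast, not a real server's settings.
    legacy = audit_cipher_names(ssl.TLSVersion.TLSv1,
                                ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"])
    print("legacy findings:", *legacy, sep="\n  ")
    print("hardened findings:", audit_context(hardened_server_context()))
```

The audit looks at what OpenSSL reports the context will negotiate rather than at the configuration text, so it catches suites that slip in through an alias. The same check should also be run from the outside, for example with `openssl s_client -connect host:443 -tls1_1`, which must fail against a server configured this way.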

SMD Webtech's Cyber Security Practices

Robust security practices protect sensitive data, build trust with customers, maintain business continuity, comply with legal and regulatory requirements, and protect your reputation.

Authentication & Access Controls

To protect access to SMD Webtech UK's data and systems, the company enforces strong access controls: a VPN is required to reach all internal systems, user roles are explicitly defined, and multi-factor authentication is mandatory. Local and centralized logging provide an audit trail of all network access and activity. Internal office networks are segregated from the SMD Webtech UK platform environments and have no wireless access. Internal systems are only accessible to employees who are locally and physically connected to the network.

Data Storage

Transaction, cardholder and merchant data is stored on segregated pools of replicated database clusters; this architecture provides uptime and load balancing across the database servers. Sensitive cardholder data is retained for at most 24 months of inactivity. Each merchant's data is logically separated from, and inaccessible to, other merchants. Every access to merchant data by authorized SMD Webtech staff is logged. Customer and merchant data is stored separately from the SMD Webtech UK web servers; keeping the databases apart from the web servers adds a layer of defense and is required for our PCI DSS compliance.

Deny-All Policies

Firewalls deployed to our server environments have deny-all policies enabled by default. Every inbound and outbound connection must be approved and added as an explicit firewall rule before it is permitted.
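As an added illustration, not SMD Webtech's actual ruleset or firewall product, this is how a default-deny policy in both directions is expressed with nftables on a Linux host. The page does not name the firewall in use, so nftables is an assumption, as are the 10.0.x.x addresses, the port numbers and the comment texts: each accept rule stands for one approved change, and everything else is dropped and logged.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound

        ct state established,related accept               # replies to already-approved flows
        ct state invalid drop
        iif "lo" accept

        # Each permitted service is one explicit, reviewed rule.
        tcp dport 443 accept comment "public HTTPS"
        ip saddr 10.0.1.0/24 tcp dport 22 accept comment "SSH from management subnet only"

        # Anything that reaches here is dropped by policy; log it for the IDS/SIEM.
        limit rate 5/second log prefix "nft-drop-in: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # this host does not route
    }

    chain output {
        type filter hook output priority 0; policy drop;  # default deny outbound as well

        ct state established,related accept
        oif "lo" accept

        ip daddr 10.0.0.53 udp dport 53 accept comment "internal resolver"
        ip daddr 10.0.2.0/24 tcp dport 5432 accept comment "database pool"
        tcp dport 443 accept comment "outbound HTTPS to approved vendor APIs"

        limit rate 5/second log prefix "nft-drop-out: "
    }
}
```

The outbound `policy drop` is the part most deployments skip; it is what stops a compromised web server from calling home or exfiltrating data over an arbitrary port. Load with `nft -f` and confirm the policy with `nft list ruleset` before relying on it.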

Physical Data Access

Data centers have 24/7 on-site security. Physical access to the environments is limited to key personnel and requires multi-factor authentication, including biometrics.

Daily Backups

Databases are backed up automatically every day to protect merchants against lost, corrupted, stolen or destroyed data. Backups are replicated between data centers and to an offsite location, as part of our commitment to ongoing business continuity.

Password Protection

SMD Webtech UK enforces strict password standards. Software settings controlled by SMD Webtech UK ensure that passwords are always complex, changed regularly, stored only as salted hashes, and that users cannot reuse any of their previous 13 passwords.
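The following is an added example, not SMD Webtech's code, showing how "salted hashes" and "no reuse of the previous 13 passwords" fit together: each password in the history carries its own random salt, so a reuse check has to re-derive the candidate under every stored salt rather than compare hashes directly. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the hash choice, the complexity rule, the `PasswordStore` class and the lowered iteration count are all assumptions for the example, since the page does not state them.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

HISTORY_DEPTH = 13          # from the policy: the 13 most recent passwords cannot be reused
MIN_LENGTH = 12             # assumed complexity rule
# Work factor lowered so the example runs quickly; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 10_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; the salt is random per stored entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_problem(password: str) -> Optional[str]:
    """Return a reason the password is not complex enough, or None if it is."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if any(re.search(pattern, password) is None for pattern in classes):
        return "must contain lower case, upper case, a digit and a symbol"
    return None


class PasswordStore:
    """Per-user list of (salt, hash) pairs, newest first, trimmed to HISTORY_DEPTH.
    Entry 0 is the current password; the rest exist only for the reuse check."""

    def __init__(self) -> None:
        self._history = {}

    def rejection_reason(self, user: str, candidate: str) -> Optional[str]:
        """Why a proposed new password would be refused, or None if acceptable."""
        problem = complexity_problem(candidate)
        if problem:
            return problem
        # Because every entry has a distinct salt, the candidate must be hashed
        # once per entry; plain hash equality would never match.
        for salt, digest in self._history.get(user, []):
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return f"matches one of the previous {HISTORY_DEPTH} passwords"
        return None

    def set_password(self, user: str, new_password: str) -> bool:
        reason = self.rejection_reason(user, new_password)
        if reason:
            raise ValueError(reason)
        salt = os.urandom(SALT_BYTES)
        history = self._history.setdefault(user, [])
        history.insert(0, (salt, hash_password(new_password, salt)))
        del history[HISTORY_DEPTH:]          # the oldest entry falls out of the window
        return True

    def verify(self, user: str, password: str) -> bool:
        """Check a login attempt against the current (newest) entry only."""
        history = self._history.get(user)
        if not history:
            return False
        salt, digest = history[0]
        return hmac.compare_digest(hash_password(password, salt), digest)


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "Correct-Horse-9-Battery")      # constructed sample data
    print(store.rejection_reason("alice", "Correct-Horse-9-Battery"))  # reuse is refused
    print(store.verify("alice", "Correct-Horse-9-Battery"))           # True
```

Keeping old entries salted and hashed, rather than in any recoverable form, means a dump of the history table gives an attacker no more than the current hash would. The cost of the reuse check grows with the history depth, which is one reason to keep the work factor per hash, not the number of stored entries, as the main tuning knob.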

We Stop Breaches

Secure Coding Practices

All applications are developed in-house, and SMD Webtech UK developers are trained in, and regularly updated on, the latest secure coding guidelines, including those published by the Open Web Application Security Project (OWASP). Internal development lets the company keep tight control over coding standards, source code and deployment cycles.

Penetration Testing

SMD Webtech UK performs regular penetration testing to identify potential network, system and application vulnerabilities and to determine whether unauthorized access or other malicious activity is possible. Penetration tests are conducted both internally by SMD Webtech UK's security team and by third-party professionals.

Vulnerability Scanning

Regular vulnerability scanning of SMD Webtech UK's networks and applications identifies potential security concerns. As required for PCI DSS compliance, SMD Webtech UK performs both internal and external network scans, with external scans carried out by a PCI Approved Scanning Vendor (ASV).