Security
Technical Security
Our payment and platform provider, The Currency Cloud, is ISO/IEC 27001:2013 compliant.
Physical security
The service operates on Amazon Web Services (AWS), which is certified under a number of global compliance programmes that reflect best practice in data centre security, including:
- ISO 27001 Information Security Management Controls
- PCI-DSS Level 1 Payment Card Standards
- ISO 27018 Personal Data Protection
- SSAE 16 / SOC 1, SOC 2 and SOC 3
- FIPS (United States Government security standards)
For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/
More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/
Network security
We have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. We use reputable registrars to protect against domain hijacking and “phishing” attacks. Our platform undergoes regular penetration testing and has protection in place against common vulnerabilities such as code injection and cross-site scripting (XSS) attacks.
Encryption
All network traffic is encrypted in transit at the transport layer, and confidential information is encrypted at rest. We follow best practice for the storage and protection of encryption keys.
Information security
Our platform and operational security are certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls, and are independently audited.
We also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the European Union General Data Protection Regulation (GDPR).
Strong access control
Our platform provides a role-based, hierarchical security model with two-step authentication, and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.
Payment Control – Strong Customer Authentication (SCA)
SCA is covered as part of the EU Payment Services Directive (PSD2) and is a new European regulatory requirement intended to reduce fraud and make online payments more secure. Just as two-factor authentication (2FA) gives users additional peace of mind when logging into their Bell Rock platform, SCA does the same when making a payment. It is simply an additional security step in which users are asked to confirm that it is they who instructed the payment.