
Data Security 101: Ensuring Secure Payments

Contributed by Brian Chua, Manager, Information System Security

The rapid digitalisation of today’s economy has fundamentally transformed the way people interact, work, consume entertainment and shop.

In the early days of the Internet, customers were often wary of handing sensitive information, such as their credit card details, to online merchants. Today, most people are comfortable letting e-commerce platforms store their payment details in exchange for speed and convenience.

However, a frictionless user experience comes with a cost: stored payment data is a target, and a compromise exposes users to privacy and data breaches. Online marketplaces log millions of transactions every day, which makes their data extremely lucrative to malicious actors.

As attackers profit, companies rack up large losses and suffer reputational damage. IBM's 2023 Cost of a Data Breach report put the global average cost of a breach at US$4.45 million.

Developing a robust security framework is thus vital to maintaining customer confidence, ensuring business continuity and optimising for expansion.

Why 2C2P is secure

At 2C2P, we follow stringent security practices, ensuring the highest level of protection for our merchants and their customers. We have built a holistic and comprehensive end-to-end framework encompassing these four areas:

  • Product security
  • Infrastructure protection
  • Security posture
  • Compliance with standards and regulations

Product security

We use a security-by-design methodology in our product design and decision-making process and have a number of features to help our merchants protect their data.

Secure connections: Our services, public websites and merchant web portals are served over HTTPS (HTTP over TLS) using TLS 1.2, which protects data in transit to and from them. We also regularly audit the implementation, including the TLS certificates, the certificate authorities that issue them and the cipher suites we enable, so that our configuration keeps pace with current standards.
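As an added example (not 2C2P's own code), the Go program below shows what enforcing a TLS 1.2 floor looks like in practice: a server configured with MinVersion TLS 1.2 and only forward-secret AEAD cipher suites refuses a client that offers at most TLS 1.1, and negotiates TLS 1.2 or TLS 1.3 with a modern client. To run offline it uses an in-memory pipe instead of a network listener and a throwaway self-signed certificate instead of a CA-issued one; both are assumptions of the demo, as is the deliberately legacy-tolerant client configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA P-256 certificate for "localhost" so
// the example runs offline; it stands in for a CA-issued certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig is the hardened policy: TLS 1.2 as the floor and, for TLS 1.2,
// only forward-secret AEAD suites (Go fixes the TLS 1.3 suites, all AEAD).
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
		SessionTicketsDisabled: true, // no post-handshake messages on the in-memory pipe
	}
}

// HandshakeWithMaxVersion performs one handshake over an in-memory pipe between
// the hardened server and a client offering at most maxVersion. It returns the
// negotiated version, or 0 and the handshake error if the server refuses.
func HandshakeWithMaxVersion(maxVersion uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	sRaw, cRaw := net.Pipe()
	defer sRaw.Close()
	defer cRaw.Close()
	server := tls.Server(sRaw, ServerConfig(cert))
	client := tls.Client(cRaw, &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS10, // deliberately legacy-tolerant client
		MaxVersion: maxVersion,
	})
	srvDone := make(chan error, 1)
	go func() { srvDone <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		cRaw.Close() // make sure the server goroutine cannot block on the pipe
		<-srvDone
		return 0, err
	}
	<-srvDone
	return client.ConnectionState().Version, nil
}

func main() {
	names := map[uint16]string{tls.VersionTLS11: "TLS 1.1", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		got, err := HandshakeWithMaxVersion(v)
		fmt.Printf("client max %s -> negotiated %q, err: %v\n", names[v], names[got], err)
	}
}
```

The same tls.Config floor applies unchanged to an http.Server's TLSConfig. An audit of a live endpoint works the same way as the legacy client here: connect with MaxVersion pinned to each retired protocol version in turn and treat a successful handshake as a finding.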

Access and authorisation: From the merchant web portal, merchants can assign granular roles to their employees so that each account is granted only the least privilege it needs.

Audit logs: Merchants can view audit logs of account changes and activity. These logs record sensitive account events such as login and logout times and changes to account information.

Infrastructure protection

Our servers are hardened to best-practice security configurations and upgraded before their end-of-life dates so that security patches remain available and are installed. Networks are segmented to limit the flow of data between servers and protect sensitive data.

Stored data: Credit card numbers, or primary account numbers (PANs), are encrypted with AES-256 before storage. The cryptographic keys used for encryption and decryption are stored on separate devices and managed by a dedicated team.

Zero trust security: Employees who require access to corporate networks authenticate through SSO with two-factor authentication using a software-based token. After connecting to the network, additional verification is required to access internal systems.

Security posture

We maintain a strong security posture by keeping an up-to-date inventory of our assets and by knowing how prepared we are to prevent, detect and mitigate security events.

Security teams: Our dedicated security teams comprise specialists in different areas of security, such as networks, systems, applications and operations.

Security awareness: Our employees are required to complete security awareness training at least once a year, and developers receive secure application development training. Employees also undergo phishing exercises to learn to recognise phishing attempts and report them to the security teams.

Vulnerability management: Our security teams conduct penetration testing and regularly scan our infrastructure for vulnerabilities. Issues are remediated within pre-defined deadlines based on criticality.

Compliance with standards and regulations

We adopt leading security frameworks and standards to achieve and demonstrate a high level of security.

Payment Card Industry (PCI) requirements: 2C2P is fully compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements and certified as a Level 1 Service Provider. Our 3D Secure products are fully compliant with Payment Card Industry 3-D Secure (PCI 3DS) requirements. We are assessed by a Qualified Security Assessor (QSA) at least once annually.

ISO 27001: ISO 27001 is the international standard for information security management. 2C2P has established an Information Security Management System (ISMS) to protect information in a systematic way. We are certified by independent third-party auditors at least once a year.

System and Organisation Controls (SOC) reports: SOC reports are independent third-party examination reports that demonstrate how 2C2P achieves key compliance controls and objectives. Our SOC 2 report describes the controls environment and audit of controls that meet the AICPA trust services criteria for security, availability, processing integrity and confidentiality.

CSA STAR: The Security, Trust, Assurance and Risk (STAR) Level 2 attestation is an independent third-party assessment of the security of a cloud service provider. It builds on the requirements of SOC 2 together with the CSA Cloud Controls Matrix (CCM) criteria: 2C2P holds an independent attestation on the suitability of design and operating effectiveness of the controls relevant to the CCM criteria.

Personal data protection: The ISO 27701 standard outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage privacy controls and reduce the risk to the privacy rights of individuals. We are certified by independent third-party auditors at least once a year.

Best practices for online payment processing

Security controls are essential to minimising data breaches. Not all of the following are mandatory, but together they go a long way towards keeping these threats at bay.

PCI DSS compliance: This set of security requirements is maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover and JCB, to protect cardholder data. Businesses that accept card payments must comply with PCI DSS or risk being penalised by the card brands and their acquirers.

Use 3D Secure: 3D Secure adds a step to the checkout process in which the card issuer authenticates the cardholder, for example with a one-time code or an approval in the issuer's app, cutting the risk of unauthorised transactions.

Implement tokenisation: Tokenisation protects sensitive payment data by substituting cardholder information such as the PAN with a randomly generated token that has no exploitable value on its own. Even an attacker who gains access to the token store cannot recover the card number from it.
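As an added example (not 2C2P's code), and serving both the stored-data paragraph in the infrastructure section and this one, the Go program below implements a minimal tokenisation vault: each PAN is validated, encrypted with AES-256-GCM under a data-encryption key (DEK), and stored under a random opaque token; the DEK itself exists in the vault only wrapped under a key-encryption key (KEK) that the caller supplies and the vault never stores, mirroring the separation of keys from data. The KEK is passed in per operation as a stand-in for a key held on separate hardware, the "dek-v1" label and the "tok_" prefix are arbitrary choices, and the only PAN used with it in testing is the standard Visa test number 4111111111111111; all of these are assumptions of the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

func aead(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad binds the record to its context.
func seal(key, pt, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal and fails on any change to the blob, key or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

type Vault struct {
	wrappedDEK []byte            // data key, stored only sealed under the KEK
	records    map[string][]byte // token -> sealed PAN
}

// NewVault generates a 256-bit DEK and seals it under kek; the KEK itself is
// never kept by the vault (it stands in for a key held on separate hardware).
func NewVault(kek []byte) (*Vault, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	w, err := seal(kek, dek, []byte("dek-v1"))
	if err != nil {
		return nil, err
	}
	return &Vault{wrappedDEK: w, records: map[string][]byte{}}, nil
}

// Tokenise seals a syntactically valid PAN and returns an opaque random token.
func (v *Vault) Tokenise(kek []byte, pan string) (string, error) {
	if len(pan) < 12 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", fmt.Errorf("invalid PAN")
	}
	dek, err := open(kek, v.wrappedDEK, []byte("dek-v1"))
	if err != nil {
		return "", fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + base64.RawURLEncoding.EncodeToString(raw)
	blob, err := seal(dek, []byte(pan), []byte(token))
	if err != nil {
		return "", err
	}
	v.records[token] = blob
	return token, nil
}

// Detokenise fails closed on an unknown token, a wrong KEK or a modified record.
func (v *Vault) Detokenise(kek []byte, token string) (string, error) {
	blob, ok := v.records[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	dek, err := open(kek, v.wrappedDEK, []byte("dek-v1"))
	if err != nil {
		return "", fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	pan, err := open(dek, blob, []byte(token))
	if err != nil {
		return "", fmt.Errorf("record integrity check failed: %w", err)
	}
	return string(pan), nil
}
```

Two design points carry the security value. The token is random rather than derived from the PAN, so it reveals nothing and cannot be brute-forced back to a card number, and it is fed to GCM as associated data, so a record copied under a different token fails authentication rather than detokenising to someone else's card. Separating the KEK from the vault means a dump of the vault's storage yields only ciphertext and a wrapped key; in production the unwrap would happen inside an HSM or KMS rather than in the application's memory.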

Implement a fraud monitoring tool: Such tools use techniques such as data analysis and machine learning to monitor payment transactions and flag or block suspicious ones, preventing fraudulent payments before they complete.

About 2C2P

2C2P is a full-suite payments platform helping businesses securely accept payments across online, mobile and offline channels and providing issuing, payout, remittance and digital goods services.

With over 400 payment options ranging from credit cards to mobile wallets and an alternative payments network of more than 600,000 physical locations, 2C2P is the preferred payments platform of tech giants, airlines, online marketplaces, retailers and other global enterprises.

Get peace of mind and an added layer of protection for your business and customers by leveraging 2C2P's award-winning secure payment platform. Chat with our friendly team today.