2C2P | Security Measures


Security is a key consideration when deciding on a payments processing platform. Here at 2C2P, we have put security at the centre of everything we do. You can find below the certifications and security measures that we have put in place.

PCI DSS Certification

2C2P is fully compliant with PCI DSS v4.0 and is certified as a Level 1 Service Provider under the key security standard of the payments industry.
Our company is regularly assessed for PCI DSS compliance by Trustwave, a Qualified Security Assessor (QSA) accredited by the Payment Card Industry Security Standards Council.

ISO 27001 Certification

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best-practice guidance. The basis of this certification is the development and implementation of a security program, which includes the development and implementation of an Information Security Management System (ISMS). 2C2P is certified compliant with ISO/IEC 27001:2013, as verified by independent third-party auditors.

ISO 27701 Certification

ISO 27701:2019 is the global standard for privacy information management. The certification consolidates the requirements of multiple personal data protection laws such as the GDPR, Singapore's PDPA, Thailand's PDPA, and the Philippines' Data Privacy Act. The basis of this certification is the development and implementation of a security program, which includes the development and implementation of a Privacy Information Management System (PIMS). 2C2P is certified compliant with ISO 27701:2019, as verified by independent third-party auditors.

SOC Compliance

System and Organization Controls (SOC) reports are independent third-party examination reports that demonstrate how 2C2P achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the controls established to support operations and compliance. Our SOC 2 report describes the controls environment and the external audit of controls that meet the AICPA Trust Services Security, Availability, Processing Integrity and Confidentiality Principles and Criteria.

PCI 3DS Certification

Payment Card Industry 3-Domain Secure (PCI 3DS) is a PCI Core Security Standard from the PCI SSC, supporting the functionality of EMVCo's EMV 3-D Secure core security protocol and its core function specification. PCI 3DS adds an extra layer of security that lets cardholders authenticate themselves with the service provider or payment gateway during Card Not Present (CNP) transactions. It helps reduce CNP payment fraud and assures security for payment service providers.

The three domains of 3D Secure for secure authentication are:

  1. Merchant/Acquirer Domain (3DS Server) - Includes banks/merchant entities that handle payment request environments.
  2. The Issuer Domain (3DS Access Control Server) - Ensures the applicability of authentication for a particular card and is managed by the issuer bank. Whether it comes under the 3DS environment or not is validated under this domain.
  3. The Interoperability Domain (3DS Directory Server) - Is responsible for authentication, validation and maintenance of data flow among server entities.

2C2P's 3DS Server and 3DS Access Control Server products are PCI 3DS certified by independent third-party auditors.

CSA STAR Level 2 Attestation

The Cloud Security Alliance (CSA) designed the Security, Trust, Assurance, and Risk (STAR) program as an assurance framework for cloud service providers (CSPs). The CSA STAR Level 2 Attestation is a collaboration between the CSA and the AICPA that provides guidelines for CPAs conducting SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. The STAR Attestation provides for rigorous, independent third-party assessments of cloud providers.

Secure Communication

2C2P enforces the use of HTTPS for all services using TLS (SSL). This includes the following:

  • 2C2P Merchant Portal
  • APIs are served only over TLS

We regularly audit the details of our implementation - the certificates we serve, the certificate authorities we use, and the ciphers we support.

Data Encryption

2C2P encrypts all card numbers internally using the AES encryption algorithm. Card numbers and other sensitive data are stored, decrypted, and processed in an environment separate from the rest of the infrastructure (e.g. API, websites).
2C2P applies anti-DDoS solutions on all payment services and uses hardware security modules (HSMs) for secure key management.
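The passage above describes an architecture rather than code: card numbers are AES-encrypted and only ever decrypted inside a segregated environment, while the API and web tiers handle something else. The following Go program is an added illustration of that pattern, not 2C2P's implementation. It models the segregated environment as a `Vault` that owns the AES-GCM key and hands the rest of the system an opaque random token plus a masked PAN; the key is generated in memory here purely for the demo, whereas the text says 2C2P keeps keys in an HSM. All names, the token format and the test card number are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Vault stands in for the isolated card-data environment. It is the only
// component holding the data-encryption key and the only one that ever sees
// a plaintext PAN. (Illustrative code, not 2C2P's implementation.)
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}

// NewVault wraps a 16-, 24- or 32-byte AES key in AES-GCM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// Tokenize encrypts a PAN and returns an opaque random token that carries no
// information about the card, so other tiers can store and log it freely.
func (v *Vault) Tokenize(pan string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	// The token is GCM additional data: a ciphertext copied under a
	// different token fails authentication on decryption.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(nonce, ct...)
	return token, nil
}

// Detokenize is the only path back to a plaintext PAN and exists only inside
// the vault boundary (e.g. to forward the PAN to an acquirer).
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err // tampered or swapped record
	}
	return string(pt), nil
}

// Masked is the only PAN-derived value the API tier keeps: first six and
// last four digits (a common masking rule), everything else starred out.
func Masked(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// OrderRecord is what the API tier persists: a token and a mask, never a PAN.
type OrderRecord struct {
	OrderID   string
	Token     string
	MaskedPAN string
}

// RecordOrder models the API tier handing the PAN to the vault immediately
// and retaining only the token and the masked form.
func RecordOrder(v *Vault, orderID, pan string) (OrderRecord, error) {
	token, err := v.Tokenize(pan)
	if err != nil {
		return OrderRecord{}, err
	}
	return OrderRecord{OrderID: orderID, Token: token, MaskedPAN: Masked(pan)}, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; random here, HSM-held in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed input: a well-known test card number, not real card data.
	rec, err := RecordOrder(v, "order-1001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("API tier stores: %+v\n", rec)
}
```

The point of binding the token into the GCM additional data is that an attacker who can rewrite the vault's storage cannot re-associate one customer's encrypted PAN with another order's token without the decryption failing; the test below exercises that case alongside the normal round trip.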

Fraud Protection and 3D Secure

2C2P uses an integrated fraud protection engine to detect and track fraudulent payments in real time. We use the 3D Secure protocol in its various scheme-branded forms, such as Verified by Visa, Mastercard SecureCode and J/Secure, to ensure that you and your customers are protected from e-commerce fraud.

SECURITY POLICY

1. Overview

Protection of information handled by 2C2P is of utmost importance to us and should be yours too. The following terms used in this document relate to data provided to 2C2P by you, your customer or are received and accessed by you when using our services:

  • “Personal Data” means information, whether true or not, about a specific person (i.e. not a company, legal entity or machine) who can be identified from that information, or from that information together with other information that an organization has or is likely to possess, and which is transmitted to or accessible through our services.
  • “2C2P Data” means details of the API transactions over 2C2P infrastructure, information used in fraud detection, aggregated or anonymized information generated from data, and any other information created by or originating from 2C2P or our services.
  • “User Data” means information that describes your business, operations, products, services and orders placed by customers.
  • The term “Data” used without a modifier means all Personal Data, User Data, Payment Data and 2C2P Data.

2. Data Protection

2.1. Confidentiality

2C2P will only use User Data as permitted by this agreement, by other agreements between you and us, or as otherwise directed or authorized by you. You will protect all Data you receive through our services, may not disclose or distribute any such Data, and may only use such Data in conjunction with our services and as permitted by this agreement or by other agreements between you and us. Neither party may use any Personal Data to market to customers unless it has received the express consent of the specific customer to do so. You may not disclose Payment Data to others except in connection with processing transactions requested by customers and consistent with applicable Laws and Payment Method rules.

2.2. PCI Compliance

If you use Payment Processing Services to accept payment card transactions, you must comply with the Payment Card Industry Data Security Standard (“PCI-DSS”). The PCI Standards include requirements to maintain materials or records that contain payment card or transaction data in a safe and secure manner, with access limited to authorized personnel. The specific steps you will need to take to comply with the PCI Standards will depend on your implementation of the Payment Processing Services.

If you elect to store or hold “Account Data”, as defined by the PCI Standards which includes customer card account number or expiration date, you must maintain a system that is compliant with the PCI Standards. If you do not comply with the PCI Standards, or if we, any Payment Method Provider or Payment Method Acquirer are unable to verify your compliance with the PCI Standards, we may suspend your 2C2P Account or terminate this Agreement. If you intend to use a third party service provider to store or transmit Account Data, you must not share any data with the service provider until you verify that the third party holds sufficient certifications under the PCI Standards and notify us of your intention to share Account Data with the service provider. Further, you agree to never store or hold any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2) at any one time. You can find more information about the PCI Standards on the PCI Council’s website.

3. Security Controls

3.1. Our Security

2C2P is responsible for protecting the security of Data in our possession. We will maintain commercially reasonable administrative, technical, and physical procedures to protect User Data and Personal Data stored on our servers from unauthorized access, accidental loss, modification, or breach, and we will comply with applicable Laws and Payment Method Rules when we handle User Data and Personal Data.

However, no security system is impenetrable, and we cannot guarantee that unauthorized parties will never be able to defeat our security measures or misuse any Data in our possession. You provide User Data and Personal Data to 2C2P with the understanding that any security measures we provide may not be appropriate or adequate for your business, and you agree to implement Security Controls (as defined below) and any additional controls that meet your specific requirements. In our sole discretion, we may take any action, including suspension of your 2C2P Account, to maintain the integrity and security of our services or Data, or to prevent harm to you, us, customers, or others.

3.2. Your Security

You are solely responsible for the security of any Data on your website, your servers or that you are otherwise authorized to access or handle. You will comply with applicable Laws and Payment Method Rules when handling or maintaining User Data and Personal Data and will provide evidence of your compliance to us upon our request.

3.3. Security Controls

You are responsible for assessing the security requirements of your business and selecting and implementing security procedures and Security Controls appropriate to mitigate your exposure to security incidents. We may provide Security Controls as part of the Services or suggest that you implement specific Security Controls. However, your responsibility for securing your business is not diminished by any Security Controls that we provide or suggest, and if you believe that the Security Controls we provide are insufficient, then you must separately implement additional controls that meet your requirements.

4. Fraud Controls and Fraud Case Management

4.1. Fraud Controls

While we may provide or suggest Security Controls, we cannot guarantee that you or customers will never become victims of fraud. Any Security Controls we provide or suggest may include processes or applications developed by 2C2P, its affiliates, or other companies. You agree to review all the Security Controls we suggest and choose those that are appropriate for your business to protect against unauthorized transactions, and independently implement other security procedures and controls not provided by us. If you disable or fail to properly use Security Controls, you will increase the likelihood of unauthorized transactions, disputes, fraud, losses, and other similar occurrences.

4.2. Fraud Case Management

When a fraud case is found, you will be guided to void or refund the transaction if the products or services have not yet been rendered.

In the worst case, if the sale has been completed before the fraud is detected, you will be required to send all invoices or related documents to prove your sale.

If you are found to be involved in any fraudulent transactions, your account will be terminated and you will be reported to 2C2P's acquirer for inclusion in the card schemes' negative files.

Moreover, you are solely responsible for losses you incur from the use of lost or stolen payment credentials or accounts by fraudsters who engage in fraudulent transactions with you, including any related disputes. We may assist you with recovering lost funds, but you are solely responsible for losses due to lost or stolen credentials or accounts, compromise of your username or password, changes to your account and any other unauthorized use or modification of your 2C2P Account. 2C2P is not liable or responsible to you and you waive any right to bring a claim against us for any losses that result from the use of lost or stolen credentials or unauthorized use or modification of your 2C2P Account, unless such losses result from 2C2P's wilful or intentional actions. Further, you will fully reimburse us for any losses we incur that result from the use of lost or stolen credentials or accounts.

5. Risk Management

We follow appropriate card acceptance and data security procedures for all transactions under the applicable laws and rules, to reduce the financial risk or loss to 2C2P, the merchant, the customer and/or the end user from fraudulent transactions. We make reasonable efforts to ensure a level of risk management appropriate to the associated risk by:

  • Establishing separate application verification processes: one for low-risk merchants and a more stringent process for high-risk merchants.
  • Requiring high-risk merchants to provide additional references.
  • Establishing specific approval criteria for low-risk and high-risk merchants to help ensure that the merchant has the financial capability to handle returns and chargebacks.

If, during a review or monitoring, the Fraud and Risk Team becomes aware of changes in the merchant's business model, the products or services being sold, transaction patterns, or other factors that affect 2C2P's integrity and financial risk, measures must be taken. All merchant URLs must be monitored on a continuous basis for possible violations due to prohibited or reputation-harming content.

If these changes have an impact on the risk allocation, an assessment of the mitigating measures must take place to establish whether they are still sufficient or have become too strict.

We may suspend access to any of our services and/or the right to hold funds, and/or terminate the service and agreement, at any time with immediate effect if we suspect, at our sole and absolute discretion, any of the following:

  • You are conducting illegal, unethical, or otherwise inappropriate behavior or activities.
  • Any misuse of the Services or breach of this Agreement.
  • Fraudulent activity is suspected.
  • Financial responsibility related to chargeback liability under the agreement.
  • Policies and standards for collecting and holding reserves on high-risk card-absent merchants apply. If the merchant ceases business, the reserve amounts should be sufficient to cover any future chargebacks.
  • The business has ceased, or threatens to cease, to carry on.
  • You become, threaten or resolve to become, or are in jeopardy of becoming subject to any form of insolvency administration or arrangement, become insolvent, have a receiver appointed, go into liquidation or are dissolved (save for the purpose of amalgamation or reconstruction).
  • There is any change or threatened change of laws, rules, regulations, or circumstances which would materially and adversely affect the performance of the agreement.
  • Disclosure is required by law, by order of a court of competent jurisdiction, or by any rule, direction, or regulation of any regulatory or governmental authority.