Credit card security involves multiple levels of security to insure that the data remains secure from the time that the customer provides the data to the sales representative. The data must be secure when
- entered into the order form
- transmitted for processing
- stored for future transactions
When a customer places an order and provides credit card information to the sales representative, the sales representative enters that information into the order form on our website. The order form is a secure page (see figure 1), meaning that the web browser encrypts the data using a special key before the data is sent to the web servers.
Figure 1 - Secure Order Form
You can verify that a web page is secure by checking for the HTTPS prefix on the URL and by checking for the lock icon in the browser. In Internet Explorer (IE), Safari and Chrome, the lock icon is displayed immediately to the right of the address bar (see Figure 1). In Firefox, the lock icon is displayed in the lower right corner of the browser window.
The presence of the HTTPS prefix and the lock icon means that the credit card data (as well as all of the other data in the form) is encrypted using a public key obtained from our web servers. Once the data is encrypted, it can only be decrypted by the web servers using a private key, which never leaves our web servers.
Once the credit card data has been received and decrypted by our web servers, it must then be transmitted to the credit card processor for billing. This is done using what’s called an Internet Gateway. We use Authorize.Net (https://www.Authorize.net/) for our credit card processing Internet Gateway. Authorize.Net is a solution of CyberSource Corporation, a wholly owned subsidiary of Visa. Before transmitting the credit card data to Authorize.Net, our server obtains a public key from the Authorize.Net server and re-encrypts all of the data to be transmitted. The data is then transmitted to the Authorize.Net server where the credit card transaction is processed and either an approval or denial response is received.
If the credit card transaction is approved, then the credit card data is again encrypted and the order information is stored on our database servers, which are NOT accessible by the public. This
ensures that, even if a hacker were to gain access to our database, the credit card data would be unusable.
Our server architecture is designed for redundancy and survivability and protected by a state of the art hardware firewall. The servers are located in a data center owned and operated by Savvis (NASDAQ:SVVS) and the firewall is managed by Savvis to
ensure continuous operation and security. Savvis has a private managed network with over 21,000 circuits around the world. Their facilities are connected to a tier 1 OC-192 Internet backbone with over 17,000 miles of fiber.
One of the key advantages of hosting in a tier-one hosting facility is that Savvis manages over 19,000 firewalls. Thus as new threats or attacks occur from malicious sources, these threats are quickly detected across the vast array of their customer’s firewalls allowing them to identify and respond to these threats before they can cause any damage. These 19,000 firewalls are managed by a team of security experts who only focus data security within the Savvis network. The firewalls are constantly monitored for any attacks and are constantly updated as new threats arise, providing an unparalleled level of security.
Our computers are housed in the Savvis OC2 (Irvine) data center (one of many in the US) which was built from the ground up for this purpose. This facility has multiple incoming and distributed power grids, multiple Internet access points and the building is cross braced to withstand an 8.0 earthquake. In the event of power grid failure, battery backup is available immediately then followed by 13 power generators located at the back of the building that can provide power for over 2 weeks before refueling is needed (see Figure 2).
Figure 2 - Savvis Data Center
Savvis’s world-class facilities feature:
- raised floors, bullet proof doors, unmarked building
- climate control systems with separate cooling zones
- seismically braced racks
- protected by some of the most powerful physical security available, including:
- advanced smoke detection and fire suppression systems
- 24/7 secured access with motion sensors, video surveillance and security breach alarms
- a redundant network of multiple fiber trunks from multiple sources
- redundant power on the premises
- multiple backup generators
All Savvis data centers feature 24x7 network and systems management by fully trained on-site personnel. The result is a physical and technical environment that can deliver the reliability and flexibility for mission-critical Internet operations.
By utilizing Savvis for our data center, we benefit from their reliability and redundancy, both in terms of power systems and data connections to the Internet, by the physical security system of the facilities and by the data security provided by their firewall management team.
Additionally, all sensitive data is stored in encrypted form on our database servers which are physically separate from our web servers and not accessible to the public (web servers, by their nature, must be accessible to the public).
And, finally, all sensitive data is encrypted whenever it is transmitted to or from our servers for secure delivery to end users’ browsers.