C.N. Wylie Group of Companies operate a PCI (Payment Card Industry) Data Security Program compliant infrastructure. Our compliance report is available upon request. Many of our customers now require this document as part of their annual audits.
The C.N. Wylie Group of Companies includes Strategic Profits Inc., Gaine Center for Spiritual Progress Incorporated., Helpforcharities.com Inc., SPIguard Security Solutions Inc., PayPaq Solutions Inc.
Customer security and privacy is the Number One Priority at C.N. Wylie Group of Companies. Consumers want absolute assurance from the businesses they are dealing with that their personal identifiable information is safe. At C.N. Wylie Group of Companies we recognize the importance of security when processing confidential information online and are working with leading industry organizations to ensure our security is at the highest level available within the industry at any given time.
What is PCI Data Security Standard
The PCI data security standard is designed to help protect the integrity of the credit card systems and to help mitigate the risk of fraud and identity theft to credit card holders. Adopted by both VISA and Mastercard (see the PCI Security Standards Council), PCI applies to card association members, merchants, and service providers that store, process, or transmit cardholder data. The scope of compliance is on systems for authorization and settlement where cardholder data is processed, stored, or transmitted.
There are 12 requirements:
- Install and maintain a working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access by "need to know"
- Assign unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
Website Security and Data Encryption
You and your customers are protected when accepting and processing orders online by using Digital Certificates (provided by Thawte or Geotrust or Verisign) to verify that the site you are doing business with is the site you think it is. The difference between Thawte and Verisign is cost only. A Thawte certificate costs approximately $125.00 US and Verisign significantly more. Paying more at Verisign does not give you any more security.
SSL (secure socket layer) uses the digital certificates to create a secure, confidential communications "pipe" between two entities. This is means all data is encrypted when it travels between the customer and the web server. At this time 128bit encryption is the industry standard. You can determine you are on a secure site when you see the locked lock at the bottom of your browser. You should also look for https in the website address. The "s" in https indicates a "secure" connection. If you can't see the "s" in the browser before sending your confidential information stop the transaction and email the vendor to find out why.
We recommend digital certificates by Thawte, GeoTrust and Verisign.
PGP is utilized for (128bit Cast) messaging, (160 bit SHA1) signatures and (1028-4096bit) Diffie-Hellman digital key exchange. PGP Data Suite is rated the highest in the industry to date. The technology is subject to Federal export laws in Canada and the United States. See www.pgp.com
Credit Card Processing
Encrypted information is processed via our PayPaq™ Server. Once a credit card is processed an email receipt is then sent to both the customer and the merchant. These receipts contain no credit card information. Any credit card information is stored in the PayPaq™ Server in a secure environment and is not accessible to the merchant. This is not a third party payment system. In other words there is no third party that holds your receipts for any period of time before they are released.
Physical Data Security
All sensitive data is housed in the C.N. Wylie Group of Companies Data Center The Center is an environmentally controlled room with redundant uninterruptible power supplies (UPS - protecting against A/C power surges, brownouts and lightning strikes), three-stage fire retardation system, physical perimeter and device security.
Operational Data Security
Firewall protection is employed that acts like a filter to allow access from only authorized sources and to authorized services. As an additional security measure outbound connections from the servers are permitted on an "as-needed" basis. Intrusion detection systems are also deployed on all servers and monitored for any suspicious behavior.
Redundancy: Redundant high-speed connections from the Data Centre to four separate Internet backbone points via completely independent local loop connections.
A Failover database server is also provided should any problems arise with the PayPaq™ server that requires a shut down or any type of failure. This assures 99.7% uptime for our customers' transactional ability.
Backup: Daily incremental, weekly full, and for one year monthly data backup. Full dual backup copies are made for each week and stored both on-site and off-site. Ethical Hacking on the system is also routinely performed.
Canadian Privacy Legislation
C.N. Wylie Group of Companies stores no financial information, other than the transaction scripts and forms, on our servers. All transaction information is stored on the PayPaq server. The rest of the details (name, address, etc.) are passed on to the customer via email (encrypted email - optional) Only sales/shipping information is stored on C.N. Wylie Group of Companies web servers and is protected by a firewall. Upon request of the customer absolutely no consumer information will be stored on C.N. Wylie Group of Companies web servers. Upon request of the customer, encryption can be utilized regarding the sales/shipping information storage on C.N. Wylie Group of Companies web servers. Transaction details are available from the PayPaq™ server and the rest of the information is under the customer's exclusive control.
Fraud Protection Measures
Unfortunately in today's society, the technological advances combined by the opportunities the Internet brings, fraudulent transactions are becoming more and more common. To combat these types of fraudulent transactions - Visa and MasterCard have each developed a fraud protection measure - Verified by Visa and MasterCard SecureCode. In addition - we have developed two very effective fraud protection systems. They are the IPGuard and the GeoGuard.
Verified by Visa (VBV)
We've built and certified our own VBV product to assure that our customers would have the best in security and that we could keep our prices in line with our philosophy of delivering the highest quality and the lowest price possible. For more information please see the following: Verified by Visa
We've also built our own SecureCode product. MasterCard chose to operate a similar program utilizing the VBV platform to assure uniformity for merchants and cardholders. For more information please see the following: MasterCard SecureCode.
As many of these types of fraudulent transactions are not "one off" attempts (usually several credit cards are tried in one session) we have developed IP Guard. The IPGuard is a system that records the originating IP address of all transactions made. If a second transaction is attempted from the same IP address (this can be customized) within 24 hours it will be blocked at the server and the client will see a message stating that the transaction was not allowed and provide an email link or phone number for contacting the hosting organization. As most individuals want the ability to test a number of credit cards in one session we have found this system to be an excellent deterrent to using our clients as unknowing assistants and victims in these crimes.
GeoGuard is another product that can be used to reduce fraudulent transactions. GeoGuard is a geography based protection system, which can be implemented to only allow visitors from certain countries access to the donation form. All our clients have to do is tell us which countries they wish to receive donations from and we will block any attempt at a transaction from all other countries. If visitors from any of the blocked countries attempt to process a transaction they will be presented with a page outlining why they can't use the form and give them an email link or phone number to contact to arrange an alternate method of making a donation.
CVV is a 3-digit security code that is printed on the back of your Visa or MasterCard (or front of AMEX). The number appears on the signature strip after the last four digits of your account number. The signature strip may contain your entire account number or just the last four digits of your account number. The CVV2 will appear after the last four digits of your account number. CVV2 is used to verify that you have possession of the credit card you are attempting to use. The cost to enable this feature for your donation form is $75.00. Availability depends on whether or not your financial institution supports this function.
A CAPTCHA involves asking a user to complete a test. A common type of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen. Because computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.