Post on 22-Jan-2017
APRIL 2016
Next Generation Payment Security Overview
Plooto Inc. Next Generation Payment Security Overview
Contents
Introduction
Overview
Payment Network
Cloud Platform Infrastructure
Plooto Platform
How Plooto Works
Bank Account Validation
Conclusion
About Plooto
Introduction
Payment security has gotten a lot of attention lately. Many companies have become victims of financial and sensitive data breaches. Lack of IT spending, complex architecture, technology fragmentation as well as antiquated and legacy systems have left many companies vulnerable to cyber attacks. This is precisely why Plooto's number one priority is security. Our cloud based solution delivers the most secure and most up to date security standard, on par with many top financial institutions. Plooto consistently meets or exceeds the stringent security requirements of even the most security conscious organizations, including Fortune 500 companies, the world's largest financial institutions, and other global companies. The following overview was developed by Plooto in order to give our customers and users visibility into our continued efforts to provide the highest level of security standards.
Overview
Plooto is a business payment management platform. Plooto has been designed from the ground up with security, compliance and a wide set of security features in mind. This overview identifies security guidelines and processes we have put in place to ensure continuous delivery of a secure platform that surpasses customer expectations. Plooto empowers businesses to send, receive and manage domestic and international payments using a cloud-based platform, all while maintaining an unprecedented security standard as part of its core development requirement. In the following pages, we provide an overview of our security approach, which encompasses a number of key areas, including our security certifications & tests.
Payment Network
All Canadian payments processed through Plooto are settled through our partnership with members of the Canadian Payment Association (CPA). Plooto's payment technology is built on top of the existing banking infrastructure which is developed and maintained by CPA. CPA is a non-profit organization that operates clearing and settlement systems in Canada and is responsible for the following:
• Operates and maintains national systems for the clearing and settlement of payments and other arrangements for making or exchanging payments.
• Facilitates the interaction of the CPA's systems with others involved in the exchange, clearing and settlement of payments.
• Facilitates the development of new payment methods and technologies.
As a trusted CPA partner, we process our payments using the same technology as used by the big five banks. Plooto can process payments to any Bank or Credit Union in Canada and the US. As part of our integration process with CPA, Plooto underwent verifications and approvals within the following key areas:
Full company background and risk analysis
Full financial and background auditing of our business processes and financials was performed by our banking partners.
Secure data transfer / communication
Our system was validated for both incoming and outgoing data exchange using secure channels. Secure File Transfer Protocol is designed by the Internet Engineering Task Force (IETF) and is powering data exchange for most major financial institutions.
System integration compatibility
Continuous tests are performed to ensure payment instructions reflect user actions during the payment cycle. We also run daily tests to ensure that the system is responsive for both recipient and sender's bank communications.
In conjunction with CPA requirements, we've implemented additional in-house security measures such as policy based fund clearing, bank account ownership verification as well as personal identity verification for advanced features.
Cloud Platform Infrastructure
All of Plooto's infrastructure elements are hosted by Microsoft Azure through its Infrastructure as a Service (IaaS) business unit. Microsoft, with its unique experience and scale, delivers cloud services to many of the world's leading enterprises and government agencies. Today, the Microsoft cloud infrastructure supports over 1 billion customers across their enterprise and consumer services in 140 countries and supports 10 languages and 24 currencies.
Physical security
Azure provides geographically distributed data centers that comply with industry standards (such as ISO 27001) for physical security and availability. Facilities are designed to run 24x7x365 and employ various measures against events ranging from power failures to network outages. Centralized monitoring is administered by operations personnel.
Antivirus and antimalware
Virus and antimalware software scans all production and testing deployments using industry certified tools that ensure a clean and stable environment. Routinely scheduled scans ensure that in the event of a breach systems will remain threat free.
Network and Data isolation
Logical isolation and segregated environments ensure confidential data remains inaccessible to unauthorized parties.
Encrypting data at rest and in transit
All traffic within our application is encrypted using built-in cryptographic technology using TDS (Tabular Data Stream) and SSL (Secure Sockets Layer) when stored on Azure's data centers. This ensures that our data is never exposed to unauthorized third parties.
Plooto Platform
Plooto's secure platform encompasses our network and data security, platform security and workflow security.
Network / Data Security
• End-to-End Encryption: All communication between users and Plooto is encrypted using the latest Secure Hash Algorithm 2 (SHA2) SSL Certificates. This standard is being utilized by top financial institutions and ensures no data is intercepted by unauthorized parties.
• Encrypted Internal Communication: All internal system data remains encrypted (using SSL) to prevent loss.
• Data Encryption: All customers' sensitive data is encrypted using AES 256 bit (Advanced Encryption Standard). This standard has been widely adopted by Canadian and U.S. governments and is utilized worldwide.
• Data at Rest Encryption: Additional levels of encryption are applied to ensure data is encrypted while residing on physical hardware.
Platform Security
• Staff Background Checks: Our support and security personnel go through a thorough background check by Garda Inc.
• Customer Data Access Monitoring: Access to the data by personnel is monitored, auditable, enforced by roles and is secured through multi-factor authentication.
• Proactive Security Policy: Plooto enforces a password policy with enough entropy to be next to impossible to break. Passwords are not stored in clear text but rather hashed using PBKDF2 (Password-Based Key Derivation Function 2). Failed authentication attempts are tracked. Additional attempts will trigger security verification and could cause the account to be locked in severe cases.
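The Proactive Security Policy bullet describes three mechanisms: PBKDF2 password hashing, tracking of failed attempts, and escalation to verification or lockout. The following is an added example written for this overview, not Plooto's own code; the iteration count, the VERIFY_AFTER and LOCK_AFTER thresholds, and the in-memory AccountStore are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the whitepaper); tune iterations to your hardware.
ITERATIONS = 600_000
VERIFY_AFTER = 3   # failures before extra security verification is demanded
LOCK_AFTER = 5     # failures before the account is locked

def hash_password(password, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt; self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

class AccountStore:
    """In-memory stand-in for the user table: hash, failure count, lock flag."""
    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.records = {}

    def register(self, username, password):
        self.records[username] = {"hash": hash_password(password, self.iterations),
                                  "failures": 0, "locked": False}

    def login(self, username, password):
        """Returns 'ok', 'denied', 'verify' (extra verification needed) or 'locked'."""
        rec = self.records.get(username)
        if rec is None:
            hash_password(password, self.iterations)  # same cost for unknown users
            return "denied"
        if rec["locked"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0  # a successful login resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCK_AFTER:
            rec["locked"] = True
            return "locked"
        return "verify" if rec["failures"] >= VERIFY_AFTER else "denied"
```

Because the salt and iteration count travel inside the stored record, the iteration count can be raised for new registrations without invalidating existing hashes.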
Workflow Security
Customers who want to mirror their existing workflow (multiple co-signers, accountants, compliance etc.) can either select one of our default permissions or create their own.
• Choose who initiates payments
• Choose who adds bank accounts
• Choose who adds payees
• Choose who approves payments
• Choose who customizes company information
How Plooto Works
Plooto works with existing banking infrastructure to reduce friction and costs.
When a transaction is submitted, Plooto sends the instructions to the banks to have them transfer the funds between two accounts. Payment instructions are subject to sophisticated algorithms banks use in order to validate the information.
Bank Account Validation
Financial institutions use sophisticated mathematical algorithms to generate and authenticate account information keyed into their system. Transaction instructions submitted by Plooto to a bank are validated using these algorithms. Modulus Check Digit Routines use checksum formulas in order to validate account numbers. The Modulus 10 routine is used by Plooto, financial institutions and government agencies as a method of distinguishing valid numbers from mistyped or otherwise incorrect numbers. These algorithms were specifically designed to protect against accidental errors when entering bank account information electronically. Modulus routines involve multiplying some or all of the digits in the branch and/or account number by fixed numbers (the weighting factors). There is a specific weighting factor for each digit used in the verification process. The result of each multiplication is summed and the total divided by a specific modulus number; the remainder decides whether the number passes the check. In the event banking information is reported as invalid, the Plooto system flags the transaction and electronically notifies our system administrators.
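The weighted-sum-then-modulus routine described above, written out as an added example for this overview (not Plooto's or any bank's actual validation code). It implements the general weighted modulus check and the common Modulus 10 variant, and then shows why such routines protect against accidental errors: every single mistyped digit is rejected. The sample number 7992739871 and the generic weight lists are constructed for illustration.

```python
def weighted_modulus_valid(number, weights, modulus, fold_products=False):
    """Multiply each digit by its weighting factor, sum the products and accept
    the number only if the total divides evenly by the modulus. fold_products
    reduces two-digit products to their digit sum (14 -> 1 + 4 = 5), which is
    the Modulus 10 'double-add-double' variant commonly called the Luhn check."""
    if not number.isdigit() or len(number) != len(weights):
        return False  # non-digit input or a length the weight table does not cover
    total = 0
    for ch, weight in zip(number, weights):
        product = int(ch) * weight
        if fold_products:
            product = product // 10 + product % 10
        total += product
    return total % modulus == 0

def mod10_weights(length):
    """Weights 1, 2, 1, 2, ... counted from the rightmost (check) digit leftwards."""
    return [2 if (length - 1 - i) % 2 else 1 for i in range(length)]

def mod10_valid(number):
    """Modulus 10 check as used for account numbers and payment card numbers."""
    return weighted_modulus_valid(number, mod10_weights(len(number)), 10, True)

def mod10_check_digit(body):
    """The single digit that, appended to body, makes the whole number pass."""
    for candidate in "0123456789":
        if mod10_valid(body + candidate):
            return candidate
    raise ValueError("body must contain digits only")

def single_digit_errors_caught(number):
    """Count how many of the 9 * len(number) one-digit typos are rejected;
    the Modulus 10 routine catches all of them. Returns (caught, total)."""
    caught = total = 0
    for i, ch in enumerate(number):
        for wrong in "0123456789":
            if wrong != ch:
                total += 1
                if not mod10_valid(number[:i] + wrong + number[i + 1:]):
                    caught += 1
    return caught, total

if __name__ == "__main__":
    # Constructed sample: body 7992739871 takes check digit 3 -> 79927398713
    print(mod10_check_digit("7992739871"), mod10_valid("79927398713"))
    print(single_digit_errors_caught("79927398713"))
```

A check digit only guards against keying mistakes; it says nothing about whether the account exists or who owns it, which is why the ownership verification mentioned in the Payment Network section is a separate control.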
Conclusion
Plooto's security approach is comprehensive. We meet or exceed national security standards and deliver exceptional financial and data security. Our continuous improvements as well as close partnership with leading technology and payment providers demonstrate our commitment to world-class security. We consider our customers' security priority number one. Our security approach encompasses everything from our people and processes to our platform and participants: senders, receivers, partners and developers. Our robust strategy allows us to ensure the confidentiality, integrity, authenticity, and non-repudiation of our customers' payment information, and enables us to deliver 99.99% average uptime and availability of our system.
About Plooto
Plooto is a business payment management platform. Plooto automates and streamlines the way companies pay one another. Plooto was named one of CIX's top 20 most innovative companies in Canada.
For Inquiries: Local (416) 479-9656 | Toll-free 1 (844) 4PLOOTO (475-6686) | Plooto.co | @PlootoInc
Address: 111 Richmond Street West, 5th Floor, Toronto, ON, M5H 2G4
Copyright © 2015-2016 Plooto, Inc. All rights reserved. Plooto and the Plooto logo are trademarks or registered trademarks of Plooto, Inc. in Canada and other countries. All other trademarks and registered trademarks are the property of their respective holders.