Vault Environment
Ezypay ensures robust security measures to protect your and your customers' payment information. All payment methods are securely encrypted and stored in the Vault Environment. The Vault adheres to PCI Compliance requirements and keeps sensitive payment data isolated from Ezypay's billing services.
Payment details stored in the Vault are replaced with a token for all operations across the Ezypay billing services. This token contains only truncated information, preventing exposure of the customer's actual payment data.
Tokenisation and Detokenisation Process
Ezypay billing services only use the payment method token. Integrators will link the token to a customer to allow for secure and repeated use for multiple transactions.
When billing is scheduled, billing information and the payment method token are sent to the Vault. The token is then detokenized into the actual payment details, which are sent to the payment provider for processing. This ensures the actual payment details are only exposed to the Vault and the payment provider.
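The flow described above, sketched as an added example; it is not Ezypay's code or API. The names `Vault`, `BillingService` and `fake_psp` are hypothetical, the card number is a constructed test value, and the truncated fields returned with the token are the card fields listed in the requirements table on this page.

```python
import secrets

class Vault:
    """Toy vault: the only component that ever holds the full card number."""
    def __init__(self, psp):
        self._cards = {}   # token id -> full PAN, never leaves this class
        self._psp = psp    # hypothetical callable standing in for the PSP

    def tokenise(self, cardholder, pan):
        token_id = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token_id] = pan
        # Only truncated fields are returned to the caller.
        return {"token": token_id, "cardholder": cardholder,
                "first6": pan[:6], "last4": pan[-4:]}

    def charge(self, token_id, amount_cents):
        pan = self._cards.get(token_id)   # detokenisation happens here only
        if pan is None:
            raise KeyError("unknown or deleted payment method token")
        return self._psp(pan, amount_cents)

    def delete(self, token_id):
        self._cards.pop(token_id, None)   # token becomes unusable afterwards


class BillingService:
    """Holds tokens linked to customers; has no path to the full PAN."""
    def __init__(self, vault):
        self._vault = vault
        self.customers = {}   # customer id -> token record

    def link(self, customer_id, token_record):
        self.customers[customer_id] = token_record

    def bill(self, customer_id, amount_cents):
        token = self.customers[customer_id]["token"]
        return self._vault.charge(token, amount_cents)


def demo():
    seen_by_psp = []                      # records what the PSP stub receives
    def fake_psp(pan, amount_cents):
        seen_by_psp.append(pan)
        return "approved"
    vault = Vault(fake_psp)
    billing = BillingService(vault)
    test_pan = "4111111111111111"         # constructed test card number
    billing.link("cust-1", vault.tokenise("A Cardholder", test_pan))
    result = billing.bill("cust-1", 2500)
    return billing, vault, seen_by_psp, result
```

After `vault.delete(token)` the billing side still holds the token record, but any further `bill` call fails because the Vault no longer has anything to detokenise.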
Ezypay Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created in collaboration with major credit card payment brands (such as Visa, MasterCard, American Express, Discover and JCB) to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI compliance applies to any merchant that accepts credit card payments regardless of whether they use in-house or third-party software to process, store or transmit cardholder data.
Ezypay ensures PCI compliance by adhering to the following requirements:
PCI Compliance Requirement | Ezypay Implementation |
---|---|
Ezypay as a subscription payment platform only works with tokens and truncated payment method data | Ezypay relies on the Vault for detokenization and for handling interactions requiring actual payment method details. Tokens contain only truncated payment method data: cardholder name, first 6 and last 4 digits of the card, last 4 digits of the bank account. |
Ezypay Vault holds the full bank account and card details | The Vault stores full bank account and card details, working with processes requiring actual payment method details (e.g. billing, settlement). It is the main interface with Payment Service Providers (PSPs) and uses the detokenized payment methods for any payment request. |
All UI that captures payment methods is hosted in the Vault environment | Ezypay Hosted Payment Pages, which receive payment method inputs, are part of the Ezypay Vault solution. |
Quarterly inactive card data disposal process | Inactive payment methods flagged as invalid for 13 months are automatically removed. |
Deletion of card data based on customer request | When the "delete a payment method" API is called, the payment method is permanently deleted from the Vault. |
No users are allowed to access full payment method details | Payment method tokens, containing only truncated information, are used across all Ezypay operations. True payment account information is never exposed outside the Vault. |
Cardholder Data Retention & Deletion
Due to PCI requirements, Ezypay will need to remove from our vault the details of any payment method that has not been used for at least 24 months or is not linked to any future invoices or subscriptions with a status of 'active' or 'billing issues'.
Updated about 2 months ago