Enhancing Data Security: How Exact Payments Protects Onboarding Data

By Jeremy Smillie, VP of DevSecOps at Exact Payments

In an era where data breaches are not just threats but realities, protecting Personally Identifiable Information (PII) is more crucial than ever. At Exact Payments, we understand the magnitude of the responsibility of handling such sensitive data. As payment facilitators, we onboard new merchants and software partners daily, collecting extensive PII to verify individual and company identities. Given the high stakes, PII has become a highly lucrative target for cybercriminals.

Recognizing this, we don’t just meet the minimum security standards—we exceed them. Our advanced safeguards are designed to offer superior protection, setting a benchmark in the industry. At Exact Payments, we have meticulously engineered a multi-layered security architecture to ensure the rigorous protection of user data during the onboarding process. 

Secure Data Transmission

Our commitment to safeguarding Personally Identifiable Information (PII) begins at the initial data transmission stage. Our software partners transmit merchant data to our APIs using Transport Layer Security (TLS) encryption. TLS encrypts data during transit and offers enhanced security features to combat man-in-the-middle (MiTM) attacks. 

We implement TLS 1.3, which includes security enhancements such as enforcing “forward secrecy” to prevent the compromise of encryption keys between the server and clients. This feature ensures that each session has unique encryption keys, which are not derived from a set of long-term keys. Even if a server’s key is compromised, past communications remain secure because the session keys cannot be retroactively decrypted. Forward secrecy protects past communications against future compromises of secret keys or passwords.

Additionally, we enable HTTP Strict Transport Security (HSTS), a policy mechanism that secures websites against protocol downgrade attacks and cookie hijacking. Protocol downgrade attacks (SSL stripping) are where an attacker forces a connection to revert to HTTP from HTTPS. HSTS prevents this by not allowing the connection to downgrade, ensuring data remains encrypted and secure from eavesdropping and tampering.

For cookie hijacking, HSTS enforces secure connections, protecting users from attackers who might steal sensitive cookies sent over insecure links. Cookies often contain session data that can authenticate a user to a website, and securing these is crucial to preventing identity theft.

Web Application Firewall (WAF)

Upon receipt, data passes through a Web Application Firewall (WAF) that scrutinizes the integrity of incoming data and shields our systems from potential threats. WAFs have many important jobs, such as traffic filtering, data integrity checks, threat detection, and threat blocking, as well as SSL/TLS inspection, reporting, and logging. 

For example, advanced WAFs employ machine learning and signature-based detection methods to identify and block new and evolving threats. They are updated continuously to defend against threats like DDoS attacks, botnets, and other automated attacks. The layer of defense WAFs provide is crucial in maintaining the integrity and security of the data pipeline. 

Data Encryption and Management

Sensitive pieces of PII are encrypted with unique keys as soon as our APIs index them. We eschew the practice of using a single encryption key for all data, as this could allow a bad actor to decrypt everything upon breaching both key and data. Instead, each sensitive PII item is encrypted with a newly generated key, and the key is stored in a hardware security module (HSM). This approach enhances security and complies with the best data encryption and key management practices. The encrypted data is then written to our database. 

The important thing to note is that we never write clear or unencrypted plain text PII to disk; it is only in memory while in use. This means that data like social security numbers, driver’s license numbers, passport details, and bank information will never be stored in the clear and will always be encrypted and protected.  

Controlled Data Accessibility

Our risk and compliance team can access onboarding data under strictly controlled conditions for internal reviews or compliance checks. Access to sensitive PII is restricted to authorized personnel within the company who can view decrypted data one piece at a time. This method ensures that no comprehensive data snapshot can be taken, significantly reducing the risk of data leakage. All such accesses are meticulously logged to maintain a clear audit trail of data interactions.

Third-Party Data Handling

When PII is shared with third-party services for validation—disclosed within our terms of service—we ensure these third parties adhere to equal or more stringent data handling protocols than ours. This safeguards the PII throughout its lifecycle, extending our security perimeter beyond our immediate infrastructure.

Our layered security approach protects sensitive information from unauthorized access and data breaches and embeds data privacy into the operational fabric of our onboarding processes. By implementing these stringent, cutting-edge measures, we commit to maintaining the highest standards of data security, thus ensuring that our clients can trust us with their most sensitive information.