Security at Qualpay

Your data and your customers' data are important to us.

Besides adhering to all industry guidelines and standards, we make security our priority. If we cannot do something securely, we will not do it.

Taking care of your data and your customers' data is important to us. We apply all of the latest vendor security patches as soon as they become available and routinely audit our systems for vulnerabilities. If you have any questions about security at Qualpay, please contact pci@qualpay.com.

COMPLIANCE - OUR RESPONSIBILITY

Level 1 PCI DSS Compliant Service Provider

Qualpay is a PCI DSS Level 1 certified service provider. We complete an assessment by an approved QSA (Qualified Security Assessor) each year, and upon completing the assessment we become listed in the PCI Council's list of approved vendors. Please contact us at pci@qualpay.com for details about our most recent security audit.

Card Brand Compliance

Qualpay adheres to the guidelines set forth by the card brands and is listed as a compliant service provider by both Visa's and Mastercard's security programs.

COMPLIANCE - YOUR RESPONSIBILITY

We require that all merchants processing with Qualpay validate compliance with PCI DSS. To make this process as easy as possible, we have partnered with Security Metrics to provide online SAQs and scanning services for you.

Qualpay Products

We have designed products that will help you remove sensitive payment information from your payment environments. Qualpay Checkout and Embedded Fields remove the collection of payment data at the time of checkout, and Qualpay Customer Vault eliminates the need to store payment data on a merchant server.

Security keys for Qualpay's API products have been designed so that they can be limited to a specific Qualpay API. This means that you can generate an API security key that will only work with the Qualpay Customer Vault to use with your CRM system. This key cannot be used with any other Qualpay APIs, so if it is compromised at the CRM system, the attacker will not have access to your Payment Gateway API key for transaction processing.


We recommend that each user use Multi-Factor Authentication (MFA) for access to Qualpay's online portals. MFA requires a second piece of information in addition to the user password at login to verify the user's identity.

Encryption

All card data is encrypted at rest with AES-128. Each individual encrypted item is encrypted with a unique derived encryption key, and the master key from which these keys are derived is rotated annually. Card data is decrypted systematically prior to transmission to our processing partner.

Qualpay forces HTTPS for all services using TLS 1.2, including our public website, Qualpay Manager, and Qualpay Payment Gateway. Qualpay uses HSTS (HTTP Strict Transport Security) to ensure browsers interact with Qualpay only over HTTPS. All of Qualpay's APIs require TLS 1.2.