END-TO-END ENCRYPTED SOLUTIONS

Learn about platform security at CHC

 

❁ CHC has designed a solution that puts security as the top priority

Cybersecurity+Graphic.png

CHC does not handle financial data directly

Therefore, we avoid the need for most SOC2 and HEVCAT compliance requirements. We rely on Stripe, a Level 1 PCI compliant gateway for these assurances. 

CHC leverages a bank grade firewall for PII data, which was proposed and vetted by Mastercard’s Global Tech and Security team.

Summary of Data Security and Compliance Protocols: 

  • No sensitive financial data ever hits CHC servers and credentials can therefore never be stored or accessed

  • All PII data is secured with SSL Encryption and will never be exchanged, licensed or sold to third parties.

  • All transactions are anonymized to ensure privacy

  • All Data is Encrypted at rest and in Transit

  • For ACH functions, multi-factor authentication and personal identifiers ensure unwanted access is prevented

  • No principal, employee or contractor can gain access to sensitive financial data because it is all tokenized via Stripe

  • The system was incubated within the banking sector via Barclays Bank and their penetration/security auditing agency.

  • PII Data stored in MongoDB, hosted on Amazon Web Services

  • All platforms use RESTful Node.js services

About Stripe 

Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

 
stripe-payment-logo.png

HTTPS and HSTS for secure connections

  • Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard.

  • Stripe.js is served only over TLS

  • Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection

  • We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.

Encryption of sensitive data and communication

All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allow list. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).

Additional Security for PII Data

Aside from publicly available data like first name, last name and amount given, all of the data filters available through the API are set up to receive specific input types. Without valid ObjectIds, errors are thrown before connecting to the database. The system also never contacts anything from client properties. Mongoose is used as an ODM for additional layers of security, and even if all of this were to fail, the system checks if the user that sent the request has permission to view that data before sending it back to the client. This is checked before retrieving the data and we add filters to the query depending on the users right to access. After that, the system remove any data that the user isn’t allowed to read from the response before sending it back to the client. In other words, sensitive data cannot be sent to the client.

Reach out with Questions

Connect with CHC experts on security and compliance.