Security at Scanpay
We have built our system from the ground up with a security-by-design approach, making security considerations the core of our engineering process. You can therefore rest assured that we have implemented multiple layers of security to protect your data.
If you have any questions or concerns, please do not hesitate to contact us.
We are fully compliant with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). Sensitive data is encrypted with AES-256-GCM and stored in multiple data centers within the European Union. The encryption key is protected with Shamir's Secret Sharing and only a few trusted employees have a share of the key. This ensures that no single employee can access your data on their own.
We process and store sensitive data in the following locations:
|Amazon Web Services, Elastic Compute Cloud (EC2), Germany & Ireland||We receive, process and store all our data in two AWS EC2 regions within the European Union. Sensitive data is encrypted with AES-256-GCM.|
|Amazon Web Services, Simple Storage Service (S3)||We continuously make backups. Backups are encrypted and stored for 365 days in Amazon S3 within the European Union.|
|Google Compute Engine (GCE)||GCE is our fallback hosting provider. We do not use this environment unless necessary due to technical issues at AWS or DoS attacks.|
We share some transaction data with your acquiring bank and the 3-D Secure network. This is limited to the following trusted partners:
|Nets A/S||An acquiring bank with a pan-European license.||Transaction data.|
|Clearhaus A/S||An acquiring bank with a pan-European license.||Transaction data and the IP address of the cardholder.|
|MobilePay A/S||A mobile payment application developed by Danske Bank A/S.||Amount, currency, merchant name, orderID, language, phone number.|
|3dsecure.io||A 3-D Secure Server (3DSS) by Clearhaus A/S. All transactions are shared with this server.||Transaction data and the IP address of the cardholder.|
When we started Scanpay, we decided to build our payment platform from scratch in the programming language C. From the very beginning, the emphasis has been on developing a secure, stable and efficient platform with a small and auditable code base. To this end, we developed a key-value database system that is immune to many attack vectors, including SQL injection.
Most security breaches occur because of vulnerabilities in third-party software. For this reason, we use very little third-party software. Here is a list of third-party software that we use and trust:
|Gentoo Linux||Source-based Linux distribution||Very low||High|
|NGINX||Web server and reverse proxy||Low||Medium|
|NAXSI||NGINX Web Application Firewall (WAF)||Low||Very low|
|OpenSSL||TLS and crypto library||Medium||Medium|
|WireGuard||Fast and secure kernelspace VPN||Medium||Very low|
We continuously monitor and scan our systems for vulnerabilities and, in accordance with PCI DSS, we regularly perform ASV scans and pentesting.
For security reasons, we only support HTTPS with TLSv1.3 on port 443. We only support Elliptic Curve Cryptography (ECC) with the following cipher suites:
We support HSTS preload, DNS CAA and other security features. You can view an SSL/TLS report here.
Before you can use our platform, you must have an API key, which is a unique key used to authenticate API requests. API keys contain a shopid and a randomly generated code, i.e. shopid:code. You can generate an API key in our dashboard after you have created a shop.
API requests are authenticated with HTTP Basic Authentication with your API key:
"Authorization: Basic " + base64_encode(apikey)
-  PCI DSS is a security standard for businesses that store, process or transmit credit cards. Since 2017, we have completed two level 1 certifications and two SAQ D certifications. You can view our current AOC here.
-  This includes cardholder data, amount, currency and text-on-statement.
-  https://docs.gateway.clearhaus.com/#authorizations
-  https://docs.3dsecure.io/#get-enrollment-status
-  We use WireGuard for internal communication between Scanpay servers.