
Security at Scanpay

We have built our system from the ground up, with a security by design approach, making security considerations the core of our engineering process. You can therefore rest assured that we have implemented multiple layers of security to protect your data.

If you have any questions or concerns, please do not hesitate to contact us.

Data protection

We are fully compliant with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).[1] Sensitive data is encrypted with AES-256-GCM and stored in multiple data centers within the European Union. The encryption key is protected with Shamir's Secret Sharing and only a few trusted employees have a share of the key. This ensures that no single employee can access your data on their own.

We process and store sensitive data in the following locations:

Company: Amazon Web Services, Elastic Compute Cloud (EC2), Germany & Ireland
Description: We receive, process and store all our data in two AWS EC2 regions within the European Union. Sensitive data is encrypted with AES-256-GCM.

Company: Amazon Web Services, Simple Storage Service (S3), European Union
Description: We continuously make backups. Backups are encrypted and stored for 365 days in Amazon S3 within the European Union.

Company: Google Cloud, Google Compute Engine (GCE), Germany
Description: GCE is our fallback hosting provider. We do not use this environment unless necessary due to technical issues at AWS or DoS attacks.

We share some transaction data with your acquiring bank and the 3-D Secure network. This is limited to the following trusted partners:

Company: Nets A/S
Description: An acquiring bank with a pan-European license.
Data: Transaction data.[2]

Company: Clearhaus A/S
Description: An acquiring bank with a pan-European license.
Data: Transaction data and the IP address of the cardholder.[3]

Company: MobilePay A/S
Description: A mobile payment application developed by Danske Bank A/S.
Data: Amount, currency, merchant name, orderID, language, phone number.

Company: 3dsecure.io
Description: A 3-D Secure Server (3DSS) by Clearhaus A/S. All transactions are shared with this server.
Data: Transaction data and the IP address of the cardholder.[4]

Software security

When we started Scanpay, we decided to build our payment platform from scratch in C. From the very beginning, the emphasis has been on developing a secure, stable and efficient platform with a small and auditable code base. To this end, we developed a key-value database system that is immune to many attack vectors, including SQL injection.

Most security breaches occur because of vulnerabilities in third-party software. For this reason, we use very little third-party software. Here is a list of third-party software that we use and trust:

Software        Description                              Risk       Impact
Gentoo Linux    Source-based Linux distribution          Very low   High
NGINX           Web server and reverse proxy             Low        Medium
NAXSI           NGINX Web Application Firewall (WAF)     Low        Very low
OpenSSL         TLS and crypto library                   Medium     Medium
WireGuard       Fast and secure kernelspace VPN [5]      Medium     Very low

We continuously monitor and scan our systems for vulnerabilities and, in accordance with PCI DSS, we regularly perform ASV scans and pentesting.

Transmission security

(Image: 2020 Q1 SSL report from ssllabs.com)

For security reasons, we only support HTTPS with TLSv1.2 and TLSv1.3 on port 443. We only support Elliptic Curve Cryptography (ECC) with the following cipher suites:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-CBC-SHA256
  • ECDHE-ECDSA-AES256-CBC-SHA384
  • ECDHE-ECDSA-AES128-CBC-SHA

We support HSTS preload, DNS CAA and other security features. You can view an SSL/TLS report here.

Request authentication

Before you can use our platform, you must have an API key, which is a unique key used to authenticate API requests. API keys contain a shopid and a randomly generated code, i.e. shopid:code. You can generate an API key in our dashboard after you have created a shop.

API requests are authenticated with HTTP Basic Authentication, using your API key as the credential: "Authorization: Basic " + base64_encode(apikey). Base64 is an encoding, not encryption, which is why the API is only reachable over HTTPS (see Transmission security above).
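As an added example (not Scanpay's own client or server code), the following shows both sides of the scheme described above: building the header from a shopid:code key, and a hypothetical server-side check that parses it back and compares the code in constant time. The API key is a constructed sample, not a real key.

```python
import base64
import binascii
import hmac

# Constructed sample key for illustration only; real keys come from the dashboard.
SAMPLE_API_KEY = "1234:k8f2Qz9LwXpR7vT3"


def build_authorization_header(apikey: str) -> str:
    """Client side: "Authorization: Basic " + base64_encode(apikey)."""
    token = base64.b64encode(apikey.encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_authorization_header(header: str):
    """Server side (hypothetical): recover (shopid, code) from the header.

    Returns None for anything that is not a well-formed Basic credential,
    so the caller never acts on partially parsed input.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The key is shopid:code; split on the first colon only.
    shopid, sep, code = raw.partition(":")
    if not sep or not shopid or not code:
        return None
    return shopid, code


def authenticate(header: str, expected_keys: dict) -> bool:
    """Look up the shop by shopid, then compare the code in constant time.

    expected_keys maps shopid -> code (a hypothetical credential store).
    """
    parsed = parse_authorization_header(header)
    if parsed is None:
        return False
    shopid, code = parsed
    expected = expected_keys.get(shopid)
    if expected is None:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(code.encode("utf-8"), expected.encode("utf-8"))
```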


Footnotes