Security at Scanpay
We have built our system from the ground up with a security-by-design approach, making security considerations the core of our engineering process. You can therefore rest assured that we have implemented multiple layers of security to protect your data.
If you have any questions or concerns, please do not hesitate to contact us.
We are fully compliant with the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). Sensitive data is encrypted with AES-256-GCM and stored in multiple data centers within the European Union. The encryption key is protected with Shamir's Secret Sharing and shares are split between a few trusted employees. This ensures that no single employee can access your data on their own.
We process and store sensitive data in the following locations:
|Amazon Web Services||Elastic Compute Cloud (EC2)||Germany & Ireland||We receive, process and store all our data in two AWS EC2 regions within the European Union. Sensitive data is encrypted with AES-256-GCM.|
|Amazon Web Services||Simple Storage Service (S3)||We continuously make backups. Backups are encrypted and stored for 365 days in Amazon S3 within the European Union.|
|Google Compute Engine (GCE)||GCE is our fallback hosting provider. We only use this environment in case of technical issues or DoS attacks. We do not store data in this environment.|
Transaction data is shared with one or more of the following third parties:
|Nets A/S||An acquiring bank with a pan-European license.||Transaction data.|
|Clearhaus A/S||An acquiring bank with a pan-European license.||Transaction data and the IP address of the cardholder.|
|MobilePay A/S||A mobile payment application developed by Danske Bank A/S.||Amount, currency, merchant name, orderID, language, phone number.|
|3dsecure.io||A 3-D Secure Server (3DSS) by Clearhaus A/S.||Transaction data and the IP address of the cardholder.|
When we started Scanpay, we decided to build our platform from scratch, in the programming language C. From the very beginning, the emphasis has been on developing a secure, stable and efficient platform, with a small and auditable code base. We also insist on using very little third-party software. Here is a list of third-party software that we use and trust:
|Gentoo Linux||Source-based Linux distribution||Very low||High|
|NGINX||Web server and reverse proxy||Low||Medium|
|NAXSI||NGINX Web Application Firewall (WAF)||Low||Very low|
|OpenSSL||TLS and crypto library||Medium||Medium|
|WireGuard||Fast and secure kernelspace VPN.||Medium||Very low|
For security reasons, we only support HTTPS with TLSv1.3 on port 443. We only support Elliptic Curve Cryptography (ECC) with the following cipher suites:
We support HSTS preload, DNS CAA and other security features. You can view an SSL/TLS report here.
Before you can use our platform, you must have an API key, which is a unique key used to authenticate API requests. API keys contain a shopid and a randomly generated code, i.e. shopid:code. You can generate an API key in our dashboard after you have created a shop.
API requests are authenticated with HTTP Basic Authentication with your API key:
"Authorization: Basic " + base64_encode(apikey)
-  PCI DSS is a security standard for businesses that store, process or transmit credit cards. Since 2017, we have completed two level 1 certifications and two SAQ D certifications. You can view our current AOC here.
-  Shamir's Secret Sharing is used to secure a secret, e.g. an encryption key, in a distributed way. The secret is split into multiple parts, called shares. Two or more shares are needed to reconstruct the original secret.
-  Here transaction data refers to cardholder data, amount, currency and text-on-statement.
-  https://docs.gateway.clearhaus.com/#authorizations
-  https://docs.3dsecure.io/#get-enrollment-status
-  We use WireGuard for internal communication between Scanpay servers.