SoftSlate PCI Compliance Overview
SoftSlate is committed to maintaining the highest level of security and compliance to protect your business and your customers' sensitive data. This overview summarizes the key elements of our Payment Card Industry Data Security Standard (PCI DSS) policy, which governs our infrastructure and processes. Our comprehensive approach is designed to minimize risk and assure our current and prospective clients of our dedication to a secure service environment.
SoftSlate and Cardholder Data
A core element of SoftSlate's security architecture is minimizing exposure to Cardholder Data (CHD) and Sensitive Authentication Data (SAD).
- E-commerce Redirection Model: SoftSlate operates as an "E-commerce (web) Redirection Server." The platform hands the shopper off to a third-party payment page, so cardholder data never passes through SoftSlate's systems: SoftSlate does not store or transmit it.
- Direct Third-Party Submission: All cardholder data is submitted directly from the end user's browser to the third-party payment gateway you have chosen (e.g., Authorize.net, PayPal).
- Mandatory Encryption: Transport encryption is enforced throughout the application environment. The load balancer redirects all unencrypted HTTP traffic (port 80) to HTTPS (port 443), and Content-Security-Policy (CSP) headers, through their script-src and frame-src directives, restrict the scripts and iframes a payment form may load to trusted third-party payment processors served over HTTPS.
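As an added illustration of the CSP part of this control (example code written for this overview, not SoftSlate's own configuration or tooling): a small Python checker that parses a Content-Security-Policy header, resolves the fallback from script-src and frame-src to child-src and default-src the way a browser does, and flags any source expression that would let a payment form load script or iframes from somewhere other than an allow-listed HTTPS payment-processor origin. The processor hostnames in TRUSTED_ORIGINS and the two sample policies are constructed for the example; substitute the hostnames your gateway documents.

```python
"""Audit a Content-Security-Policy header for a hosted payment form.

Added example for this overview; not SoftSlate's code. The processor
origins in TRUSTED_ORIGINS are assumed values chosen for illustration.
"""
from urllib.parse import urlsplit

# Assumed allow-list: the HTTPS origins the payment form may load script and
# iframes from. Replace with the hostnames your gateway documents.
TRUSTED_ORIGINS = {
    "https://js.authorize.net",
    "https://www.paypal.com",
}

# CSP fallback order: when a directive is absent, the browser consults the
# next name in its list (frame-src falls back to child-src, then default-src).
FALLBACKS = {
    "script-src": ("script-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
}


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`, or None if nothing does."""
    for name in FALLBACKS[directive]:
        if name in policy:
            return policy[name]
    return None


def check_source(src, allowed):
    """Describe why one source expression is unacceptable, or return None."""
    s = src.lower()
    if s in ("'none'", "'self'") or s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
        return None
    if s == "*":
        return "* matches every origin"
    if s in ("'unsafe-inline'", "'unsafe-eval'"):
        return f"{src} permits inline or eval'd script"
    if s.endswith(":"):
        # "https:" alone satisfies "over HTTPS" but allows any host at all
        return f"scheme-only source {src} matches every {s[:-1]} host"
    if s.startswith("http://"):
        return f"{src} allows cleartext delivery"
    if not s.startswith("https://"):
        return f"{src} is not pinned to https"
    if "*" in s:
        return f"wildcard host in {src}"
    parts = urlsplit(s)
    origin = f"{parts.scheme}://{parts.netloc}"  # path sources compare by origin
    if origin not in allowed:
        return f"{origin} is not a trusted payment processor"
    return None


def audit_csp(header, allowed=TRUSTED_ORIGINS):
    """Return findings for script-src and frame-src; an empty list means acceptable."""
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACKS:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: no directive and no default-src, so unrestricted")
            continue
        for src in sources:
            problem = check_source(src, allowed)
            if problem:
                findings.append(f"{directive}: {problem}")
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; frame-src *"
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.authorize.net; "
    "frame-src https://www.paypal.com; "
    "object-src 'none'"
)

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {audit_csp(csp) or ['ok']}")
```

The checker deliberately rejects a bare `https:` source: it meets the "via HTTPS" requirement but lets the form pull script from any HTTPS host, which is not the "trusted processors only" property the control describes. It only examines where script and iframes come from; if your form posts card data directly to the gateway rather than loading the gateway's iframe, `form-action` deserves the same allow-list treatment.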
Key Security Controls and Protection Mechanisms
Even though cardholder data is not directly processed, SoftSlate has implemented numerous controls across its network and systems to safeguard the platform and maintain a secure environment.
| Control Area | Summary |
| --- | --- |
| Network Security | Network security controls (NSCs) are implemented, configured, and reviewed regularly so that only necessary traffic is permitted. A Web Application Firewall (WAF) provides continuous detection and blocking of web-based attacks and mitigates Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. |
| Malicious Software Protection | Automated malware scans run against our web servers and public artifacts. Web server instances are automatically replaced on a regular schedule. Anti-malware mechanisms are actively maintained and cannot be disabled or altered by users. |
| Access Control | We follow the Principle of Least Privilege: every user and system account holds only the minimum access its function requires. Multi-Factor Authentication (MFA) is mandatory for all interactive access to the system, and access privileges are reviewed regularly. |
| Secure Development & Change Management | All changes to system components and software go through a formal change control process that documents the security impact of each change and requires testing before deployment. Code review is mandatory for all code, and automated security analysis tooling is used to detect vulnerabilities in both custom code and third-party libraries. |
| Policy Governance | All controls and security-related activities, including malware scan results and access control reviews, are reviewed and documented on a regular schedule so that compliance can be verified continuously. |