As a comprehensive, global Payments-as-a-Service platform, CCBill maintains a backend system which securely stores the sensitive credit card data of our merchants' customers. By doing so, we are able to provide more features to the merchants and consumers that trust CCBill as an online payment processing solution.
These features include:
- Subscription Rebills: we allow consumers to purchase a subscription for an initial amount and a recurring amount for a provided timeframe (up to 99 times). The amounts and timeframes can be easily configured by the merchant. By securely storing the credit card, every time a rebill is initiated (e.g. every month), the card is fetched and a transaction is automatically processed.
- Card Blacklisting: we keep tabs on cards which have been blacklisted and prevent them from being used again. This can be used to tackle fraud in conjunction with other similar systems such as Vscrub and country blacklisting.
- Reporting: buyers can search for subscriptions they bought by using their credit card information as a search input parameter, in addition to other parameters such as email and subscription ID.
- CCBill Pay: a safer, quicker, and easier way of buying online subscriptions. Consumers can store all their payment cards and preferred local payment methods in a single place, and make future payments with a simple login and pay, from any device, at any time, from anywhere.
To achieve the highest level of security, sensitive information is stored securely in our Secure Storage system. Data is stored to PCI DSS (Payment Card Industry Data Security Standard) standards, against which an audit is carried out on a yearly basis. This ensures that storage of sensitive information meets very high standards, derived from policies set by major credit card companies such as Visa and MasterCard. These policies include not storing CVV values and not logging credit card numbers.
CCBill’s Secure Storage system is implementation agnostic and easily extendable. This means we’re not tied to a specific implementation of how sensitive information is actually being stored. Alternative options can be explored and data can be easily migrated from one system to another. In addition, we can opt to store in more than one secure system.
Currently, we're integrating with StrongAuth (https://www.strongauth.com/) as our main secure storage. StrongAuth is a third party company focusing specifically on data storage and security. They provide what's known as a SAKA (StrongAuth Key Appliance) box, a rack-mountable server delivered as a complete hardware and software solution. These SAKA boxes are designed to work with a minimum of two appliances, so that in case of failure in one box, a request can fail over to another box. Integration with StrongAuth is very simple, as they provide a secure webservice and a WSDL file which specifies the contract used to send requests and read responses. From our end, all that's needed is to generate client code based on the WSDL; with that we can encrypt credit cards (i.e. store them on StrongAuth and receive back a token ID linking to them), decrypt tokens (i.e. get the card number associated with a token), and search for credit cards (i.e. get the token linked with a card, or learn that the card is not stored in StrongAuth).
StrongAuth is PCI-compliant, and ensures that the solution provided abides by the policies outlined by PCI DSS, such as rotating the data-encryption keys used to store information at least once a year. We have three SAKA boxes installed at the following sites: US west coast (Phoenix, Arizona), US east coast (Ashburn, Virginia), and the Netherlands (Europe). Having StrongAuth's system deployed in multiple sites allows us to ensure continuity and data redundancy in case one of the sites is problematic.
Furthermore, the plan is to deploy the Secure Storage system (the one that integrates with StrongAuth) on the same three sites where the SAKA boxes are deployed. This has a two-fold benefit. First is performance: incoming requests to store or retrieve credit cards will be redirected to the nearest StrongAuth site and handled faster. Second is redundancy: in case one of the sites goes down, Secure Storage processing will be redirected to the nearest site which is still active.
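To make the architecture above concrete, here is an added example (not CCBill's or StrongAuth's code) of an implementation-agnostic storage facade that tokenizes a card, resolves a token back to a card, searches for a stored card, fails over from an unavailable appliance to the next one, and keeps full card numbers and CVVs out of its logs. The appliance class, the shared `replica` dict that stands in for cluster replication, and the keyed-hash lookup are all constructed assumptions for the mock.

```python
import hashlib
import hmac
import secrets

class VaultUnavailable(Exception):
    """An appliance could not serve the request."""

def mask_pan(pan):  # PCI-safe form for logs: first six and last four digits only
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class MockAppliance:
    """Stand-in for one key appliance (constructed mock, not StrongAuth's API);
    `replica` is a dict shared by the appliances to imitate cluster replication."""
    def __init__(self, name, replica, lookup_key, healthy=True):
        self.name, self.healthy, self._db, self._key = name, healthy, replica, lookup_key
    def _up(self):
        if not self.healthy:
            raise VaultUnavailable(self.name)
    def _fingerprint(self, pan):  # keyed hash: search without comparing plaintext PANs
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
    def encrypt(self, pan):
        self._up()
        fp = self._fingerprint(pan)
        if fp not in self._db["by_fp"]:  # same card -> same token
            token = secrets.token_hex(16)
            self._db["by_fp"][fp] = token
            self._db["by_token"][token] = pan  # a real appliance encrypts this at rest
        return self._db["by_fp"][fp]
    def decrypt(self, token):
        self._up()
        return self._db["by_token"][token]
    def search(self, pan):
        self._up()
        return self._db["by_fp"].get(self._fingerprint(pan))

class SecureStorage:
    """Implementation-agnostic facade: tries appliances nearest-first, fails over."""
    def __init__(self, appliances):
        self.appliances, self.log = list(appliances), []  # log never holds a full PAN
    def _call(self, op, *args):
        for app in self.appliances:
            try:
                return getattr(app, op)(*args)
            except VaultUnavailable:
                self.log.append(f"{app.name} unavailable for {op}, failing over")
        raise VaultUnavailable("all appliances")
    def store(self, pan):  # CVV is never passed in here: PCI DSS forbids persisting it
        token = self._call("encrypt", pan)
        self.log.append(f"stored {mask_pan(pan)} as token {token[:8]}...")
        return token
    def card_for(self, token):
        return self._call("decrypt", token)
    def token_for(self, pan):
        return self._call("search", pan)
```

Ordering the appliance list by proximity to the calling site gives the nearest-site-first behaviour described above; the same card always maps to the same token, so rebills and blacklist checks can key on the token.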
In conclusion, by storing credit cards, a number of features can be provided to both merchants and their customers using CCBill. This facilitates securely processing transactions and maintaining our strong support services, while preserving the highest level of security and data compliance. As a company, everything is done to ensure strong security when it comes to both processing and storing sensitive information, including leveraging third party solutions such as StrongAuth that help us meet our security requirements.