Pushpay Security Information for IT

As an information technology specialist, you’re already well versed in the threats posed by cybercriminals and inefficient security systems. As such, it’s understandable for you to be a little hesitant about partnering with a company that requires the exchange of highly sensitive personal and financial information.

Maybe you’ve been asked by a pastor or church administrator to check out Pushpay as a potential partner for online giving or church management software, or maybe you simply want to know the congregation’s data is protected and secure. Either way, we’re thankful for churches who take security as seriously as we do.

The purpose of this article is to give you a quick overview of Pushpay security protocols to hopefully convince you that information security and safety is of utmost importance to us. With Pushpay, you can rest assured that we’re protecting your congregation’s personal information with robust security measures designed with confidentiality, reliability, and integrity in mind.

Pushpay Security: How We Protect Your Information

Employee Training

On a personnel level, every one of our employees – from the CEO to members of our sales team – must complete a security awareness training course when they’re hired and every year after that. Also, throughout the year, our IT/Security Team provides additional training via company-wide sessions, team-specific seminars, and email updates.

A Dedicated Team

Pushpay employs a dedicated team of privacy and information security professionals. Our Information Security and Engineering teams work closely together to exchange ideas and best practices to ensure our applications and infrastructure remain secure.

Security Reviews & Quality Assurance Testing

Security reviews are performed on changes and new features from design through deployment. Changes to our code base, the infrastructure, and our processes are reviewed for security risks before being implemented. No changes are released to production until they meet our security requirements. Code is peer-reviewed prior to being submitted for testing. Once code is submitted for testing, it undergoes extensive quality assurance testing to reduce and eliminate defects prior to release.

PCI-DSS Compliant Level 1 Service Provider

From an information security perspective, Pushpay itself is a fully PCI-DSS Compliant Level 1 Service Provider, in addition to working with PCI-certified partners. This means Pushpay meets the highest level of security standards for the payment card industry. The PCI-DSS is a security standard created by credit card companies (like Visa, Mastercard, etc.) based on their experiences fighting off numerous security threats while securing their customer’s data. As a PCI-compliant service provider, Pushpay’s software development standards, infrastructure, and organization are audited annually by a certified external party.

Third-Party Penetration Testing

In addition to our PCI audit, we hire an independent third-party firm to perform manual penetration testing of our applications as part of Pushpay’s commitment to ensuring the data we store remains secure on the Internet. Manual penetration testing is a more in-depth process than automated testing and vulnerability scanning. It involves hiring an external firm utilizing security experts to perform testing on our application, infrastructure and networks.

Certified Infrastructure Host

Pushpay hosts our infrastructure with Amazon Web Services (AWS). AWS maintains multiple certifications for its data centers, including PCI-DSS Level 1, ISO 27001, and SOC2 (view the AWS Cloud Security page for more information on their security controls and certifications).

Disaster Recovery Procedures

To further ensure availability of Pushpay applications, customer data, code, and all components necessary to bring Pushpay’s services online are streamed between AWS regions continuously. We have well-documented disaster recovery procedures that are tested regularly.

Monitoring Systems

Pushpay uses a variety of monitoring systems to provide a comprehensive view of our security infrastructure and network. If there’s an alert triggered, our Site Reliability Engineering team is available to respond at any day or hour of the week.

Fraud Detection System

In addition to all of these security measures, we’ve implemented an advanced fraud detection system that uses machine-learning algorithms designed to alert our fraud investigative team of any suspicious activity occurring within any of our platforms.

You Can’t Put a Value On Great Security

As we mentioned in the introduction, cybercrimes pose real risks in our digital world. However, you can mitigate a lot of that risk by partnering with companies that prioritize information security and data protection.

Sometimes going with the cheapest or most affordable online giving partner means sacrificing the security of your congregation. Partnering with an organization that skimps out on information security may cost you a lot more than you’re saving in the long run.

At Pushpay, you can rest easy knowing that you’ve partnered with a company that meets the highest online security standards and is proactively seeking out opportunities to improve our security infrastructures.

We’ve also written a slightly less technical version of this article you can share with your pastor or other members of your church leadership team.