Pushpay has robust security programs to meet the requirements for reliability, confidentiality, and integrity to safeguard the trust you’ve built and keep your members’ data safe.
Aaron Senneff, Chief Technology Officer
INVESTED IN SECURITY
Dedicated Security & Privacy Staff ✔
PCI DSS Level 1 Certified Service Provider ✔
Regular manual penetration testing ✔
Secure Software Development Lifecycle ✔
Infrastructure Security ✔
Disaster Recovery Plan regularly tested ✔
Fraud detection ✔
THIRD PARTY ASSESSMENTS
PCI compliance and what it means:
Pushpay itself is a fully PCI DSS compliant Level 1 Service Provider, in addition to working with PCI-certified partners. This is the highest certification available, which means that Pushpay complies with the PCI Data Security Standard (PCI DSS). The PCI DSS is a security standard created by the credit card brands (Visa, Mastercard, etc.) based on their experience fighting off numerous security threats while securing their customers’ data. As a PCI compliant service provider, Pushpay’s software development standards, infrastructure, and organization are audited annually by a certified external party.
Manual Penetration Testing:
We hire an independent third-party firm to perform manual penetration testing of our application as part of Pushpay’s commitment to ensuring our application and the data it stores remain secure on the internet. Manual penetration testing is a more in-depth process than automated testing and vulnerability scanning. It involves hiring an external firm that uses security experts to perform testing on our application, infrastructure and networks.
APPLICATION SECURITY
Secure Coding
Pushpay employs a dedicated team of privacy and information security professionals. Our Information Security and Engineering teams work closely together to exchange ideas and best practices to ensure our applications and infrastructure remain secure. Security reviews are performed on changes and new features from design through deployment. Changes to our code base, the infrastructure, and our processes are reviewed for security risks before being implemented. No changes are released to production until they meet our security requirements. Code is peer-reviewed prior to being submitted for testing. Once code is submitted for testing, it undergoes extensive quality assurance testing to reduce and eliminate defects prior to release to production.
Infrastructure Security
Pushpay hosts our infrastructure with Amazon Web Services (AWS). AWS maintains multiple certifications for its data centers, including PCI DSS Level 1, ISO 27001, and SOC 2 (see the AWS Cloud Security page for more information on their security controls and certifications).
Pushpay uses a variety of monitoring mechanisms to provide a comprehensive view of the security and availability of the Pushpay application and infrastructure. If an alert is triggered, our Site Reliability Engineering team is available 24x7x365 to respond.
To further ensure availability of the Pushpay application, customer data, code, and all components necessary to bring Pushpay’s services online are streamed between AWS regions continuously. We have well-documented disaster recovery procedures that are tested regularly.
FRAUD DETECTION THROUGH MACHINE LEARNING
Utilizing machine learning algorithms, Pushpay is able to detect suspicious payments and alert our fraud investigation team to investigate and intervene.
CORPORATE SECURITY
Security Awareness Training:
All employees – even our CEO – are required to pass our security awareness training program upon hire and annually thereafter. Additional training is provided throughout the year via company-wide sessions, team-specific sessions, email updates, and more.
Vendor Risk Management:
Pushpay performs security reviews on our key technology providers as part of our due diligence process.
Business Continuity Plan:
Pushpay maintains a business continuity plan to ensure the continued operation of Pushpay services to its customers, end-users, employees and other stakeholders. The business continuity plan is tested at least annually.
Security questions?
If you have any questions about security, please get in touch with our team.
Read more in our Privacy Policy and Terms of Service.