PatronManager’s PCI Compliance and Payment Handling
- Supports Bluefin (U.S. & Canada) and Stripe (other geographies) for payment processing.
- Compliant with PCI-DSS 3.2.1.
- PCI Attestation of Compliance (AOC) is available upon request.
- Architected to be out of PCI-DSS scope: PatronManager never transmits, stores, or processes cardholder data (credit card numbers).
- eCommerce (online) transactions are tokenized or encrypted in the cardholder’s web browser and raw card numbers never reach PatronManager.
- Card-present or MOTO (mail order, telephone order) transactions are accepted via an SRED payment terminal that encrypts the cardholder data before it leaves the terminal.
- Use of Bluefin’s PCI-validated P2PE solution places the lowest burden of compliance on the merchant.
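The scope reduction described above rests on one invariant: the browser hands card data to the payment processor and the merchant backend only ever sees an opaque token. The following is an added example, not PatronManager's or Bluefin's/Stripe's code, showing how a merchant backend can enforce that invariant by rejecting any order payload that carries a raw PAN. The `tokenizeInBrowser` function is a constructed stand-in for a processor SDK, and the `tok_` token prefix and the sample card number are constructed test values.

```javascript
// Added example: a merchant-side guard that keeps raw card numbers out of the
// backend. Not PatronManager's code; the token format is a constructed placeholder.

// Luhn (mod-10) check over a string of digits, as used by card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Heuristic PAN detector: 13-19 digits (spaces/dashes tolerated) that pass Luhn.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a JSON-like payload and return the dotted key paths whose values look like PANs.
function findPanFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(obj)) {
    hits.push(path);
  }
  return hits;
}

// Constructed stand-in for browser-side tokenization: in a real checkout the card
// data goes straight to the processor's SDK and only a token comes back to the page.
function tokenizeInBrowser(card) {
  if (!looksLikePan(card.number)) throw new Error('invalid card number');
  const last4 = card.number.replace(/[\s-]/g, '').slice(-4);
  return { token: `tok_placeholder_${last4}`, last4 };
}

// Merchant-side gate: an order is accepted only if it carries a token and no
// field anywhere in the payload looks like a raw card number.
function acceptOrder(payload) {
  const panFields = findPanFields(payload);
  if (panFields.length > 0) {
    return { ok: false, reason: 'raw card data present', panFields };
  }
  if (typeof payload.paymentToken !== 'string' || !payload.paymentToken.startsWith('tok_')) {
    return { ok: false, reason: 'missing payment token', panFields: [] };
  }
  return { ok: true, panFields: [] };
}

// Constructed sample: a well-known test PAN, never a real card.
const sampleCard = { number: '4111 1111 1111 1111', exp: '12/30', cvc: '123' };
const sampleToken = tokenizeInBrowser(sampleCard).token;
console.log(acceptOrder({ orderId: 42, paymentToken: sampleToken }));
console.log(acceptOrder({ orderId: 42, card: sampleCard }));

module.exports = { luhnValid, looksLikePan, findPanFields, tokenizeInBrowser, acceptOrder };
```

Running the same `findPanFields` walk over request logs before they are written is the usual way to confirm the invariant holds in production; a single hit means card data has entered the environment and the PCI scope claim no longer holds.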
Privacy
- We have full time staff focused on privacy and security.
- We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
- PatronManager processes user personal data in accordance with GDPR's data protection principles and has appointed a Data Protection Officer to oversee our GDPR compliance.
- You can find our privacy policy at: https://patronmanager.com/privacy/.
Data Governance
- All data belongs to you.
- Data can be exported from PatronManager using documented Salesforce methods:
  - Organization Export
  - REST API
  - Bulk API
Hosting Environment
- PatronManager is built entirely upon the Salesforce Platform. Salesforce carries many certifications.
- Salesforce operates a distributed and redundant platform with a 24/7 NOC.
Software Development
- All software engineers receive software security training covering security best practices, including the OWASP Top Ten and mobile security best practices.
- PatronManager uses static code analysis tools to analyze code for security vulnerabilities.
- All source code is developed in accordance with a standard SDLC process that includes:
  - Security code review before code is shipped to production.
  - Execution of a continuous integration test suite.
  - Manual QA testing.
Encryption
- All web traffic is encrypted by TLS 1.2 or greater.
- PatronManager follows NIST recommendations for hashing, symmetric and asymmetric encryption.
Organization
- All staff regularly receive security training from trained professionals and must pass security quizzes testing their security awareness.
- All staff regularly receive simulated phishing tests.
- All staff must sign off on security and acceptable use policies and procedures.
Responsible Disclosure
- If you discover a vulnerability, PatronManager requests that you responsibly disclose the vulnerability to our security team by taking the following steps:
  - Do not attempt to exploit the vulnerability.
  - Email our Security Incident Response Team at security@patrontechnology.com.
  - If the contents of the vulnerability are sensitive in nature, please use our PGP key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBF1j//MBCACxqIOVGeab36yHCMqfRndP7H8o1XuQenT0O1yIZf6+27Z9Qn0x
wPB4y477I8BrIapHf4lB6nObFs3IrCvEfBwF4/QXgR5EG6ZesvqnYNYvnqWOmywy
o0BSpE03h1CTDvbqstINmjsqRLFcLs8pC78xw7Ao/mvxg3bmNk44V0lDU4Q0GjSI
+F252OFcos/JkikGPL4TZorRa+OKyJDZnBRE2WyFpBtrQ4g5BG029rlX6WjuSCKs
v6TPgS2o8yoksQD2tbLYEEQ3wIwTfhE+GI28qgrK/c+SNY2qskhfJ85WGc7l87+d
Ilfgj6jGnEg5P1UUM6l+epFklih3QYxeAB/LABEBAAG0RlBhdHJvbiBUZWNobm9s
b2d5IEluZm9ybWF0aW9uIFNlY3VyaXR5IDxzZWN1cml0eUBwYXRyb250ZWNobm9s
b2d5LmNvbT6JATgEEwECACIFAl1j//MCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
AheAAAoJEKO1jLZ11HH46IgH+wVppvN8tpPjUKkTGUtAmoHUt4dysWEylafzEMCD
oJwGDkDNnthsEIx6zfekFXyWD9Ievv/3+EIbonsw8lw0EzGkN3lXqvDdTCEogfp/
LhkTA2xEWNI7Vic8CdXM1P9xE+T1NpWVSx+FbvP1ygA6i67oEYN+IzWwmwG/AgRU
IU89W1p9vdJLQl8HVkl6E0Zo1QKZlglU3Hd9W1IBiF68z3ounc786DV+QwhnUT4z
HylB+sgiOD1SLPQV+WLtCms3gTNecJi3/IO8BBaylXmkvqbqdPTrkoq3+iSLyq3c
bsVszrS/xxnR2c7cbIlUB25tazmNOJYaB2jeK0CG0g3tBNm5AQ0EXWP/8wEIALxV
iyBnQLfXhP/ZK/vsQUXkd5gB0nmdn79w8LYes7uW5MZWmoD6wqumNZxzzR5TG0pg
D4WdegjqXLs/XJTGj0EHjAr1peQhtoHbcRcZTC/oan9wjGCTCuB2bS/8GLlcSRHC
6MO3Q9vWmVf8yQUfNBP59P/gv+vbvyu68Ud8gsz7PkisnxF06IvX3JfFR42tctbe
BViPWl/FwLqu4fHr/pjdR8XkE7Xozhor+coR77uEIGnwxLGj0f6conI7yrVDqf/i
+ToucemElNYgWz0zrY1oh4liM8DI82WyXsAc098Bw3EXPadtOeZFm00XjqD5+G6q
j1oPz98yeUdHNXai06EAEQEAAYkBHwQYAQIACQUCXWP/8wIbDAAKCRCjtYy2ddRx
+MzDB/9J5u7eBU+GEU7YxQKioZHaszQeQfhWBSHAKlY1N2WlB+YX4YVcHC+8NWvf
H8aYM3sIEdpFBwQyHS4KieQ4oqGNxd89lEor+q3l0WH7CUF86BfaTsOs6mIL/lDE
bDTbzhNgiB3X46SlVRe8opFY4H2LZJdirtkZTHGMhTxECFTrwT5XTI0ylINMe1cf
C1FGeAw1SGoRSIHX4CXSIBmkn8QeW+ls1L3neCysWo207/4RW1hlgngvqVmcCum/
t92SKmAFWoMJ0T5KtkKmnjwIeIkVlbLms9vaqyHFN1YQW7S86BJO+Jwc3vbGSGWm
tCg3+aUBuGgaNb5gJOdSkAZQCn/u
=EcV3
-----END PGP PUBLIC KEY BLOCK-----