Security and reliability
Prohibited data storage
In line with PCI DSS, Staqq does not store sensitive authentication data after authorisation: full magnetic-stripe track data (Track 1 or Track 2, or the equivalent data read from a chip), card verification codes (CVV2, CVC2, CID) or PIN blocks. PCI DSS prohibits storing this data even in encrypted form.
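A practical way to enforce that prohibition is to scan every record for sensitive authentication data (SAD) before it is written to a database or log, and to drop the offending fields rather than the whole record. The Go program below is an added example of such a pre-storage check; it is not part of Staqq's platform. The field names it recognises and the sample transaction (a test PAN with a Track 2 swipe, CVV2 and PIN block) are constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding names a field that carries sensitive authentication data (SAD).
type Finding struct {
	Field string
	Kind  string // "track1", "track2", "cvv" or "pin_block"
}

// Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
var track2Re = regexp.MustCompile(`;(\d{12,19})=(\d{4})(\d{3})(\d*)\?`)

// Track 1: %B<PAN>^<name>^YYMM<service code><discretionary>?
var track1Re = regexp.MustCompile(`%B(\d{12,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?`)

// Field names (assumed for this example) that hold a verification code or a PIN
// block. A bare 3-digit CVV looks like any other short number, so it can only be
// caught by the name of the field carrying it.
var namedSAD = map[string]string{
	"cvv": "cvv", "cvv2": "cvv", "cvc2": "cvv", "cid": "cvv", "cav2": "cvv",
	"pin": "pin_block", "pin_block": "pin_block", "pinblock": "pin_block",
}

// luhnValid applies the Luhn check digit test so that a digit string which merely
// looks like track data is not flagged. The regexes guarantee pan is 12-19 digits.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

// ScanRecord inspects a flat key/value record (a transaction about to be persisted
// or logged) and reports every field holding SAD, sorted by field name.
func ScanRecord(rec map[string]string) []Finding {
	keys := make([]string, 0, len(rec))
	for k := range rec {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	var out []Finding
	for _, k := range keys {
		v, kind := rec[k], namedSAD[strings.ToLower(k)]
		switch {
		case v == "":
		case kind != "":
			out = append(out, Finding{k, kind})
		default:
			if m := track2Re.FindStringSubmatch(v); m != nil && luhnValid(m[1]) {
				out = append(out, Finding{k, "track2"})
			} else if m := track1Re.FindStringSubmatch(v); m != nil && luhnValid(m[1]) {
				out = append(out, Finding{k, "track1"})
			}
		}
	}
	return out
}

// Redact returns a copy of rec with every SAD-bearing field removed, plus the
// findings behind each removal. The PAN stays: PCI DSS permits storing it provided
// it is rendered unreadable at rest.
func Redact(rec map[string]string) (map[string]string, []Finding) {
	findings := ScanRecord(rec)
	clean := make(map[string]string, len(rec))
	for k, v := range rec {
		clean[k] = v
	}
	for _, f := range findings {
		delete(clean, f.Field)
	}
	return clean, findings
}

// sampleRecord is a constructed transaction with a test PAN; raw_swipe, cvv2 and
// pin_block are the fields that must never reach storage.
func sampleRecord() map[string]string {
	return map[string]string{
		"merchant_id": "M-10042", "amount": "12.99", "auth_code": "A1B2C3",
		"pan": "4111111111111111", "expiry": "2512", "cvv2": "123",
		"raw_swipe": ";4111111111111111=25121011234567890?", "pin_block": "0123456789ABCDEF",
	}
}

func main() {
	clean, findings := Redact(sampleRecord())
	fmt.Println("kept", len(clean), "fields; dropped:", findings)
}
```

Track data is recognised by its format and confirmed with a Luhn check, so random digit strings are not flagged; a card verification code, by contrast, is only three or four digits and can be caught solely by the name of the field carrying it, so a CVV that arrives under an unexpected field name would slip through. A scanner like this belongs in the code path that persists or logs records, as one control among several, not in a periodic sweep after the data has already landed.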
Data at rest encryption
Stored cardholder data is protected with a combination of symmetric and asymmetric encryption, using key lengths above the PCI DSS minimums, in a scheme that has been assessed by our Qualified Security Assessor (QSA).
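The paragraph above does not say how the symmetric and asymmetric algorithms are combined. The usual pattern is envelope encryption: each record is encrypted under a fresh symmetric data key, and that key is wrapped under a long-lived asymmetric key-encryption key whose private half can be kept in an HSM. The Go program below is an added illustration of that pattern using AES-256-GCM for the data and RSA-3072 with OAEP for the key wrap; it is not Staqq's code and does not describe the scheme its QSA assessed. The sample record, the transaction identifier used as associated data and the `cardholder-dek-v1` label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// oaepLabel (an assumed name) binds wrapped keys to this purpose so a DEK cannot
// be passed off as some other OAEP-wrapped blob under the same KEK.
var oaepLabel = []byte("cardholder-dek-v1")

// Envelope is the stored form of one record: the data encrypted under a fresh
// per-record AES-256 key (DEK), plus that DEK wrapped under the RSA KEK.
type Envelope struct {
	WrappedDEK []byte // RSA-OAEP(SHA-256) of the 32-byte DEK
	Nonce      []byte // 96-bit GCM nonce, fresh for this DEK
	Ciphertext []byte // AES-256-GCM output with the tag appended
}

// Seal encrypts plaintext for storage. aad (here the record identifier) is
// authenticated but not encrypted, so an envelope moved to another record fails to open.
func Seal(kek *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open unwraps the DEK with the private KEK and decrypts. Any change to the
// ciphertext, nonce, wrapped key or aad makes it return an error.
func Open(kek *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// NewKEK generates a 3072-bit RSA key-encryption key. In production the private
// half would be generated and held in an HSM or KMS, never in this process.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 3072)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the transaction id is the associated data.
	env, err := Seal(&kek.PublicKey, []byte(`{"pan":"4111111111111111","expiry":"2512"}`), []byte("txn-000001"))
	if err != nil {
		panic(err)
	}
	got, err := Open(kek, env, []byte("txn-000001"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", got)
}
```

Because only the data keys are wrapped under the KEK, rotating the KEK means re-wrapping 32-byte keys rather than re-encrypting every record, and the private key never needs to be present on the hosts that write data. Using the record identifier as associated data ties each envelope to its record, so a ciphertext copied between rows fails authentication on decryption.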
Our data centres are located to serve our core geographic regions, keeping latency to a minimum for our customers and their merchants. Wherever possible we peer as close as we can to major Internet Exchanges such as LINX, NYIIX and AMS-IX, further reducing latency and the number of hops to our processing network.
Our core infrastructure is engineered with high levels of redundancy and resilience. Staqq’s critical systems have dual PSUs fed from two independent UPS platforms. All data is stored on RAID-based SAN systems and is in turn replicated to our nearest geographical data centre for further resilience. Every server is connected to our internal networks through at least two network interfaces, and our internal networking is provided by dual independent switches.
We operate six geographically diverse data centres, four in North America and two in Europe, so that service continues through a localised or wider regional event. The infrastructure is designed to avoid single points of failure, and our service providers are likewise diverse in location, network paths and core routing equipment. We only use providers that maintain at least two physical fibre entry points into our data centres and multiple diverse paths into their own core networks.
Our internet-facing systems are probed from points around the world at least every five minutes to assess availability. Staqq’s entire infrastructure is monitored by internal monitoring platforms that alert our engineers, around the clock and every day of the year, to predicted failures, warnings and hard errors. The aim is to detect and resolve issues before they affect transaction processing.
We run automated vulnerability scans several times a week against both our internet-facing and internal infrastructure to assess our attack surface. Every six months Staqq also commissions in-house experts and independent third parties to perform manual and automated penetration testing.
The Staqq network is built to stringent security standards and best practice, with minimal access to outside networks and the Internet. Internally we use highly segmented networks so that only specific servers can communicate with each other; traffic between segments is restricted by firewall rules that permit only connections with a documented business need. All inbound and outbound traffic to and from our platforms also passes through an active Intrusion Prevention System (IPS) that blocks common exploits and attempted zero-day attacks.
All internet-facing and internal infrastructure is patched promptly after vendors release fixes for security vulnerabilities.
Distributed Denial of Service (DDoS) mitigation
We use a third-party DDoS mitigation provider that can scrub malicious Internet traffic when an attack is under way.
The European General Data Protection Regulation (GDPR) came into force in May 2018. Staqq’s existing controls for keeping cardholder data secure have been extended to maintaining the integrity and confidentiality of all personal data held by the organisation. In line with industry best practice, we regularly check that in-scope data is current and that the controls protecting it are working effectively.