PCI-DSS Compliant
- Ferve Tickets complies with PCI-DSS 3.2.1 as a Service Provider.
- We perform regular internal and external application and network penetration testing.
- Scanned quarterly by an Approved Scanning Vendor (ASV) (Qualys).
- Ferve Tickets has a security team responsible for PCI Compliance.
- All servers are protected with multi factor authentication (duo.com).
- Server environment is correctly segregated by business function and tightly configured for the minimum access required for business operations.
- All servers have a single/primary business function.
- High availability firewalls are configured for both N-S and E-W traffic restrictions.
- Intrusion detection (VMWare/Cloudflare) is used to block requests that are of suspicious nature or intent.
- SIEM (Event Sentry) is used to log all security events and alarms, monitor for intrusion and abnormalities.
- File Integrity Monitoring (Event Sentry) is used to watch for unauthorised changes on server applications.
- A Web Application Firewall (Cloudflare) is used in front of card processing applications to help prevent common attack vectors such as XSS and OWASP vulnerabilities.
- Card processing servers are not directly connected to from the internet.
- Sensitive parts of card data are transmitted through our network (with encryption) but not are stored within our network.
Privacy
- Ferve Tickets maintains a privacy program which complies with the Australian Privacy Principles and/or GDPR as appropriate.
- We do not transfer the personal information of customers to third parties, other than the organiser of your events and to payment processors, unless otherwise required to by law.
- See https://ferve.tickets/privacy for more information
Physical Server Environment
Equinix hosts Ferve Tickets’s development and production systems in Sydney, AU (Equinix SY 2/3/4)
- PCI-DSS Level 1 Service Provider
- ISO 27001 certified
- Independently verified and audited
- SAS-70 Type II and SSAE16
Web/Mobile Application Development
- We are committed to designing, building, and maintaining secure systems which includes websites and mobile applications.
- All applications are regularly scanned for common security vulnerabilities, including the OWASP Top Ten.
- Regular training on Secure Coding Practices is provided.
- No full credit card information is permitted to be stored on any mobile device, nor in any part of our network.
- Use of encryption for both storage and transmission of sensitive information is regularly audited.
- Web and mobile applications are developed and maintained by our experienced engineering team.
- We encourage clients to also follow high security practices in their own websites and in dealing with us.
Encryption
- Ferve Tickets uses strong encryption to protect all private information while in transit.
- All private information including credit cards is encrypted with minimum TLS1.2 with AES128 or AES256 ciphers while in transit through our production systems (depending on the standards supported by your browser).
- Low grade and weak ciphers are disabled.
- Our website and APIs are accessible via a 2048-bit SSL certificate issued by a number of different certification companies including Lets Encrypt, Digicert, and others.
- We regularly check and aim for A grade security or higher on SSL, verifiable with SSL labs.
About Us
- All employees are subject to reference, education, and other checks before employment.
- Some technical employees are also subject to additional background checks, including checks with Victoria Police.
- Ferve Tickets has an information security training program that meets PCI-DSS standards.
- Knowledgeable security personnel are on staff, and specialist outsourced security experts are consulted when required for independent verification (PCI Consulting Australia Pty Ltd).
- We require written acceptance by employees of their roles and responsibilities in maintaining PCI-DSS and privacy of data.
Incident Response
- No system is ever guaranteed perfectly secure 🙁
- We have a detailed Incident Response plan in place that we use to respond to incidents if they occur.
- Periodic testing of the response plan is done to ensure all staff are familiar with processes, and experienced at rapid response if needed.
- Business insurance is held which covers additional security consultants (if required) in an incident.
- Ferve Tickets has 24×7 monitoring of its systems.
Security Disclosures
- If you discover a vulnerability with Ferve Tickets’s applications or systems, we urge you to report it to us.
- We are likely to be able to resolve the issue quickly, usually within a few days.
- Please allow us that small amount of time to address your discovered issue before publishing your findings.
- Contact us on security(at)ferve.tickets