Under the Payment Card Industry Data Security Standard (PCI-DSS), v3.2.1, NitroSell is required to provide a statement to its customers regarding its compliance, and its adherence to the principles and rules of the standard regarding customer data.
- NitroSell is a PCI-DSS Level 1 Service Provider under PCI-DSS v3.2.1, and is listed in the Visa Global Registry of Service Providers [1]
- We will, to the best of our ability, maintain that level of compliance and comply with any future updates to the standard within the timeframe mandated by the PCI Security Standards Council
- Portal users are required to change their passwords every 90 days; if you have not logged in for more than 90 days, you will be prompted and required to change your password on your next login attempt; in the event that you believe your Portal password has been compromised, you should immediately request a password reset using the ‘Forgot Password’ link at https://portal.nitrosell.com/
- Trustwave is contracted as the company’s Qualified Security Assessor (QSA) and conducts an annual on-site audit to verify compliance with the latest version of the standard
- Weekly external and internal vulnerability scans are conducted by Trustwave and AlertLogic, both of which are Approved Scanning Vendors (ASVs); the results of these scans are available on request
- Should any new vulnerabilities arise as a result of these scans, NitroSell will, to the best of its ability, attempt to address and resolve them within 1 week of them being reported
- To meet PCI-DSS requirements, annual internal and external penetration tests are performed by NitroSell’s cybersecurity team, the results of which are available on request
- NitroSell’s server/hosting environment is fully set up to correctly meet all technical requirements of PCI-DSS, including hardware firewalls, web application software firewalls, intrusion detection systems, network segmentation, one-hosting-function-per-server, comprehensive logging and access controls, etc.
- Our servers, firewalls, intrusion detection systems, etc., constitute our Cardholder Data Environment (CDE)
- Access to the NitroSell CDE is strictly controlled, based on the “principle of least privilege”, wherein users have access only to the information and resources that are necessary for their jobs
- Our software is written to the highest standard of secure coding guidelines, with a particular focus on mitigating the OWASP top 10 vulnerabilities
- NitroSell commits to keeping all customer data safe and private, and to never storing sensitive cardholder data on any permanent storage medium
- Cardholder data is handled by NitroSell’s servers only to process payments on your webstore, or to bill you for our services (via tokenised payments), and this data is immediately discarded as soon as each transaction has been processed
- In general, NitroSell commits to meeting all PCI-DSS requirements on your behalf when it comes to your eCommerce channel – our PCI-DSS coverage starts and ends with your webstore; you still have overall responsibility for your business’s compliance and for the compliance of your in-store activities, network, transactions, etc.
- NitroSell’s QSA-signed Attestation of Compliance (AoC) is available on request
Should you have any questions, please contact NitroSell support.