Sertifi-ed Security: An overview of Sertifi's security features

security icons

PCI-compliant system

Sertifi is compliant with the 12 PCI requirements. Some of the PCI benefits you get with Sertifi out-of-the-box include:

  • Not using vendor supplied defaults for system passwords.
  • Implementing password policies.
  • Blocking user accounts from accessing the system if they've failed log in three times in a row, and keeping them locked out for 30 minutes.
  • Protecting cardholder data by using a trusted PCI-compliant 3rd party service provider to tokenize payment information.
  • Restricting access to cardholder data to only authorized users via access control mechanisms like security groups.
  • Using payment gateways to process payments and authorizations without storing sensitive authentication data.
  • Maintaining detailed activity logs for all files and user/admin actions.
  • Masking payment card numbers so only the last 4 digits display unless users are authorized to see the full card number.
  • Using strong encryption and secure protocols to transmit data securely over the Internet, and store in encrypted databases such as TLS v1.2, AES-256, and 2048-bit RSA.
  • Using and creating well-defined user roles and privileges.
  • Automatically timing out sessions after a period of inactivity.
  • Requiring multi-factor authentication (password and one-time password) to view and unmask full card information.

Plus, Sertifi follows additional guidelines, like how we develop our products internally, and maintaining PCI compliant policies around our development.

 

Sertifi-secured platform

In addition to the PCI compliance you get with using Sertifi, you can also work with your Customer Success Manager to enable even more settings to enhance the security of your portal. Only your Customer Success Manager can enable these settings for you, and those settings get applied account-wide. These additional security settings include:

  • Automatically deactivating admin+ users. If an admin+ user doesn't log in to any portal within 90 days of receiving their invitation, the admin+ is automatically deactivated from any portal.
  • Controlling how many Super Admins can access a portal. You can choose how many Super Admins have access to an individual portal. By default, this setting is 3 Super Admins, but you can increase or decrease the amount based on your preferences.
  • Limiting the domains your admins can use to make an account. You can choose what email domains admin+ roles can use when creating their Sertifi account. For instance, if you didn't want admin+ roles to create their accounts with a GMail address, you can block this domain.
  • Implementing data retention limits. You can choose how long you want to retain data like signed forms and other contracts. These records are then automatically deleted once they're no longer needed for legal, regulatory, or business needs.

 

Flexible user security

The Super Admins for your portal can create user-specific security settings to ensure the most sensitive information is viewed by the right people. The enhanced user security features include the following:

  • No one can view payment information by default. Even if you're a Sertifi Super Admin, you can't automatically view any payment information. You must add yourself to the appropriate security group.
  • Only Super Admins can create security groups, and assign other roles to those groups. Super Admins can adjust these settings, add the appropriate roles, and then adjust the settings for those groups. Security groups override the default security settings in the portal.
  • You can't add admin+ users to multiple security groups. For instance, if you have Sertifi eAuthorizations and payments enabled, you might need three security groups to add different admins to. One for viewing card information, one for cloning payments, and one for refunding payments.
  • You can set limits on how much you can charge your clients, and how much your Power Admin+ roles can refund your clients.