Data Security
Front End
- Passwords must be 8+ characters long, alphanumeric with multiple cases and a symbol; these are encrypted in the database; MyRec.com staff and tools cannot decrypt them
- Page data in transit is encrypted using SSL certificates (signature algorithm: SHA-256 with RSA encryption)
- Where pages issue queries, the queries are protected against javascript injection using character checks, parameterization, and stored procedures
- Functions are applied to data from query strings, form fields, and cookies before it is used, to prevent unauthorized access and exploitation
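As an added illustration (not MyRec.com's own code) of the password rule above: a check for the stated policy, read here as at least one lower-case letter, one upper-case letter, one digit and one symbol, alongside a storage form that staff cannot reverse. Salted PBKDF2-SHA256 and the record layout are assumptions, since the page does not say how the stored values are produced.

```python
import hashlib
import hmac
import os
import re

# Policy as stated: 8+ characters, letters and digits, both cases, one symbol.
def meets_policy(password: str) -> bool:
    return (
        len(password) >= 8
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )

# Assumption: stored values are salted one-way hashes (PBKDF2-HMAC-SHA256),
# so nobody holding the database can recover the original password.
PBKDF2_ITERATIONS = 600_000

def store_password(password: str) -> str:
    """Return the record to keep in the database for a policy-compliant password."""
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)  # fresh per password, so equal passwords store differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```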
Back End
- Servers are not directly accessible from outside the network; IP addresses are shared only at the server level, and traffic is routed using host headers
- Servers are hosted by Dimension Data, which has its own security policies available here; data center audits include SOC 1, ISO 27001, ISO 27018, and CSA STAR
- The database and server are isolated from the outside world, and access is limited to development and IT staff via a secure VPN; high-level access is limited to the lead IT and database administrator
- No credit card information is stored on MyRec.com servers; it is instead stored with the selected payment gateway, which has its own security and PCI compliance measures
- The portion of the MyRec.com system that passes credit card information to the gateway is isolated from other servers, has limited staff access, and has its own PCI compliance certification
- To date, we have not encountered a breach, but the protocol for one would be to identify the breach, check logs for the access point and affected data, lock down the avenue of access, and roll back affected pages and data
- The MyRec.com server system is contained within multiple SOC 1, PCI DSS, and ISO certified cloud data centers, using the latest security infrastructure
- Server maintenance is run daily, including backups, logs, data cleanup, etc.; server updates and patches are performed monthly as needed
- Full system backups are performed daily with additional backups performed every 15 minutes; the latest backup data is stored in a geographically separate location and system from the main server data center with a different vendor; all data is stored within the continental United States
- In the case of a system failure, backup data could be used to restore the system within hours at most