Keeping Payments Secure

posted by Farhan Mirajkar on October 20, 2014

With all the stories about payment processing breaches and stolen credit card data in the news lately, we wanted to take a moment to talk about how Fresh Roasted Hosting helps keep your payment information safe.

We start by keeping our billing & support system on its own secure server in a separate datacenter in upstate New York. This special datacenter features 24-hour security, biometric access control, and digital video surveillance. Because the billing server is separated from the rest of our hosting infrastructure, our billing data stays safe in the unlikely event of a successful attack against that infrastructure. It also means that in the unlikely event that some or all of our hosting infrastructure goes down, you’ll still be able to get in touch with us.

Next, we use a combination of threat mitigation systems including behavior analysis and a firewall to help stop most attacks. We constantly monitor the server for everything from brute force attacks to portscans to attempted exploits, and our firewall modifies itself to adapt to each threat. The number of attacks hitting any Internet-connected server on a daily basis is staggering, so it’s important to watch for suspicious behavior on all fronts.

Then there’s our software itself. Outdated software can cause major security nightmares, so we keep our entire server platform — from the OS to the billing system itself — up to date. Lots of web hosts use the same billing software, but more than a few hosts regularly run outdated versions. Not us.

Finally — and most importantly — there’s the payment data itself. When you make a payment to us, you may have noticed that the payment screen looks different than the rest of our website. That’s because our payment processor captures your payment information directly. Whether you’re using your PayPal account or paying by credit card, you’re actually securely connecting directly to PayPal’s (or our card processor’s) website. As a result, we never capture, see, store, or even transmit your payment information; your credit card data or PayPal password are never stored on our server.

When you make a credit card payment, our card processor gives us a secure token to represent you. This is a string of random letters, numbers, and symbols, like this:

WV+N{7k3_}GdR{!>p7"66nc/D</Nsbq}{"/rkr+n}k

When we want to charge your credit card, we open up a secure connection to our payment processor, send your token, provide some additional authentication information, and tell them how much we’d like to charge you. They then send back a coded response indicating whether or not the payment was successful. The beauty of this is that even if our conversation with them was somehow intercepted and decrypted, there would only be a useless jumble of characters — and no credit card number.
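
The token flow described above, as an added sketch in Python (not Fresh Roasted Hosting's or its processor's code). The `Processor` class, the HMAC request signature, the merchant-bound token and the response strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Processor:
    """Stand-in for the card processor: the only party that holds card numbers."""
    def __init__(self):
        self._vault = {}     # token -> (merchant_id, card number)
        self._api_keys = {}  # merchant_id -> shared secret

    def enroll_merchant(self, merchant_id):
        self._api_keys[merchant_id] = secrets.token_bytes(32)
        return self._api_keys[merchant_id]

    def tokenize(self, merchant_id, pan):
        # Random token, not derived from the card number, so it cannot be reversed.
        token = secrets.token_urlsafe(32)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, cents, mac):
        key = self._api_keys.get(merchant_id)
        if key is None or not hmac.compare_digest(mac, sign(key, merchant_id, token, cents)):
            return "AUTH_FAILED"
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return "UNKNOWN_TOKEN"  # token is only valid for the merchant it was issued to
        return "APPROVED"

def sign(key, merchant_id, token, cents):
    """The 'additional authentication information' sent with each charge (assumed HMAC)."""
    msg = f"{merchant_id}|{token}|{cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def demo():
    processor = Processor()
    key = processor.enroll_merchant("host-1")
    pan = "4111111111111111"                    # constructed test card number
    token = processor.tokenize("host-1", pan)   # card was typed on the processor's page
    merchant_db = {"customer-42": token}        # everything the merchant stores
    ok = processor.charge("host-1", token, 999, sign(key, "host-1", token, 999))
    # A party holding only the token cannot produce a valid signature.
    stolen = processor.charge("host-1", token, 999, sign(b"guess", "host-1", token, 999))
    # Another enrolled merchant cannot spend a token issued to host-1.
    key2 = processor.enroll_merchant("other")
    cross = processor.charge("other", token, 999, sign(key2, "other", token, 999))
    return merchant_db, pan, ok, stolen, cross

if __name__ == "__main__":
    print(demo()[2:])
```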

The end result? Every merchant — including us — must always assume the worst and prepare accordingly. We use multiple layers of protection, so that if one gets breached, there are many more behind it. And we’ve taken the added step of removing the final treasure, so that even if attackers do manage to penetrate our billing system, there are no credit card numbers or PayPal passwords to be had.

Most service providers don’t like to talk about their security or what countermeasures they have to ward off attacks. And to be fair, we’ve left a lot of details out of this post (no point giving attackers a detailed roadmap of our security systems). But at the end of the day, you have a right to expect every merchant to protect your financial details as they would their own, and that’s exactly what we do.
