Payveris places the highest importance on safeguarding and protecting the privacy of clients and their account holders. We fully understand the need to safeguard sensitive information and we maintain the highest standards and procedures designed to prevent misuse of information and ensure personal privacy.
The Payveris business model only collects the most minimal private data possible to provide high quality and highly secure services. We DO NOT collect any extraneous personal information from clients. We only collect the information essential to provide a highly secure and outstanding experience. We DO NOT provide non-public or personal information to any other company or entity for any purpose, other than those required for the processing of the payment or providing other services agreed to, and we send only the minimal information needed to perform the necessary task at hand. Furthermore, Payveris ensures that all information is transmitted using the highest levels of security.
The personal information that is maintained allows us to properly validate identity, ensure all legal compliance, and provide secure high quality financial services.
To ensure that personal information remains confidential, Payveris utilizes advanced and proven security technology combined with extremely comprehensive procedural safeguards. We have an ongoing commitment to clients to constantly invest in future security advances as they become available and to incorporate these new capabilities into our products and services.
Users must have no expectations of personal privacy when using information systems at Payveris. To manage systems and enforce security, Payveris may log, review, and otherwise utilize any information stored on or passing through its systems by users.
Payveris does not collect information that is unnecessary for business purposes. For example, passwords for consumers of our bill pay service are not collected or known to Payveris as a result of our SAML-based Single Sign-On capability with the financial institution customer. Payveris does not collect information from third parties such as financial institutions unless these parties are notified about the collection activities before they occur.
A wide variety of third parties have entrusted their information to Payveris for business purposes, and all workers at Payveris must do their best to safeguard the privacy and security of this information. Customer and consumer data is classified as Restricted Confidential and access must be strictly limited based on business need for such access. Customer and consumer information must not be distributed to third parties without advance authorization by the customer and the consumer where law dictates.
Application Security Administration
The application owner establishes and assigns the security administration role and duties for all systems, applications, and information that are targeted for deployment in the production environment.
Confidentiality and Integrity
Applications must store passwords in a protected and encrypted state (not in clear text). Application data must be protected in accordance with the Standard and Guidelines for Access Control. The application owner, in conjunction with the application developer, must determine the specific database privileges needed for the application's users and process users.
Disaster Recovery requirements, as defined in the Payveris Disaster Recovery Plan, must be maintained for all production applications. Section XIII of this document
IT resources or services.
Application activities must be logged in accordance with the IT Security Logging Standards and Guidelines. Records (or logs) provide a way to identify IT security breaches or abuse, to determine where security weaknesses exist, and to facilitate investigation if abuse is suspected.
The Data Retention period for Payveris is currently defined as 7 years for all data, including cardholder data. Since the company has been in existence less than 7 years, all data has been retained so far. No purging of data is required at this time.
Once the retention period is met, Payveris will perform a quarterly review and follow a process to securely purge data from the system when no longer needed and store the data eternally in a secure manner.
Data is retained in the database and monthly backups are retained permanently.
Files transmitted out of Payveris and into Payveris are kept on an encrypted file system locally and then backed up to S3 and AWS Glacier for archiving.
Logs from servers in AWS CloudWatch are retained indefinitely. OSSEC-generated emails are retained indefinitely.