Trust & Security
Security at ePayments Network
How we protect merchant accounts, API integrations, and platform infrastructure, and why card data never touches our servers.
Last reviewed: May 2025
Gateway PCI Compliance
Card data handled only in certified gateway environments
AES-256 Encryption
Merchant account & platform data encrypted at rest
TLS 1.2+ in Transit
TLS on every connection to EPN endpoints
SOC 2 Type II Hosting
AWS U.S. regions, certified data centers
24 / 7 Monitoring
Continuous intrusion detection & alerting
MFA Enforced
Multi-factor auth on all internal systems
Table of Contents
- Our Security Commitment
- PCI DSS Compliance — Gateway Partner Model
- Encryption & Data Protection
- Infrastructure & Network Security
- Application Security
- Access & Identity Management
- Fraud Prevention & Detection
- Incident Response
- Vulnerability Disclosure Program
- Compliance Certifications & Standards
- Merchant Security Responsibilities
- Contact Our Security Team
1. Our Security Commitment
ePayments Network is a payment technology platform and ISO (Independent Sales Organization) that connects merchants to a network of certified payment gateway and processing partners. Our security model is built around one core principle: raw cardholder data (card numbers, CVV/CVC, track data) never transits or resides on EPN's servers. All payment card data is collected, processed, and tokenized exclusively within our gateway partners' PCI DSS certified environments.
EPN's own security program covers what EPN does handle directly:
- Merchant account credentials and business identity documents
- API keys, webhook secrets, and integration credentials
- Transaction metadata — approval codes, masked card references (last 4 digits), amounts, timestamps
- Payout and settlement data
- The EPN Merchant Dashboard and platform infrastructure
EPN's platform security program is maintained to satisfy:
- FTC Safeguards Rule (16 C.F.R. Part 314) — Written information security program as a financial institution under the GLBA
- NIST Cybersecurity Framework (CSF) — Controls mapped to Identify, Protect, Detect, Respond, and Recover
- SOC 2 Type II (Infrastructure) — EPN's infrastructure runs on AWS SOC 2 Type II certified U.S. data centers
- NACHA Security Framework — For ACH and bank transfer orchestration
- OWASP Top 10 — Application security controls across EPN's platform and APIs
For gateway partner compliance documentation, contact security@epayments.network.
2. PCI DSS Compliance — Gateway Partner Model
ePayments Network does not collect, store, process, or transmit raw cardholder data on its own servers. All payment card data handling is performed exclusively within the PCI DSS certified environments of EPN's gateway and processing partners.
How the Data Flow Works — The card data path through EPN is deliberately designed so card data stays off EPN's infrastructure:
1. Your customer enters card details into a payment form hosted or secured by EPN's gateway partner
2. Card data is encrypted by the gateway and transmitted directly to their PCI DSS compliant servers — EPN's systems are not in this path
3. The gateway returns a transaction result, payment token, and masked card reference (e.g., last 4 digits) to EPN
4. EPN stores only the token, masked reference, approval code, and transaction metadata — never the raw PAN, full expiry, or CVV
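The four steps above describe what may and may not be persisted after a gateway response. The following is an added illustration, not EPN's code: it allowlists the fields the page says EPN keeps (token, masked reference, approval code, transaction metadata) and, going one step beyond the text, refuses to persist any record that contains a PAN-shaped value, so a misconfigured gateway response or a logging mistake cannot silently pull card numbers into EPN-side storage. Field names, the sample gateway response, and the allowlist are constructed assumptions.

```python
"""Allowlist what is persisted from a gateway response; refuse anything PAN-shaped.

Added example, not EPN's code. Field names and sample responses are constructed.
"""
import json
import re
from typing import Any, Dict

# Assumed field names for what the page says EPN keeps: token, masked
# reference (last 4), approval code, and transaction metadata. Everything
# else (expiry, CVV result, anything card-shaped) is dropped.
ALLOWED_FIELDS = {"token", "last4", "approval_code", "amount",
                  "currency", "status", "timestamp"}

_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")  # digits, optionally space/dash separated


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if any 13-19 digit Luhn-valid sequence appears in the text.

    Deliberately fails closed: every window of a long digit run is tested,
    so a PAN embedded in a longer digit string is still caught.
    """
    for run in _DIGIT_RUN.findall(text):
        digits = re.sub(r"[ -]", "", run)
        for n in range(13, 20):
            for start in range(0, len(digits) - n + 1):
                if luhn_valid(digits[start:start + n]):
                    return True
    return False


def sanitize_for_storage(gateway_response: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the allowlisted fields, or raise if the result looks like it
    carries a card number. Raising (rather than stripping) keeps the failure
    visible so the integration gets fixed instead of quietly leaking."""
    kept = {k: v for k, v in gateway_response.items() if k in ALLOWED_FIELDS}
    if "last4" in kept and not re.fullmatch(r"\d{4}", str(kept["last4"])):
        raise ValueError("last4 must be exactly four digits")
    if contains_pan(json.dumps(kept)):
        raise ValueError("refusing to persist: PAN-shaped value in metadata")
    return kept


# Constructed sample gateway responses (not real EPN or gateway output).
SAMPLE_OK = {
    "token": "tok_9f8e7d6c", "last4": "4242", "approval_code": "A1B2C3",
    "amount": 1999, "currency": "USD", "status": "approved",
    "timestamp": "2025-05-01T12:00:00Z",
    "cvv_result": "M", "card_expiry": "12/27",   # dropped by the allowlist
}
# A broken integration that echoed the full test PAN into the approval field.
SAMPLE_LEAK = dict(SAMPLE_OK, approval_code="4242 4242 4242 4242")


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_OK))
    try:
        sanitize_for_storage(SAMPLE_LEAK)
    except ValueError as exc:
        print("blocked:", exc)
```

The guard runs on the serialized record rather than on individual fields so that nested metadata and free-text fields are covered as well.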
Gateway Partner PCI Compliance — Each of EPN's gateway and processing partners maintains its own PCI DSS service provider certification, independently assessed by Qualified Security Assessors (QSAs). These partners are responsible for encrypting card data at point of entry, tokenizing PANs, and storing card credentials in their own PCI-compliant vaults.
What This Means for Your PCI Scope — Because card data flows directly to gateway-hosted environments without touching EPN's servers, merchants using EPN's recommended hosted checkout integration (gateway-hosted page or iFrame) typically qualify for SAQ A, the shortest PCI self-assessment questionnaire, which requires no on-site audit. This significantly reduces your compliance overhead.
Gateway Compliance Documentation — For a PCI Attestation of Compliance (AoC) from an EPN gateway partner, contact security@epayments.network and we will facilitate the request.
3. Encryption & Data Protection
What EPN Encrypts — EPN encrypts all data it owns and handles directly: merchant account information, business identity documents, payout banking details, API key hashes, and the transaction metadata returned by gateway partners.
Data in Transit — All connections to EPN's platform, Merchant Dashboard, and APIs use TLS 1.2+. TLS 1.0 and 1.1 are disabled across all EPN endpoints. EPN enforces HSTS (HTTP Strict Transport Security) on all web properties.
Data at Rest — Merchant account data and transaction metadata in EPN's databases are encrypted using AES-256. Sensitive fields such as payout bank account numbers receive an additional layer of application-level encryption.
What Gateway Partners Handle — Raw cardholder data encryption, PAN tokenization, HSM key management, and point-to-point encryption (P2PE) operations are performed entirely within EPN's gateway partners' PCI DSS certified environments. EPN never receives, stores, or processes raw card numbers, CVV/CVC codes, or full magnetic stripe track data.
Payment Tokens — When a card is used through EPN, the gateway returns a non-sensitive payment token representing that card. EPN stores this token to enable future charges, recurring billing, and refunds on your behalf. The token cannot be reversed to recover the card number and is only usable within the issuing gateway's environment, so it is safe to store and of no value to anyone who obtains it without that gateway access.
Certificate Management — TLS certificates for all EPN web properties and APIs are issued by trusted Certificate Authorities, monitored for expiration, and rotated before expiry. EPN participates in Certificate Transparency (CT) logging.
4. Infrastructure & Network Security
Cloud Infrastructure — EPN's production environment runs on Amazon Web Services (AWS) in U.S.-based regions. AWS holds SOC 1 Type II, SOC 2 Type II, SOC 3, PCI DSS Level 1, and FedRAMP certifications for the data center facilities EPN uses.
Network Segmentation — EPN's production systems are isolated from non-production and administrative networks using firewalls, VPC segmentation, and network access control lists (NACLs). No direct connectivity exists between internet-facing systems and internal data stores without traversing EPN's security controls.
Web Application Firewall (WAF) — All public-facing EPN web properties and APIs are protected by Cloudflare's enterprise WAF, which filters malicious traffic, SQL injection attempts, XSS attacks, and DDoS traffic before it reaches EPN's application layer.
DDoS Mitigation — EPN uses Cloudflare's DDoS protection (layers 3, 4, and 7) with automatic traffic scrubbing. EPN has maintained 99.99%+ uptime for payment processing APIs.
Intrusion Detection & Prevention — EPN deploys host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS) across all production systems. Alerts are monitored 24/7 by EPN's security operations function.
Log Management & SIEM — Security-relevant events from all production systems are aggregated into a Security Information and Event Management (SIEM) system and retained for a minimum of twelve (12) months, with the most recent ninety (90) days immediately available for analysis, to support security monitoring and incident investigation.
5. Application Security
Secure Development Lifecycle (SDLC) — EPN follows a security-first software development lifecycle. All code changes undergo peer review, automated static analysis (SAST), and dependency vulnerability scanning before deployment. Security requirements are incorporated at the design phase for all new features.
OWASP Top 10 — EPN's application security program is aligned with the OWASP Top 10. The categories addressed (listed here by their 2017 edition names) are injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.
API Security — EPN's APIs require TLS, use token-based authentication (OAuth 2.0 / API keys with HMAC-SHA256 signatures), enforce rate limiting to prevent abuse, and validate all input against strict schemas. API keys can be scoped to specific permissions and revoked at any time from the Merchant Dashboard.
Dependency Management — EPN uses automated tooling (Dependabot, Snyk) to scan all software dependencies for known Common Vulnerabilities and Exposures (CVEs) and patches critical vulnerabilities within 24 hours of identification.
Penetration Testing — EPN engages an independent third-party security firm to conduct application and network penetration tests annually. Critical and high findings are remediated within 30 days. Summary results are available to Merchants upon request under NDA.
6. Access & Identity Management
Principle of Least Privilege — All EPN employees and systems are granted the minimum level of access necessary to perform their role. Access rights are reviewed quarterly and revoked immediately upon role change or termination.
Multi-Factor Authentication (MFA) — MFA is enforced for all EPN employee access to production systems, cloud consoles, source code repositories, and business applications. MFA is also enforced for all merchant dashboard logins and is required for high-risk operations (e.g., payout account changes, API key generation).
Role-Based Access Control (RBAC) — Merchant dashboard users can be granted granular permissions (view-only, refund authority, full admin) to limit access to the minimum required for each team member's role.
Privileged Access Management (PAM) — All privileged access to EPN's production infrastructure is routed through a centralized PAM solution with session recording, just-in-time access provisioning, and full audit logging.
Background Checks — All EPN employees and contractors with access to sensitive systems and merchant data undergo background screening prior to employment.
Third-Party Access — Vendor and partner access to EPN systems is granted on a need-to-know basis, time-limited, and subject to the same MFA and RBAC controls as EPN employees.
7. Fraud Prevention & Detection
Real-Time Risk Scoring — Every transaction processed through EPN is evaluated in real time by EPN's fraud engine using hundreds of signals including device fingerprint, IP geolocation, velocity checks, card BIN data, behavioral patterns, and machine learning models trained on historical fraud data.
3D Secure (3DS2) — EPN supports 3D Secure 2.x authentication. For successfully authenticated transactions, liability for fraud-related chargebacks shifts to the card issuer, reducing fraud exposure on card-not-present payments.
Card Verification — EPN performs AVS (Address Verification Service) and CVV/CVC verification on all card-not-present transactions. Transactions with a failed CVV match are declined by default.
Velocity Controls — Merchants can configure per-card, per-IP, and per-account velocity limits in the Merchant Dashboard to automatically block suspicious transaction patterns.
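To show what a per-card, per-IP and per-account velocity limit actually does to a stream of transactions, here is an added example in Python. It is not EPN's fraud engine and the limits, field names and sample transactions are constructed; it implements a sliding-window counter per dimension and, as a deliberate design choice, counts every attempt (not only approved ones), because card-testing attacks show up as bursts of declines.

```python
"""Sliding-window velocity checks per card token, IP address and account.

Added example, not EPN's fraud engine. Limits and sample transactions are
constructed; real limits are set per merchant in the dashboard.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Limit:
    max_events: int       # attempts allowed inside the window
    window_seconds: int   # sliding window length


# Assumed default limits (illustrative values only).
DEFAULT_LIMITS: Dict[str, Limit] = {
    "card": Limit(max_events=3, window_seconds=600),      # same card, 10 min
    "ip": Limit(max_events=10, window_seconds=3600),      # same source IP, 1 h
    "account": Limit(max_events=25, window_seconds=3600), # same merchant acct, 1 h
}

# dimension name -> field in the transaction dict that keys it
_KEY_FIELDS: Tuple[Tuple[str, str], ...] = (
    ("card", "card_token"), ("ip", "ip"), ("account", "account_id"),
)


class VelocityChecker:
    """Keeps a per-key deque of attempt timestamps and prunes it on each check.

    Assumes transactions are fed in non-decreasing timestamp order; the
    timestamp is seconds since the epoch (int).
    """

    def __init__(self, limits: Dict[str, Limit] = DEFAULT_LIMITS) -> None:
        self.limits = limits
        self._events: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def check(self, txn: Dict[str, object]) -> List[str]:
        """Record the attempt and return the dimensions whose limit it exceeds.

        An empty list means allow. Attempts are recorded even when blocked,
        so a burst of declined card tests keeps the source IP blocked.
        """
        ts = int(txn["ts"])
        violations: List[str] = []
        for dimension, field in _KEY_FIELDS:
            limit = self.limits[dimension]
            window: Deque[int] = self._events[(dimension, str(txn[field]))]
            while window and ts - window[0] >= limit.window_seconds:
                window.popleft()            # drop events outside the window
            window.append(ts)
            if len(window) > limit.max_events:
                violations.append(dimension)
        return violations


def run_sample() -> Dict[str, List[List[str]]]:
    """Two constructed scenarios: a shopper retrying one card, and a
    card-testing burst of many different cards from a single IP."""
    checker = VelocityChecker()
    base = 1_700_000_000
    same_card = [
        {"ts": base + 30 * i, "card_token": "tok_A",
         "ip": "203.0.113.5", "account_id": "acct_1"}
        for i in range(4)
    ]
    burst = [
        {"ts": base + 1000 + 20 * i, "card_token": f"tok_B{i}",
         "ip": "198.51.100.9", "account_id": "acct_1"}
        for i in range(12)
    ]
    return {
        "same_card": [checker.check(t) for t in same_card],
        "burst": [checker.check(t) for t in burst],
    }


if __name__ == "__main__":
    for name, decisions in run_sample().items():
        print(name, decisions)
```

In the sample, the fourth retry of the same card trips the card limit while the IP and account stay under theirs; in the burst, every card is new, so only the IP dimension fires, from the eleventh attempt onward.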
Chargeback Monitoring — EPN monitors merchant chargeback ratios against Visa and Mastercard program thresholds and alerts merchants approaching elevated risk levels. Early intervention reduces the risk of card network fines and account termination.
FinCEN SAR Filing — As a financial institution under the BSA, EPN is required to file Suspicious Activity Reports (SARs) with FinCEN for transactions that exhibit indicators of money laundering, fraud, or other illicit financial activity.
8. Incident Response
EPN maintains a formal, documented Incident Response Plan (IRP) aligned with NIST SP 800-61 (Computer Security Incident Handling Guide).
Response Phases
- Preparation — Incident response team staffed 24/7, runbooks maintained for all critical incident types, quarterly tabletop exercises.
- Detection & Analysis — Automated alerting via SIEM, with triage by EPN's security team within one (1) hour of alert generation during business hours and four (4) hours outside business hours.
- Containment — Affected systems are isolated immediately upon confirmed incident to prevent lateral movement. Payment processing continuity is maintained through redundant infrastructure.
- Eradication & Recovery — Root cause is identified, malicious artifacts removed, and affected systems rebuilt from clean images before returning to production.
- Post-Incident Review — A written post-incident report (PIR) is completed within ten (10) business days of resolution, including root cause analysis and prevention measures.
Merchant Notification — In the event of a security incident affecting Merchant data within EPN's systems, EPN will notify affected Merchants within seventy-two (72) hours of confirmation, consistent with EPN's DPA and applicable U.S. state breach notification laws.
9. Vulnerability Disclosure Program
EPN operates a responsible disclosure program for security researchers who identify potential vulnerabilities in EPN's systems.
Scope — In-scope targets include EPN's public-facing web properties (epayments.network, dashboard.epayments.network), public APIs, and payment iFrame integrations.
Out of Scope — Social engineering attacks, physical attacks on EPN facilities, denial-of-service testing, and automated scanning without prior authorization are out of scope and may result in legal action.
Reporting — Submit vulnerability reports to security@epayments.network with subject "Vulnerability Report". Include a detailed description, steps to reproduce, potential impact, and any proof-of-concept (non-destructive only).
Our Commitments — EPN will: acknowledge receipt within two (2) business days; provide an initial assessment within ten (10) business days; work with you to understand and validate the issue; remediate confirmed vulnerabilities in a timeframe proportional to severity; and not pursue legal action against researchers acting in good faith under this policy.
Rewards — EPN does not currently operate a paid bug bounty program, but recognizes security researchers who identify and responsibly disclose valid, high-severity vulnerabilities.
10. Compliance Certifications & Standards
EPN Platform Compliance — EPN's own platform security program meets the requirements of:
- FTC Safeguards Rule (16 C.F.R. Part 314) — Written information security program under GLBA
- NIST Cybersecurity Framework (CSF) — Controls mapped to Identify, Protect, Detect, Respond, Recover
- NIST SP 800-53 — Security and privacy control reference for system hardening
- NIST SP 800-88 — Media sanitization for secure data destruction
- NIST SP 800-61 — Computer security incident handling procedures
- NACHA Operating Rules & Security Framework — For ACH origination and bank transfer orchestration
- FinCEN AML Program Requirements (31 C.F.R. § 1010.210) — Anti-money laundering compliance
- SOC 2 Type II (Infrastructure) — AWS SOC 2 Type II certified U.S. data center facilities
- CIS Controls v8 — Center for Internet Security configuration benchmarks
- OWASP Top 10 — Application security controls and developer security training
Gateway Partner Certifications — EPN's payment gateway and processing partners each maintain their own PCI DSS Level 1 service provider certifications, independently assessed by QSAs. These certifications cover all cardholder data handling within those environments. To request a gateway partner's PCI AoC or compliance documentation, contact security@epayments.network with subject "Gateway Compliance Docs."
11. Merchant Security Responsibilities
While EPN secures the payment processing environment, merchants using EPN's Services share responsibility for the overall security posture of their payment integration:
Integration Type & PCI Scope — EPN connects your checkout to PCI DSS certified gateway partners. Cardholder data entered by your customers is captured directly within the gateway partner's hosted form or secure fields and never transits EPN's servers. With a gateway-hosted page or iFrame, your own PCI DSS scope is typically reduced to SAQ A (no on-site audit required), because the gateway partner's certification covers card data handling. If your own page renders the card form and posts it to the gateway (direct-post or JavaScript-based integrations), expect SAQ A-EP instead, which adds requirements for the web server delivering that page. Confirm your specific scope with your acquiring bank or a Qualified Security Assessor (QSA).
API Key Security — Treat your EPN API keys as passwords. Store them in environment variables or a secrets manager — never in source code, client-side JavaScript, or version control. Rotate keys immediately if you suspect compromise.
Webhook Verification — Verify every incoming EPN webhook using the HMAC-SHA256 signature in the "X-EPN-Signature" header before acting on it. Compute the HMAC over the raw request body exactly as received (before JSON parsing), compare it using a constant-time comparison, and reject requests whose signature is missing or does not match. Do not process webhooks without signature validation.
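The webhook check above, and the HMAC-SHA256 request signing mentioned under API Security, both come down to the same primitive. The block below is an added example written for this page, not EPN's SDK, and it serves both passages. The page names only the X-EPN-Signature header and HMAC-SHA256; the header value format ("t=<unix timestamp>,v1=<hex MAC>"), the string the MAC covers ("<timestamp>.<raw body>"), the five-minute freshness window, and the request-signing header names and canonical string are all assumptions chosen to show the parts a verifier must get right: raw-body verification, constant-time comparison, and replay rejection.

```python
"""HMAC-SHA256 webhook verification and outbound request signing.

Added example, not EPN's SDK. The page gives the X-EPN-Signature header and
HMAC-SHA256; the header format, MAC input, replay window and request-signing
header names below are assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SIGNATURE_HEADER = "X-EPN-Signature"  # header name from the page
TOLERANCE_SECONDS = 300               # assumption: replay window


def _hmac_hex(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, raw_body: bytes, timestamp: int) -> str:
    """Header value the sender attaches; used here to simulate the EPN side."""
    mac = _hmac_hex(secret, f"{timestamp}.".encode() + raw_body)
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, raw_body: bytes, header: Optional[str],
                   now: Optional[int] = None) -> bool:
    """True only if the MAC matches the raw body and the timestamp is fresh.

    Verify the exact bytes received, before JSON parsing: re-serialising the
    body can change whitespace or key order and invalidate the MAC.
    """
    if not header:
        return False  # missing header: never fall through to processing
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed delivery
    expected = _hmac_hex(secret, f"{timestamp}.".encode() + raw_body)
    return hmac.compare_digest(expected, provided)  # constant-time compare


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, timestamp: int) -> Dict[str, str]:
    """Headers for an outbound API call (header names are assumptions).

    Binding method, path and timestamp into the MAC stops a captured
    signature from being replayed against another endpoint or later on.
    """
    canonical = b"\n".join([method.upper().encode(), path.encode(),
                            str(timestamp).encode(), body])
    return {
        "X-EPN-Key-Id": key_id,
        "X-EPN-Timestamp": str(timestamp),
        SIGNATURE_HEADER: _hmac_hex(secret, canonical),
    }


# Constructed sample webhook delivery (not a real EPN event or secret).
SECRET = b"whsec_example_only"
SAMPLE_BODY = json.dumps({"event": "payment.succeeded", "amount": 1999,
                          "last4": "4242"}).encode()


def demo() -> Dict[str, bool]:
    """Exercise the verifier against a valid, tampered, mis-keyed, replayed
    and missing signature so each failure mode is visible."""
    now = 1_700_000_000
    header = sign_webhook(SECRET, SAMPLE_BODY, now)
    tampered_body = SAMPLE_BODY.replace(b"1999", b"1")
    return {
        "valid": verify_webhook(SECRET, SAMPLE_BODY, header, now=now),
        "tampered": verify_webhook(SECRET, tampered_body, header, now=now),
        "wrong_secret": verify_webhook(b"other", SAMPLE_BODY, header, now=now),
        "replayed": verify_webhook(SECRET, SAMPLE_BODY, header, now=now + 3600),
        "missing": verify_webhook(SECRET, SAMPLE_BODY, None, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

Keep the webhook secret and the API secret in a secrets manager, not in the handler's source, and treat a verification failure as a reason to log and drop the request, never as a reason to fall back to processing it unauthenticated.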
Account Access Controls — Assign Merchant Dashboard users the minimum permissions they need. Use strong, unique passwords and enable MFA for all dashboard users, especially administrators.
Dependency & Platform Security — Keep your website, e-commerce platform, and server-side software up to date. Unpatched software on your web server can expose payment flows even when EPN's systems are secure.
Incident Reporting — If you suspect your EPN account, API keys, or any connected systems have been compromised, contact security@epayments.network immediately. Do not attempt to investigate a breach alone — early notification enables faster containment.
12. Contact Our Security Team
Security Incidents & Emergencies: security@epayments.network
Vulnerability Disclosures: security@epayments.network (subject: "Vulnerability Report")
PCI AoC / Compliance Documentation Requests: security@epayments.network (subject: "Compliance Docs Request")
General Security Questions: security@epayments.network
For non-security matters, please contact support@epayments.network or use the Help Center in your Merchant Dashboard.
EPN's security team monitors security@epayments.network continuously. For urgent incidents involving suspected active data compromise, please mark your email subject "URGENT — Active Incident" and include your merchant account ID.