High security standards

We take security extremely seriously. Through rigorous security checks, safe data storage, employee screening and compliance with every applicable regulation, we ensure the safety, stability and reliability of our payment platform. We continually adopt new technology, processes, risk assessments and independent testing to keep improving.

  • Data encryption

    We adhere to the PCI Data Security Standard for Service Providers.

  • Web application security

    We follow the industry-standard secure coding guidelines.

  • Physical & network security

    Data is hosted in dedicated facilities with 24x7 security.

Certifications & Compliance

We have a dedicated compliance team to review procedures and policies and to align them with standards, and to determine what controls, processes, and systems are needed for compliance.

We also do periodic internal audits and facilitate independent audits and assessments by third parties.

PCI DSS Level 1 compliance

  • Level 1 PCI compliant

    Corefy meets the strictest requirements of the highest PCI DSS level, which ensures that your payments are highly secure. An intensive on-site audit takes place annually to ensure that the highest compliance levels are maintained and adhered to.

  • Industry recognition

    We are on Visa’s Global Registry of Service Providers and Mastercard’s Compliant Service Providers List.

  • No need for you to be PCI compliant

    Eliminate the hassle of PCI DSS compliance and let us deal with the banks on your behalf. We take care of the sensitive data, and both you and your customers can enjoy fully protected and encrypted transactions.

  • No prohibited data storage

    To comply with the strictest security standards, we do not store raw magnetic-stripe data, card validation codes or PIN block data. Storage of this data is strictly prohibited by PCI DSS.

Other certifications and programmes:

  • VISA Third Party Agent (TPA) and Mastercard Registration Program (MRP)
  • Google Pay
  • Apple Pay
  • PSD2 compliant software

Secure infrastructure

Corefy meets the highest standards of security, integrity and stability. We understand that you entrust your data to us, and we do everything possible to keep it secure and continuously look for opportunities to improve.

  • Our payment platform runs entirely on Amazon Web Services (AWS), a secure cloud services platform that offers computing power, database storage, and other functionality helping us scale and grow.
  • Cloudflare helps us mitigate DDoS attacks of all forms and sizes and enhances the security of our platform.
  • Our website is secured by a Comodo SSL certificate.
  • Our users are prompted to authenticate with their password and a verification code. This additional layer of security ensures that only authorised Corefy users can access their account.

Infrastructure reliability

Corefy's PCI-compliant payment platform runs entirely on AWS, relying on security best practices and auditability.

  • Hosting facilities

    Corefy currently hosts its main systems in separate data centres in Europe and in the United States provided by Amazon Web Services. We administer and manage all our servers and do not outsource any administration to third parties for payment processing.

  • 99.95% uptime

    Corefy’s systems have been designed for maximum uptime through a redundant and stateless service-oriented architecture that simultaneously accepts payments in multiple physical hosting locations.

  • Monitoring

    Our Internet-facing systems are probed from points all over the world at least every five minutes to assess availability. Corefy’s entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, to predictive failures, warnings and hard errors. Our overall aim is to detect and resolve issues before they can impact our transaction processing ability.

  • DDoS protection

    We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic while allowing good traffic through. This keeps our websites, applications and APIs highly available and performing.

  • Latency

    Our data centres are strategically located to serve our core geographic regions and to minimise the latency experienced by our customers and their merchants. Wherever we can, we peer as close as possible to strategic Internet Exchanges to further reduce latency and the number of hops to our processing network.

  • Processing speed

    Corefy’s standard real-time reporting dashboard contains SLA reports. Processing speed is typically under one second, including risk checks, depending on the speed of the underlying acquirer and/or issuer involved. The platform has been designed to handle large volumes, including comprehensive fraud screening.

  • Scalability

    Scalability is the ability of the white-label payment processing solution to increase throughput. Corefy supports 200 transactions per second, or 535,680,000 transactions per month. We plan to increase the flow to 1,000 transactions per second, or 2,678,400,000 transactions per month.

Security management

We review and observe employee, customer, and vendor activity to guard against suspicious or unauthorised activities.

  • Firewall

    We filter all incoming and outgoing traffic through hardware firewalls.

  • Monitoring

    We utilise both internal and external monitoring services for Corefy. The services alert both operational and security team members if there are any errors or abnormalities in the application state.

  • Penetration testing

    We perform rigorous automated vulnerability scans several times a week on both our Internet-facing and internal infrastructure to assess our attack surface. A team of on-staff experts and independent third parties perform intensive manual and automated penetration testing every six months.

  • Scanning

    We perform ASV-certified security scans/audits, internal and external network scans, and other PCI compliance checks weekly. We also regularly run penetration-testing exercises and vulnerability checks against our network.

  • Vulnerability management

    All Internet-facing and internal infrastructure is patched within a tight time frame after patches for security vulnerabilities are made available by vendors.

  • Intrusion prevention system

    All inbound and outbound traffic on our platform is monitored by an active intrusion prevention system (IPS), which blocks common exploits and zero-day attacks.

Ultimate data protection

Data protection and security are major concerns when considering information management solutions, especially when it comes to your company’s sensitive payment data. With us, you can enjoy peace of mind knowing that industry best practices are followed.

  • TLS 1.2 (SSL)

    Using Transport Layer Security (TLS) version 1.2, Corefy ensures the safety of payment data in transit, guaranteeing a secure connection between the server and the client’s browser. TLS ensures that information is transmitted in encrypted form over HTTPS, which protects against data interception and against redirection to fraudulent resources.

  • Data encryption

    Cardholder data is secured using a combination of symmetric and asymmetric cryptographic algorithms. All data is managed using multiple encryption keys with split knowledge and dual control. Data thieves would not be able to make use of information stolen from a database without also having the key.

  • Card tokenisation

    We process credit card payments online without touching card data. Instead, we use tokens to process transactions, so a breach of your server will not expose cards.

  • No prohibited data storage

    We don't store raw magnetic-stripe data, card validation codes, or PIN block data.

Security is in our DNA

In an industry where trust is paramount, using sophisticated security practices gives businesses confidence that Corefy is keeping their data secure. Our team works with each of our clients to protect them, offering best practices to ensure private information stays private.

  • Ongoing education

    Our Development and Engineering teams regularly train in several different areas, including cryptography, the OWASP Top 10 and others relevant to our platform.

  • Community consciousness

    We share information security approaches locally and nationally to help shape the security community.

  • Strategic approach

    Constant internal and external testing helps us identify and understand the tactics used by adversaries, and how to proactively stop them to keep data safe.

  • Third-party testing

    Solutions that are only secure in theory are not acceptable. We partner with third-party providers to test, attack and evaluate our security controls to confirm they work.

  • Development

    Our developers work closely together with different departments. Crucially, we publish new releases of our core system every week, without any downtime or active involvement of our customers.

  • Software and hardware

    Corefy is fully built on open-source software. This gives us maximum control over our software components while remaining independent of any third party. All development, system administration, networking, database administration and security activities are performed in-house by our experts.

  • Proven practices

    Corefy maintains a SOC 2 report, which is provided by an independent third-party attestation and proves that we are taking the appropriate steps to protect our systems and your data.

  • Strong access controls

    With data as precious as financial information, we make sure only the right people have the proper access. Utilising OAuth authentication and scoping, we transform sensitive information into a temporary and constantly changing key (or token) for robust protection.

Securing access

Corefy provides capabilities to help protect your organisation, but they are effective only if you use them. If you do not use them, you may be vulnerable.

  • Two-factor authentication. Minimise security risks and ensure peace of mind with enhanced security and protection through Corefy's PCI-compliant two-factor authentication.

    Users are prompted to authenticate by providing two pieces of information: their password and a verification code. This additional layer of security ensures that only authorised Corefy users can access their account.

  • Activity log. Protecting data, preserving privacy, and complying with regulations such as the GDPR should be the highest priorities for any business.

    It is critical that you audit all data processing actions taking place, so that they can be analysed further for possible security breaches.

  • Role access management. Providing only the necessary level of access for a user to perform their role mitigates security risks and supports compliance with company policies.

    We understand that not every user in your organisation needs full access to the Corefy app, so we support multiple distinct user permission groups with varying levels of access.

  • Session management. We store unique identifiers of user sessions as entries in the database.

    During the authentication process, we check the user's login and password and identify the user by IP address, the device's operating system and browser.


Example permission groups:

  • Customers
    Allow access: Accounts, Subscriptions, Invoices, Transactions, Plans
    Permissions: Can edit or Read-only
  • Reports
    Allow access and editing: Dashboard, Accounts and Subscribers, Plans, Recurring revenue, Subscriber retention, Transactions, Exports
  • Configuration & Integrations
    Allow access and editing: Site settings, Plans, Invoice settings, Coupons, Currencies, Taxes, Email templates, Payment gateways, Checkout settings, Dunning management, MailChimp, Salesforce

Powerful toolkit for fraud prevention


Our ready-made anti-fraud solutions provide you with an additional security layer and help you target specific fraud issues and risks more effectively.

  • Blocking rule engine

    Automatically cut off suspicious or undesirable traffic using blocking schemes with configurable dynamic rules.

  • Smart blacklisting

    After several failed attempts to complete a transaction, a payer can be added to the blacklist automatically.

  • Smart 3DS routing

    Enable or disable 3DS when needed, or apply it selectively to transactions filtered by the relevant parameters.

  • Third-party risk scoring

    Connect your trusted anti-fraud and risk scoring systems, such as Kount, MaxMind or Ravelin, for an extra layer of protection.

Full 3D Secure support

3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present transactions. The protocol is compliant with authentication regulations, including the Strong Customer Authentication (SCA) mandate from PSD2.

  • Support for both 3D Secure 1 & 2

    Unlike the previous version, where shoppers are redirected to another site, in 3D Secure 2 the card issuer performs the authentication within your app or payment form. The shopper's identity may be verified using passive, biometric and two-factor authentication approaches.

  • Keep your transactions SCA-compliant

    With built-in support for both the 3D Secure 1 and 2 authentication protocols, Corefy can help ensure your transactions meet SCA requirements.

  • Shift chargeback liability

    For eligible cards, 3DS2 can move liability for chargebacks due to fraud from the merchant to the card issuer.

  • Lift authorisation rates

    Data shows that issuers may approve more transactions when 3DS2 is used.

  • Take advantage of exemptions

    Corefy's solution supports the exemptions available under SCA requirements, so your customers can experience the least possible friction on applicable transactions.

Card vault & Tokenisation

Enjoy safe transactions and tokenised data without any additional fees. Accept payments with or without PCI compliance thanks to our tokenisation technology, which always keeps your customers’ data secure and enables you to focus on your business.

Our powerful API gives you great flexibility to create the payment scenarios that best fit your business needs.

Streamline the payment process and provide your customers with superior user experience.

  • Charge one card multiple times, without asking a customer to re-enter the details
  • Make a free of charge authorisation to block funds on the customer’s card to have time for customer verification using our fraud score
  • Offer one-click payments to simplify the purchasing flow
  • Create charges, subscriptions, or plans with just a few lines of code

Illustration: a stored card is represented on your side by a card fingerprint (e.g. QSHATNYPL342BT7A), a charge ID (e.g. CHAR-SPBUFHTSJC4538LO2DKNT9RY) and a fraud score (e.g. Safe); the payment form itself collects the card number, cardholder name, expiry month and year (MM/YY) and CVV.

How tokenisation works:

  • Customer enters card data

    A customer inputs their credit card details. This can be done using a custom form, Checkout, or directly via the API.

  • Token is created on our side

    A token is created in our API and the card details are sent to our token server.

  • Token is sent back to you

    The token is sent to your backend. You can securely process payments even without PCI compliance — leave it to us.
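The three-step flow above, as an added example that is not Corefy's code or API: a hypothetical token vault is the only component that sees the card number, the merchant backend keeps only the random token and a keyed fingerprint, and the CVV is validated and then discarded. The class names, token and charge ID formats, and the HMAC-based fingerprint are assumptions.

```python
import base64, hashlib, hmac, secrets, string
from dataclasses import dataclass

TOKEN_ALPHABET = string.ascii_uppercase + string.digits  # token charset (assumption)

@dataclass
class StoredCard:          # no CVV field: PCI DSS prohibits storing validation codes
    pan: str
    exp_month: int
    exp_year: int
    holder: str

class TokenVault:
    """Hypothetical PCI-scope token server: the only component that ever sees the PAN."""

    def __init__(self, fingerprint_key: bytes) -> None:
        self._key = fingerprint_key                 # secret key for HMAC fingerprints
        self._cards: dict[str, StoredCard] = {}

    def tokenize(self, pan, exp_month, exp_year, holder, cvv) -> tuple[str, str]:
        """Validate raw card data, store it, return (token, fingerprint); CVV is dropped."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("invalid PAN")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("invalid CVV")
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(16))  # random, not derived from PAN
        self._cards[token] = StoredCard(pan, exp_month, exp_year, holder)
        # Keyed hash of the PAN lets the merchant recognise a repeat card without the PAN;
        # an unkeyed hash would be brute-forceable over the PAN space.
        digest = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        return token, base64.b32encode(digest[:10]).decode()

    def charge(self, token: str, amount_cents: int) -> str:
        """Charge a previously tokenised card; an unknown token raises KeyError."""
        _card = self._cards[token]
        return f"CHAR-{secrets.token_hex(8).upper()}"   # charge ID format assumed

class MerchantBackend:
    """Out of PCI scope: it holds only tokens and fingerprints, never PAN or CVV."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault, self.cards = vault, {}           # customer_id -> (token, fingerprint)

    def save_card(self, customer: str, token: str, fingerprint: str) -> None:
        self.cards[customer] = (token, fingerprint)

    def charge_saved_card(self, customer: str, amount_cents: int) -> str:
        token, _ = self.cards[customer]             # the PAN never reaches this code path
        return self.vault.charge(token, amount_cents)
```

Tokenising the same card twice yields two different tokens but the same fingerprint, which is what lets you charge a saved card repeatedly or spot a returning card while holding no card data.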