We use cookies to enhance your user experience. By clicking any link on our site you’re giving your consent for us to set cookies.

More info
Back
Get started

High security standards

We take security extremely seriously. Through rigorous security checks, safe data storage, employee screenings and compliance with every available regulation, we ensure the safety, stability and reliability of our payment platform. We always seek new technology, process, and risk assessment and independent testing to keep on improving.

Download presentation
hidden card
visible card

  • Data encryption

    We adhere to the PCI Data Security Standard for Service Providers.

  • Web application security

    We follow the industry-standard secure coding guidelines.

  • Physical & network security

    Data is hosted in dedicated facilities with 24x7 security.

Certifications & Compliance

We have a dedicated compliance team to review procedures and policies and to align them with standards, and to determine what controls, processes, and systems are needed for compliance.

We also do periodic internal audits and facilitate independent audits and assessments by third parties.

PCI DSS Level 1 compliance

Payment Card Industry Data Security Standard (PCI DSS) is one of the security standards created by major payment systems. Compliance with this standard makes online transactions secure and protects them against identity theft. It increases control of cardholder data and reduces credit card fraud.

Read more
  • Level 1 PCI compliant
    i
    Corefy meets the strictest requirements of the highest PCI DSS. It ensures that your payments are highly secure. The intensive onsite audit takes place annually to ensure the highest compliance levels are maintained and adhered to.
  • Industry recognition
    i
    We are on Visa’s Global Registry of Service Providers and Mastercard’s Compliant Service Providers Lists.
  • No need for you to be PCI compliant
    i
    Eliminate the hassle with PCI DSS compliance and let us deal with the banks on your behalf. We take care of the sensitive data and both you and your customers can enjoy fully protected and encrypted transactions.
  • No prohibited data storage
    i
    To comply with the strictest security standards, we do not store raw magnetic-stripe, card validation codes or PIN block data. Storage of this data is strictly prohibited by PCI DSS.

VISA Third Party Agent (TPA) and Mastercard Registration Program (MRP)

Our VISA Third Party Agent (TPA) and Mastercard Registration Program (MRP) registrations are an added layer of security for our clients. All service providers who have access to cardholder data must comply with the data security requirements prior to beginning services and must be registered in the VISA Agent Registration Program for inclusion on the Visa Global Registry of Service Providers. Mastercard requires all service providers to be PCI-compliant and registered as Member Service Providers (MSP).

Read more

Google Pay

Corefy is officially featured in the Google Pay list of participating processors. It allows our clients to easily implement this in-demand payment method and securely process Google Pay transactions through Corefy. Sign a contract with us, agree with Google's terms and policies, inform your Corefy Account Manager, and you're all set.

Read more

Apple Pay

We’ve implemented the Apple Pay token decrypt service, which allows our clients to decrypt Apple Pay tokens and transfer the card data to the providers instead of transferring tokens. Thus, clients can use their own Apple Merchant ID and payment processing certificates to decrypt the tokens independently of the payment provider.

Read more

PSD2 compliant software

PSD2 is the second iteration of the Payment Services Directive implemented by the European Union and it affects both individual consumers and businesses. PSD2 enables bank customers to use third-party providers to manage their finances. The regulation has implications for all companies in Europe that deal with payments, ranging from how to regulate the emergence of third party providers to the need for strong customer authentication (SCA).

Read more

Secure infrastructure

Corefy meets the highest standards of security, integrity and stability. We understand that you entrust your data to us, and we do everything possible to keep it secure and continuously look for opportunities to improve.

  • Our payment platform runs entirely on Amazon Web Services (AWS), a secure cloud services platform that offers computing power, database storage, and other functionality helping us scale and grow.
    amazon
  • Cloudflare helps us mitigate DDoS attacks of all forms and sizes and enhances the security of our platform.
    cloudflare
  • Our website is secured by the Comodo SSL certificate.
    comodo
  • Our users are prompted to authenticate with their password and verification code. The additional layer of security ensures that only authorised Corefy users can access their account.
    hz

Infrastructure reliability

Corefy's PCI-compliant payment platform runs entirely on AWS, relying on security best practices and auditability.

  • Hosting facilities
    i
    Corefy currently hosts its main systems in separate data centres in Europe and in the United States provided by Amazon Web Services. We administer and manage all our servers and do not outsource any administration to third parties for payment processing.
  • 99.95% uptime
    i
    Corefy’s systems have been designed for maximum uptime through a redundant and stateless service-oriented architecture that simultaneously accepts payments on multiple physical hosting locations.
  • Monitoring
    i
    Our Internet-facing systems are probed from points all over the world at least every five minutes to assess availability. Corefy’s entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, of predictive failures, warnings and hard errors. Our overall aim is to detect and resolve issues before they can impact our transaction processing ability.
  • DDoS protection
    i
    We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.
  • Latency
    i
    Our data centres have strategic location to serve our core geographic regions and to ensure the minimum amount of latency, experienced by our customers and their merchants. Wherever we can, we peer as close as possible to strategic Internet Exchanges to further reduce latency and the number of hops to our processing network.
  • Processing speed
    i
    Corefy’s standard real-time reporting dashboard contains SLA reports. Processing speed is typically under one second, including risk checks, depending on the speed of the underlying acquirer and/or issuer involved. It has been designed to handle large volumes including comprehensive fraud screening.
  • Scalability
    i
    Scalability is the ability of the white label payment processing solution to increase productivity. Corefy supports 200 transactions per second or 535,680,000 transactions per month. We plan to increase the flow to 1,000 transactions per second or 2,678,400,000 transactions per month.
Check Corefy’s status page

Security management

We review and observe employee, customer, and vendor activity to guard against suspicious or unauthorised activities.

  • Firewall
    i
    We filter all incoming and outgoing traffic through hardware firewalls.
  • Monitoring
    i
    We utilise both internal and external monitoring services for Corefy. The services alert both operational and security team members if there are any errors or abnormalities in application state.
  • Penetration testing
    i
    We perform rigorous automated vulnerability scans several times a week on both our Internet facing and internal infrastructure to assess our attack surface area. A team of on-staff experts and independent third parties perform intensive manual and automated penetration testing every six months.
  • Scanning
    i
    We perform ASV-certified security scans/audits, internal and external network scans, and other PCI compliance checks weekly. Also, we regularly run penetration-testing exercises and vulnerability-checks against our network.
  • Vulnerability management
    i
    All Internet-facing and internal infrastructure are aggressively patched in a tight time scale after patches for security vulnerabilities are made available by vendors.
  • Intrusion prevention system
    i
    For security enhancement, all inbound and outbound traffic from our platform is monitored by an active intrusion prevention system (IPS) which blocks the threat of common exploits and zero day attacks.

Ultimate data protection

Data protection and security are major concerns when considering information management solutions, especially when it comes to your company’s sensitive payment data. With us, you can enjoy peace of mind knowing that industry best practices are followed.

  • TLS 1.2 (SSL)
    i
    Using Transport Layer Security Protocol (TLS) version 1.2 Corefy ensures the safety of payment data during the transfer, guaranteeing a secure connection between the server and the client’s browser. The TLS protocol ensures that information is transmitted in encrypted form using the HTTPS protocol, which eliminates data interception and protects against redirection to fraudulent resources.
  • Data encryption
    i
    Cardholder data is secured by using a combination of symmetric and asymmetric cryptographic algorithms. All data is managed using multiple encryption keys with split knowledge and dual control. Data thieves would not be able to make use of information stolen from a database without also having the key.
  • Card tokenisation
    i
    We process credit card payments online without touching card data. Instead, we use tokens to process transactions, so any breach to your server will not harm cards.
  • No prohibited data storage
    i
    We don't store raw magnetic stripe, card validation code, or PIN block data.

Security is in our DNA

In an industry where trust is paramount, using sophisticated security practices gives businesses confidence that Corefy is keeping their data secure. Our team works with each of our clients to protect them, offering best practices to ensure private information stays private.

lock
  • cap

    Ongoing education

    Our Development and Engineering teams regularly train in several different areas including cryptography, OWASP Top 10 and others relevant to our platform.

  • community

    Community consciousness

    We share information security approaches locally and nationally to help shape the security community.

  • strategic approach

    Strategic approach

    Constant internal and external testing helps us identify and understand the tactics used by adversaries, and how to proactively stop them to keep data safe.

  • third party testing

    Third-party testing

    Solutions that are only secure in theory are not acceptable. We partner with third-party providers to test, attack and evaluate our security controls to confirm they work.

  • development

    Development

    Our developers work closely together with different departments. Crucially, we publish new releases of our core system every week, without any downtime or active involvement of our customers.

  • software and hardware

    Software and hardware

    Corefy is fully built on open-source software. This gives us maximum control over our software components while remaining independent of any third party. All development, system administration, networking, database administration and security activities are performed in-house by our experts.

  • proven practices

    Proven practices

    Corefy maintains a SOC 2 report, which is provided by an independent, third-party attestation and proves that we are taking the appropriate steps to protect our systems and your data.

  • strong access controls

    Strong access controls

    With data as precious as financial information, we make sure only the right people have the proper access. Utilising OAuth authentication and scoping, we transform sensitive information into a temporary and constantly changing key (or token) for robust protection.

Securing access

Corefy provides capabilities to help protect your organisation, but they are effective only if you use them. If you do not use them, you may be vulnerable.

  • two factor authetication
    Two-factor authentication. Minimise security risks and ensure peace of mind with enhanced security and protection through Corefy's PCI-compliant, two-factor authentication
    i
    Users are prompted to authenticate providing two pieces of information: their password and verification code. The additional layer of security ensures that only authorised Corefy users can access their account.
  • activity log
    Activity log. Protecting data, preserving privacy, and complying with regulations such as the GDPR should certainly be the highest priorities for any business
    i
    It's critical that you audit the entirety of data processing actions taking place to further analyse for possible security breaches.
  • role access management
    Role access management. Providing only the necessary level of access for a user to perform their role mitigates security risks and supports compliance with company policies
    i
    We understand that not every user in your organization needs full access to the Corefy app, so we support multiple distinct user permission groups with varying levels of access.
  • session management
    Session management. We store unique identifiers of user sessions as entries in the database
    i
    During the authentication process, we check the user's login and password and identify the user by IP, the device's operating system and browser.
Explore documentation

Corefy provides capabilities to help protect your organisation, but they are effective only if you use them. If you do not use them, you may be vulnerable.

costumers
Customers

  • Allow access

    Accounts, Subscriptions, Invoices, Transactions, Plans

Permissions

  • Can edit
  • Read-only
reports
Reports

  • Allow access and editing

    Dashboard, Accounts and Subscribers, Plans, Recurring revenue, Subscriber retention, Transcations, Exports

configuration integrations
Configuration & Integrations

  • Allow access and editing

    Site settings, Plans, Invoice settings, Coupons, Currencies, Taxes, Email templates, Payment gateways, Checkout settings, Dunning management, MailChimp, Salesforce

Powerful toolkit for fraud prevention

  • card green
  • card purple
  • card blue
  • card yellow
  • card red

Card number

Result

Allowed

Result

Denied

Scanning

Scanned

Our ready-made anti-fraud solutions provide you with additional security layer and help you target specific fraud issues and risks more effectively.

  • Blocking rule engine
    i
    Automatically cut off suspicious or undesirable traffic using Blocking schemes with configurable dynamic rules.
  • Smart blacklisting
    i
    After several failed attempts to complete a transaction, a payer can be added to the blacklist automatically.
  • Smart 3DS routing
    i
    Enable or disable 3DS when needed, or apply it selectively for transactions filtered by relevant parameter.
  • Third-party risk scoring
    i
    Connect your trusted anti-fraud and risk scoring systems, like Kount, MaxMind or Ravelin, for an extra layer of protection.

Full 3D Secure support

3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present transactions. The protocol is compliant with authentication regulations, including the Strong Customer Authentication (SCA) mandate from PSD2.

3DS v2
3DS v1
  • Support for both 3D Secure 1 & 2
    i
    Unlike the previous version where shoppers are redirected to another site, in 3D Secure 2 the card issuer performs the authentication within your app or payment form. The shopper's identity may be verified using passive, biometric, and two-factor authentication approaches.
  • Keep your transactions SCA-compliant
    i
    With built-in support for both 3D Secure 1 & 2 authentication protocols, Corefy can help ensure your transactions meet SCA requirements.
  • Shift chargeback liability
    i
    For eligible cards, 3DS2 can move liability for chargebacks due to fraud from the merchant to the card issuer.
  • Lift authorisation rates
    i
    Data shows that issuers may approve more transactions when using 3DS2.
  • Take advantage of exemptions
    i
    Corefy's solution supports exemptions available under SCA requirements, so your customers can experience the least possible amount of friction on applicable transactions.

Card vault & Tokenisation

Enjoy safe transactions and tokenised data without any additional fees. Accept payments with or without PCI compliance thanks to our tokenisation technology, which always keeps your customers’ data secure and enables you to focus on your business.

Our powerful API gives you a huge flexibility to create payment scenarios that best fit your business needs.

Streamline the payment process and provide your customers with superior user experience.

  • Charge one card multiple times, without asking a customer to re-enter the details
  • Make a free of charge authorisation to block funds on the customer’s card to have time for customer verification using our fraud score
  • Offer one-click payments to simplify the purchasing flow
  • Create charges, subscriptions, or plans with just a few lines of code
  • Card Fingerprint
    QSHATNYPL342BT7A
  • Charge ID
    CHAR-SPBUFHTSJC4538LO2DKNT9RY
  • Fraud Score
    Safe

  • Credit card data

    ---- ---- ---- ----
    Cardholder name
    MM
    YY
    CVV

    Customer enters card data

    A customer inputs their credit card details. It can be done by using a custom form, Checkout, or directly with API.

  • Token is created on our side

    A token is created in our API and card details are sent to our token server.

  • Token is sent back to you

    The token is sent to your backend. You can securely process the payments, even without PCI compliance — leave it to us.

Secure online payments

Security of online payments is a significant concern not only for cardholders. Banks, payment service providers, platforms, and merchants (i.e. online stores) are also interested in the security of the payment process. And the reason is apparent: all the participants risk their money and reputation in case of a security breach. This safety concern leads to creating advanced means to secure transactions and prevent fraudulent activities with card data.

How it works?

Security of payment data underlies every solution of our platform. Corefy complies with the highest standards through rigorous security checks, safe data storage, staff control, and compliance with all the available regulations. We take the matter of security seriously to ensure the maximum data safety and reliability of the platform.

The new technologies are always on our radars: we assess risks and perform independent audits to ensure stability, reliability, and safety throughout the platform.

PCI DSS

Our platform complies with the strictest security standard — PCI DSS Level 1. The annual onsite audit ensures the highest levels of compliance are maintained. It also allows us to relieve the PCI burden from our customers and deal with the banks on their behalf. This compliance ensures the complete protection of our clients and their customers’ sensitive data.

VISA TPA & MRP

Being registered in Mastercard Registration Program and as VISA Third Party Agent, we provide our clients with an additional safety layer.

ISO 9001, 27001

International Organization for Standardization (ISO) is an essential point in secure online payments. Corefy has both ISO 9001 and ISO 27001 standards. ISO 9001 is the international standard specifying the requirements for Quality Management System. When used, it helps organisations demonstrate their ability to provide high-quality services and products. Corefy also possesses the ISO/IEC 27001:2013 certification of Application, Systems, People, Technology, and Processes.

Information security results in performance improvement, reduced risks, and increased customer convenience.

PSD2

We also support PSD2. The Payment Services Directive replaces the PSD dated 2007. This solution enables third-party providers to manage the bank customers’ finances with their direct permission and through enhanced authentication. According to PSD2, customers give their consent both for individual transactions and for TPP’s to fully access their information stored in the bank.

GDPR

GDPR is aimed to protect the personal data and privacy of European Union citizens. The pan-European regulation ensures that clients’ identity details are collected only when they have given explicit and reasonable consent.

Secure payment methods

Our payment orchestration platform uses 3D Secure technologies (both 1 and 2). This helps to verify a cardholder’s identity in real-time and make each transaction secure. After entering the card number, its owner is redirected to the issuing bank server. Usually, after that banks send an SMS with a secret code to be used as a confirmation. When the received code is entered, the cardholder’s identity is confirmed and the transaction is authorised. For instance, the Mastercard uses the Masterсard SecureCode to secure all financial procedures.

Credit cards

Corefy enables you to accept online payments via tokenisation technology. It protects the customer’s data and allows business owners to focus on development. Our powerful API enables merchants to charge one credit card many times without the need to re-enter the payment details. It becomes feasible to perform a free of charge authorisation due to our fraud score. We also offer one-click payments to facilitate the purchasing process and increase your customers’ satisfaction.

Fraud prevention

Our platform entails a system that evaluates transactions online and detects suspicious ones. After a thorough analysis of each transaction, the system recommends rejecting or applying an additional check. In case of a fraud suspicion, the system can prevent money debiting.

Corefy anti-fraud system can operate according to different parameters:

  • limits on transactions from one IP address;
  • restrictions on the amount;
  • number of purchases;
  • constantly changing algorithm;
  • assessment of customer behaviour in the payment flow;
  • transactions based on statistics, etc.

Anti-fraud evaluates all operations and identifies the abnormal and suspicious ones. It is also capable of identifying a fraudster with the maximum degree of probability or defining buyers’ card transactions as trusted.

Enjoy secure payments processing without putting your funds, reputation, and customers’ sensitive data in jeopardy.

Routes to explore more