Recurly is PCI-DSS Level 1 compliant, and recognized on the Visa Global Registry of Service Providers. We meet or exceed all industry-standard payment security practices to protect you and your customers.
The Payment Card Industry Data Security Standard (PCI-DSS) provides a framework for developing a robust security process for credit card transactions. Any merchant or merchant service provider accepting, transmitting, and/or storing cardholder data must be PCI compliant.
Adheres to the PCI Data Security Standard for Service Providers.
Follows industry-standard secure coding guidelines.
Hosts data in dedicated facilities with 24x7 security.
Recurly is PCI-DSS Level 1 compliant, a standard that specifies best practices and various security controls. Cardholder data is sent directly to Recurly to minimize risk to your business. Recurly provides a secure environment that goes above and beyond industry security standards and guidelines.
All organizations processing credit card information, regardless of their deployment model, are required to be certified. Your merchant bank account requires your business to be PCI compliant, and Recurly helps you meet those requirements.
Sensitive information is stored using several layers of encryption in a segmented network with no public internet access. New encryption keys are generated daily, and existing keys are rotated on a regular basis. Sensitive information is encrypted in transit over public networks using SSL/TLS, with connections limited to TLSv1, TLSv1.1, and TLSv1.2.
Recurly application development follows industry-standard secure coding guidelines. The application is segmented by function to maintain security.
Recurly is hosted in a dedicated hosting environment with 24x7 security. Physical access to the network is strictly limited and monitored. Private networks are strictly segmented according to function. Restrictive firewalls protect communication entering the network and between private networks. All access to Recurly's network and services is logged. Audit logs are reviewed on a regular basis. Internal and external network penetration tests are performed on a regular basis by third parties. Two-factor authentication and strong password controls are required for administrative access.