Customer: Base Commerce

Region: US

Challenge: Validate that CypherPay™ reduces PCI DSS scope in a merchant environment

Solution: Audit and Assessment Services

basecommerce.com


Base Commerce partners with Sysnet to test its CypherPay™ Solution.

Base Commerce was established in 2008 by John Kirchhefer and Brian Bonfiglio, veterans of the automated clearing house (ACH) industry and owners of Check Gateway – an ACH processing specialist. Originally named Phoenix Payments after Phoenix, Arizona, where the company is located, Base Commerce was created in order to have a separate entity focused entirely on processing credit card payments.

The business grew slowly until 2012, when there was a major push to develop the business and separate Phoenix Payments from Check Gateway. This involved moving the company into its own facility and growing rapidly by acquiring a competitor, Teledraft, and utilising all its assets. Then in 2013, to cap off an exciting year of growth, Phoenix Payments acquired the name ‘Base Commerce’ and continued to expand throughout the decade with new offices and a merging of both Base Commerce and Check Gateway.

An increase in growth naturally led to an increase in clients relying on Base Commerce to process credit card payments. In turn, it is important that Base Commerce ensures its partners have a high level of security so that data is protected during the payment process and the merchants remain PCI DSS compliant. In response, Base Commerce developed its CypherPay™ E2EE (end-to-end encryption) payment solution.

Base Commerce sought independent assurance that CypherPay™ could meet the stringent data security requirements needed to reduce the scope of PCI DSS compliance in its merchants’ environments. This is when the PCI compliance expert Sysnet Global Solutions came to help.

Illustrating that CypherPay™ drastically reduces risk.

When Base Commerce developed CypherPay™ it did so with the intention of securing the online payments landscape for its merchants and software partners. Base Commerce wanted to illustrate that by utilising its product, the user can drastically reduce the risks to its company and merchants.

Base Commerce needed to collaborate with the right partners to deliver advanced technology that was not only simple to set up and follow but also offered lasting value. Zachary Walker, a Data Security Analyst for Base Commerce, noted that “the growing threat landscape that the payments industry is facing is constantly evolving. If a system or process is too complicated, then it will inevitably lead to gaps and shortcuts being taken by the user. This introduces vulnerabilities into the user’s security ecosystem.”

This is what CypherPay™ aimed to solve. However, Base Commerce is a payments expert, not a security one. So Zachary spearheaded a certification initiative and sought out the advice of a company that had experience in both the payments industry and security, which fit Sysnet’s portfolio splendidly.

Selecting the right partner.

Base Commerce had been working with Sysnet for a number of years on its PCI DSS Level 1 Certifications, and so knew it had the expertise needed to assist in testing and verifying how the CypherPay™ solution met the rigorous needs of the online payments landscape.

This wasn’t the only reason that Base Commerce chose Sysnet as its partner though. Sysnet needed to prove that it understood the high-level architecture being used in the product. To do this, the solution was submitted for Sysnet’s analysis process. The results from this technology analysis gave Base Commerce the confidence to proceed with Sysnet as a partner.

Zachary says of this process:

“Once we received confirmation from Sysnet that our technology was a great idea, we had the confidence to jump in with both feet and further our partnership with Sysnet.”

Sysnet conducted an expert evaluation of the CypherPay™ solution. This evaluation covered many areas of the product, including validation of the encryption mechanisms from encryption endpoints to the Base CDE decryption environment, alignment of the cryptographic key management principles with NIST 800-57 and PCI SSC P2PE version 2.0 rev1.1, and the implementation of PKI for payload encryption and decryption.

Sysnet also reviewed the implementation of secure communication channels using TLS 1.2, conducted a forensic-level inspection of endpoint systems to determine whether any latent cardholder data or sensitive authentication data remained after transaction authorization, and performed transactions for each of the envisaged payment channels, including POS, POI and e-Commerce-based transactions.

According to Jeff Montgomery, SVP – Cyber Risk at Sysnet, “CypherPay™ exceeded the required standards in all areas.”

Base Commerce and Sysnet: a partnership that will last for many years.

Following this evaluation, Sysnet documented all its findings into a whitepaper that is now available on the Base Commerce website.

For Base Commerce, it was a fantastic opportunity to be able to pursue this initiative while conducting its normal PCI DSS Level 1 audit, without having to supply many of the same documents twice.

Zachary says: “Our experience working with Sysnet was phenomenal. All the Auditors, QA, Marketers, et cetera, were a pleasure to work with.”

“There are always going to be little snags and challenges to overcome when you are doing something so innovative for the first time,” Zachary continues. “Being able to consult with Qualified Security Assessors from around the globe made solving those challenges easy.”

Base Commerce achieved something that very few, if any, systems had achieved. It had proven to its stakeholders in the payment ecosystem that the CypherPay™ solution can and does dramatically reduce the merchant’s security risk when implemented. It ensured that there would be an increase in PCI compliance amongst its partners. And this could not have been achieved without the support of Sysnet’s security professionals.

Of the partnership, Zachary says: “We’re looking forward to working closely with Sysnet for many years to come. The flexibility, quality and professionalism of all the employees at Sysnet is top notch.

“I would absolutely recommend working with Sysnet. If your company is forward-looking and wanting to make the most of cutting-edge technology, Sysnet is the company you want to be partnered with for your compliance certifications, and other information security services.”

Main Benefits:

  • Seamless working partnership
  • Tested and verified the solution
  • Assessed before committing to the solution
  • Able to pursue the initiative while conducting normal PCI DSS Level 1 Audit
  • Proven to stakeholders that the CypherPay™ E2EE solution reduces security risk and ensures an increase in PCI compliance amongst Base Commerce’s partners.

About Sysnet Cyber Risk.

Sysnet is a global cyber security company, currently providing assessment and consulting services across more than 60 countries. Established in 1989, we have built a reputation for helping clients achieve compliance in a cost-effective manner, adopting a uniquely pragmatic and business-focused approach.

Sysnet offers a range of information security services including PCI DSS, PSD2, GDPR, ISO27002, HIPAA, Sarbanes-Oxley, POPIA, FedRAMP, SWIFT and other internationally defined standards. Proudly boasting a wide client base that includes global commercial organisations, acquirers, ISOs, international banks and payment service providers, Sysnet is headquartered in Dublin, Ireland.
