BankVOD | A Billing Solutions, Inc. Product

Information Security

Our Mission:

Our Information Security Practices are designed to protect end user information in our possession. These steps include, but are not limited to, maintaining information security controls such as data encryption, firewalls, logical and physical access controls, and continuous monitoring. These controls are regularly evaluated for effectiveness by our Banking Clients against industry-standards for Financial Data and by independent security auditors.

The Premiere Mission Critical Datacenter in the Midwest

The facility is served by an industrial strength infrastructure that includes four fiber vaults and three electric power feeds, providing more than 100 megawatts of power. The building is currently the second‐largest power customer for Commonwealth Edison, trailing only Chicago’s O’Hare Airport. More than 50 generators throughout the building and multiple 30,000-gallon tanks of diesel fuel support grid power.

Miami, FL - Datacenter

Located in downtown Miami, MIA1 (36 NE. 2nd St.) is structurally designed for Category 5 hurricane survivability.

MIA1's strength makes it the premier international gateway for reaching South America and Latin America with international voice, video and data traffic. The building is outside the FEMA 100-year designated flood zone and the Miami-Dade hurricane evacuation zone.

Because of its proximity to Latin America, Miami serves as the headquarters for more than 1,400 multinational corporations.

Network neutral data center with access to hundreds of global networks
Structurally designed to withstand natural disasters making it ideal for disaster recovery and business continuity services
First stop from the overseas landing station before the NAP of the Americas
Low-latency metro connectivity to the NAP if required

System Overview

SSAE16 Type II Certified
- View Type II report
SIG
- SIG – Critical Vendor questionnaire
BankVOD Security Best Practices SANS Institute Framework:
- Understanding Security Regulations in the Financial Services Industry
Information Security and Business Continuity Management Program
- View report
External Penetration Test Report
- View report
- Remediation report
LexisNexis® Risk Solutions Privacy and Security Review for Resellers eLearning Modules Certificate
- View Certficate
BSI Insurance Policies Summary
- View Certificates
W9 Form
- View Form
Screened Subnet Topology - The most secure (and most expensive) option .In this case, the DMZ is placed between two firewalls.
DMZ
- VPN Firewall
- Web Server
Internal Network
- VPN Firewall
- Database Server
- Data Storage
- The internal network has no external IPs, so it cannot be accessed from outside the network
PCI Compliance
- SecurityMetrics certification
  - View certificate
  - View ASV Scan Report Executive Summary
- BASYS merchant certification
  - View certificate
Extended Validation SSL
- VeriSign
- How Extended Validation SSL Can Help to Increase Online Transactions and Improve Customer Confidence
- Extended Validation triggers the green address bar in high security browsers
- Up to 256‐bit encryption with 40‐bit minimum secures online transactions
- VeriSign Trust™ Seal with VeriSign Seal‐in‐Search™ maximizes click‐through and conversions
- Daily Web site malware scanning shows customers you are committed to keeping them safe
Uploaded documents are deleted from server - We delete all documents that were uploaded once the order has been successfully delivered to our client's processing center. All processed verification requests are delivered directly to the requestor.
Integrated Data Loss Prevention (DLP) solution
- Advanced Data Discovery
- Robust Data Classification
- Secure Email Collaboration
- Stringent Device Control
- Proactive Mitigation of Inside Threats
HSM (Hardware Secure Module) appliance stores and protects private keys
- SSL/TLS
- FIPS 140-2 Level 3 validated
- Tamper-evident hardware
- Compliance including GDPR, PCI-DSS, HIPAA, eIDAS, and more
- HA configuration for redundancy
Force encryption to the database Server
- Connection is encrypted between the Web Server and database Server
Host based Anti-Virus
- Host Intrusion Prevention Software (HIPS)
- Host Intrusion Detection Software (HIDS)
- Disable USB port on all hosts
- Do not allow to boot from any external peripheral device
Logs management: Tripwire Log Center
- Log and Event management for security and compliance
- Monitor drive space from a centralize location
Password policies and security features
- Must contain 10-30 characters
  - Must include at least one number
  - Must include at least one UPPERCASE letter
  - Must include at least one LOWERCASE letter
  - Must include at least one special character: `~!@#$%^&*()_+={}[]\|:;"<>,.?/-
  - Cannot contain your Login ID
- Account lockout after 5 failed attempts
- Block concurrent user connections. Users cannot login with the same login id from different locations simultaneously
- After 3 months of account inactivity, user needs to verify his/her account
- Locks end users out after 15 minutes of inactivity
- New Accounts require an End User to activate by validating the email address and entering temporary login and password, at which time they are prompted to choose a new password
- BankVOD Administrator can limit access by specifying an IP Address Range
- Ability to create a BankVOD account can be restricted by Company Name, Valid Company EMail Address and IP Address
- Passwords are stored using 'salted' SHA2 512-bit hash
- Password history, users will be prohibited from re-using the last 6 previously used passwords.
Logon/warning message displayed during initial logon process
Source code is analyzed before uploading to the production environment
Summary of the Failover/HA Configuration for Each System (Chicago & Miami)
- Web server redundancy (DMZ LAN)
  - High Availability (HA) / Failover Cluster Servers (Nodes)
  - High Availability (HA) / Failover Cluster Web servers (Virtual Machines)
  - The web server cluster is configured as an active/passive system. If the active server fails all traffic fails over to the second server automatically. In case of a hardware failure, all VMs are automatically failed over to the working node. With this setup we can minimize the down time in case of a hardware or software failure.
- Database Server redundancy (Private LAN)
  - High Availability (HA) / Failover Cluster Servers (Nodes)
  - High Availability (HA) / Failover Cluster SQL Servers (Virtual Machines)
  - The SQL server cluster is configured as an active/passive system. If the active server fails all traffic fails over to the second server automatically. In case of a hardware failure, all VMs are automatically failed over to the working node. With this setup we can minimize the down time in case of a hardware or software failure.
- File Server redundancy (Private LAN)
  - High Availability (HA) / Failover Cluster Servers (Nodes)
  - High Availability (HA) File Server Role (Virtual Role)
  - The file server role is configured as a Highly Available File Shares. There is a virtual network/IP address created by the cluster between both nodes so resources can be hosted on either node providing fault tolerance. So in the event of a hardware failure the File server role can fail over to the other node automatically.
- Fax Server redundancy
  - 1 Fax server in Chicago
  - 1 Fax server in Miami
  - Each fax server handles half of the BankVOD faxing load, inbound and outbound. If one goes down all fax numbers failover to the other server automatically and all outbound faxes keep faxing from the server that is up and running.
FCRA Permissible Use Application
- FCRA Permissible Use Form
- FCRA Additional Verification Requirements
- FCRA Audit & Training Policy