The following describes the security techniques used by iCheckGateway.com to protect sensitive merchant and client information from potential threats, both virtual and physical, and to provide secure online payment processing for both ACH processing and credit card processing.
A Secure Sockets Layer (SSL) Certificate enables encryption of sensitive information during online transactions. Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt the data being transmitted through an Internet browser to a website, and the private key is used by the web server to decrypt the transmitted information. During this transaction, an SSL handshake authenticates the website server and the client browser, creating an encryption method with a unique session key and initiating secure communication.
True 128-bit SSL Certificates enable the system to offer the strongest SSL encryption available. Even though various SSL certificates are capable of 128-bit or 256-bit encryption, certain older browsers and operating systems are unable to connect at these levels.
iCheckGateway.com utilizes an Extended Validation SSL Certificate issued by the most widely trusted Certificate Authority, VeriSign. VeriSign is the SSL Certificate provider of choice for over 95% of the Fortune 500 and the world’s 40 largest banks. The extended validation process is a rigorous business authentication practice that ensures business validity. Users of iCheckGateway.com will notice the green address bar, validated certificate, and VeriSign site seal in place for maximum trust and security.
User account credential details for all iCheckGateway.com merchants and clients are protected. Passwords are not stored on the website, nor are they ever transmitted across the Internet.
iCheckGateway.com utilizes an authentication algorithm that produces an irreversibly encrypted CypherString from which the original password data cannot be reproduced. Only this CypherString is stored by the system. For example, when a new account is created, the user password is irreversibly encrypted and the resulting CypherString is stored. Then, during the login authentication process, the user inputs their username and password through a secure SSL connection. The entered password is then also irreversibly encrypted, and the resulting CypherString is compared with the stored CypherString to determine authentication approval. User passwords remain confidential at all times. Access to any account is not possible with the use of a CypherString, because the irreversible encryption of a CypherString will never yield the same result as an original password.
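The store-and-compare flow described above, as an added example that is not iCheckGateway.com's code. The page does not name its algorithm, so PBKDF2-HMAC-SHA256, the per-user random salt, the iteration count, and all function and account names here are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the page does not state one


def derive(password: str, salt: bytes) -> bytes:
    """One-way derivation standing in for the page's "CypherString"."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(store: dict, username: str, password: str) -> None:
    """Store only the salt and the derived value, never the password."""
    salt = os.urandom(16)
    store[username] = (salt, derive(password, salt))


def login(store: dict, username: str, password: str) -> bool:
    """Re-derive from the submitted password and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal them.
        derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)


def demo() -> dict:
    store = {}
    # Constructed sample account and password.
    create_account(store, "merchant01", "correct horse battery staple")
    leaked = store["merchant01"][1].hex()  # the stored value, as a database leak would expose it
    return {
        "good": login(store, "merchant01", "correct horse battery staple"),
        "bad": login(store, "merchant01", "wrong password"),
        # Submitting the stored value as the password derives a different value.
        "stored_value_as_password": login(store, "merchant01", leaked),
        "unknown_user": login(store, "nobody", "x"),
    }


if __name__ == "__main__":
    print(demo())
```

The `stored_value_as_password` case is the property the paragraph claims: the stored value is derived again at login, so it does not authenticate when submitted in place of the password.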
Account Number Security
Checking account numbers for all transactions are protected. No checking account numbers are stored by the website in a readable format, and all account numbers are always collected and/or transmitted through the secure channels of an SSL encrypted connection. iCheckGateway.com follows the Advanced Encryption Standard (AES) for all account numbers in the system.
The AES is an encryption standard based on the Rijndael cipher that was announced by the National Institute of Standards and Technology (NIST) on November 26, 2001, after a 5-year standardization process in which fifteen competing designs were presented and evaluated. The US Government adopted this standard and in 2003 announced that AES may be used to protect classified information.
Virtual System Security
iCheckGateway.com is Payment Card Industry Data Security Standard (PCI DSS) Compliant. The PCI security standards are technical and operational requirements that were created to help organizations that process payments prevent fraud, hacking, and other security threats and vulnerabilities. The PCI set of standards was developed and is enforced by the founding members of the PCI Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc).
To certify PCI Compliance and to maintain awareness of potential issues as they arise, iCheckGateway.com subscribes to Trustwave Information Security & Compliance, which routinely performs internal and external vulnerability scanning, penetration testing, application review, intrusion detection, web content monitoring, and alert notification.
Physical System Security
Physical access to iCheckGateway.com is controlled 24 hours daily and access is highly restricted. Our data centers are PCI compliant and SAS 70 Level 2 compliant. Data is stored securely and redundantly at all times.