Security

Summary

Webtech Myanmar is committed to helping our merchants stay secure and compliant. We undergo rigorous audits, testing, and inspections to maintain the highest level of compliance in the industry. Our talented team of in-house developers, system engineers and security administrators works to maintain strict security standards at all times.

This document outlines the steps Webtech Myanmar takes to secure all merchant and customer data, software and applications, and physical hardware that we utilize to operate our business and secure yours.

Network setup

Webtech Myanmar's systems and security team takes a proactive approach to protecting all data that is housed on and moves through our servers. Our firewalls and servers have both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to evaluate incoming traffic and protect against harmful actions.

Our systems and security team performs regular updates to all company systems and can respond quickly to any major vulnerability by applying patches. The company’s servers are also hardened using recommended guidelines to increase system security.

Firewalls and IDS / IPS

Webtech Myanmar's security systems include firewalls with both an Intrusion Detection System and an Intrusion Prevention System to protect against both active and passive threats. The systems monitor network traffic, look for any unusual behavior, abnormal traffic, or malicious code, and prevent exploitation of any potential vulnerabilities.

In addition to their inclusion on Webtech Myanmar firewalls, IDS and IPS must also be installed locally on all servers in our environment to detect and warn system administrators of unusual activity and to inspect attack data if it occurs. If suspicious activity is identified, the IPS will take the corresponding action required to protect the servers. Alerts are also sent to the Webtech Myanmar security team for ongoing monitoring and review.

System Updates

The servers and network appliances are regularly updated to ensure all software is up to date. If a major vulnerability is discovered, patches are applied immediately by the Webtech Myanmar systems and security team. Per our compliance requirements, all updates are logged as part of our change-control policies.

Data Management

By trusting Webtech Myanmar with sensitive data storage, our merchants are able to shift large portions of their data security and compliance scopes away from their business. This is accomplished using a variety of available tools, including our Card Vault, Webtech Myanmar.js, hosted payment pages and developer API functionality.

Thousands of merchants trust Webtech Myanmar to secure the payment and personal information of their customers, removing their own systems from scope. Webtech Myanmar protects this data by keeping it separate from web servers.

Authentication & Access Controls

To protect access to Webtech Myanmar data and systems, our company implements strong access controls. These include a VPN requirement for access to all internal systems, controlled definition of user roles, and mandatory multi-factor authentication.

Daily Backups

Databases are automatically backed up daily to protect merchants against lost, corrupted, stolen or destroyed data. Backups are performed between data centers, as well as offsite. This is part of our commitment to ensuring ongoing business continuity.

Data Storage

Transaction, cardholder and merchant data is stored on segregated pools of self-replicating database clusters. Our database server architecture ensures uptime and load balancing of database servers. Sensitive cardholder data is stored for up to 24 months of inactivity.

Deny-All Policies

Firewalls deployed to our server environments have deny-all policies enabled by default. All connections for inbound and outbound traffic must be approved and added as new firewall rules.

Password Protection

Webtech Myanmar uses a strict password standard to ensure security. Software settings controlled by Webtech Myanmar ensure that passwords are always complex in nature, changed regularly, hashed and salted, and that users cannot re-use their previous 13 passwords.

Physical Data Access

Data centers have 24/7 onsite security. Physical access to environments is limited to key personnel, with multi-factor authentication, including biometrics.

Encryption

Webtech Myanmar encrypts all sensitive merchant data and cardholder data using the Advanced Encryption Standard (AES) with 256-bit keys. To meet PCI compliance requirements, all sensitive cardholder fields, including name, card numbers, expiry dates and cardholder addresses (for AVS), are encrypted when stored. Webtech Myanmar does not store card-verification-values (CVV), PIN, EMV, or mag data.

Information in Transit

To protect data in transit, Webtech Myanmar requires TLS version 1.2 connections to its servers, using a limited set of strong ciphers. This ensures that data is encrypted in transit and maintains its integrity. Outdated standards, including SSLv3, TLSv1.0 and TLSv1.1, are no longer active on our systems.

Compliance

Webtech Myanmar is a Level 1 PCI-DSS compliant service provider, which means we undergo rigorous on-site audits, vulnerability scanning, penetration testing, and inspections to maintain the highest level of compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Security practices from the National Institute of Standards and Technology (NIST) are also followed to maintain the highest level of data security compliance.

Service Uptime

Webtech Myanmar devotes significant resources to ensuring the most uptime possible for our networks and merchants. These safeguards include redundant data centers with 6 upstream fiber internet providers as well as backup power generation and dual-path power distribution systems. Data centers are in unmarked locations, with sites selected for low-risk geographic locations.

Multiple Data Centers

Webtech Myanmar has both a primary and a backup data center to protect merchant data. The backup data center is configured for hot-data replication of the primary data center, replicating data in real time. In the event of an incident impacting our primary data center, Webtech Myanmar can move all services and data processing operations to the backup environment with minimal downtime and data impact.

SaaS Development

Webtech Myanmar employs a talented team of in-house programmers who develop all our systems and applications. Building applications in-house ensures that they are built to Webtech Myanmar's strict security standards and allows our team to work closely with QA and security staff to identify and correct any potential issues before they become a problem.

Penetration Testing

Webtech Myanmar completes regular penetration testing to identify potential network, system and application vulnerabilities and determine whether unauthorized access or other malicious activity is possible. Penetration testing is performed both internally by the Webtech Myanmar security team and by third-party professionals.

Vulnerability Scanning

Regular vulnerability scanning of Webtech Myanmar networks and applications identifies potential security concerns. Per compliance requirements, Webtech Myanmar performs both internal and external network scans, with external scans performed by Approved Scanning Vendors (ASV).

Secure Coding Practices

All applications are developed in-house, and Webtech Myanmar developers are trained and regularly updated on the latest secure coding guidelines, including those set by the Open Web Application Security Project (OWASP). Internal development allows our company to maintain tight controls over coding standards, source code and deployment cycles.