Topic: Security level of ConfTool Servers  (Read 34831 times)

Our bank asks about the security level of ConfTool and the HTTPS transfer.

We use Sectigo RSA Extended Validation Certificates with TLS v1.1, v1.2 and v1.3 256 bit AES (1024 bit DHE_RSA/SHA) encryption or higher. Lower encryption is not supported. See: https://www.ssllabs.com/ssltest/analyze.html?d=conftool.net

All servers run on a current Linux server version. We check daily for security updates and install them the same day. Access to the servers is only possible via secure transfer. We use two-factor authentication whenever possible.

We do monthly PCI scans by Sectigo (HackerGuardian PCI Compliance Scanning 2.0) https://sectigo.com/resource-library/hackerguardian-2-0 (a corresponding report will be sent to you upon request). All servers are secured with firewalls and run only versions of the installed services that are considered as secure.

If you are using an online payment gateway for credit card payments, we also meet the PCI DSS security requirements (as service provider SAQ D for PCI DSS V3.2.1) related to that gateway.
However, we are not generally PCI DSS certified as payment processor. We do not store or process credit card data.
Please note that conference organizers also might require a PCI compliance test, as they have access to all data stored in their ConfTool installation.