Topic: Security level of ConfTool Servers

Our bank asks about the security level of ConfTool and the HTTPS transfer.

We use Comodo Certificates with TLS v1.0, 256-bit AES (1024-bit DHE_RSA/SHA) encryption or higher. Lower encryption is not supported.

All servers run on a current Linux server version. We check daily for security updates and install them the same day. Access to the servers is only possible via secure transfer. We use two-factor authentication whenever possible.

We do monthly PCI scans by Comodo CA (a corresponding report can be sent on request); all servers are secured with firewalls and run only versions of the installed services that are considered secure.

If you are using an online payment gateway for credit card payments, we also meet the PCI DSS security requirements related to that gateway.
However, we are not generally PCI DSS certified. We do not store or process credit card data, and the requirements for the PCI DSS certificate depend on the payment gateway used; it would also require considering the security level of our clients (the conference organizers) as well, as they have access to all data stored in their ConfTool installation. It may sound strange, but this makes it practically impossible to get a general PCI DSS certification, as we operate with many payment providers and do not want to limit the access of our clients to the data in their ConfTool installation.