Security & PCI Compliance
At WineDirect we take security very seriously and we ensure that our partners like Amazon (where our servers are stored) and merchant partners are properly handling security as well. We adhere to the PCI compliance standards outlined by the PCI Compliance Standards Council for the storing, processing, and transmission of credit card data and cardholder information.
WineDirect regularly performs ongoing [quarterly] 3rd party PCI compliance scans to maintain PCI compliance and provide clients with the appropriate documents verifying our compliance. The following documents can be downloaded and provided to vendors such as merchant providers/gateways, banking institutions, or PCI scanning vendors.
PCI-DSS [Payment Card Industry Data Security Standard] is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. Businesses must perform regular scans to ensure their ongoing adherence to PCI compliance standards. For more information please see the following resources:
PCI Compliance Standards Council: https://www.pcisecuritystandards.org
Yes. WineDirect complies with PCI compliance standards. To maintain this compliance a PCI SAQ-D scan is done quarterly by a 3rd party service to validate that the system is still maintaining PCI compliance standards.
Yes. You can download our PCI SAQ-D Attestation of Compliance and our latest quarterly scan below.
WineDirect uses the PCI Security Council's SAQ or Self Assessment Questionnaire (SAQ-D) to ensure that WineDirect systems adhere to the standards set out for PCI compliance. Part of this document is the attestation of compliance that your bank or other vendors may require as proof that WineDirect is compliant; this document is available for download at the top of this page.
Credit card data is stored for clubs, recurring transactions, and refunds. Credit card data is encrypted and is never exposed. WineDirect uses a Triple DES [3DES] encryption algorithm for credit cards.
WineDirect's databases are in a DMZ behind a VPN which ensures that there is no direct access to our production or staging databases.
WineDirect's servers are hosted with Amazon's cloud-based web services (AWS) which are Level 1 PCI-DSS certified. This means that Amazon's compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers where the physical servers are housed.
First, review the full scan report that was sent to you by your PCI compliance scan provider. The most common failure notice, and one that you can address, is failure due to TLS 1.0 open connections.
What you should know
TLS 1.0 connections are being phased out over the next few years; however, all major eCommerce providers still use these connections for some functions. These connections are still PCI compliant if a risk mitigation plan is in place by the eCommerce provider during the transition period. A vast sector of web users have not yet updated their browsers and continue to use TLS 1.0-only systems.
Existing software and systems have a grace period (June 30th, 2018) to update their systems as customers and browsers work to update to newer systems. These open connections can be used by existing software vendors as long as a risk mitigation plan is in place for the transition period.
How can I resolve this on my scan?
During this transition period your scan provider needs to know the steps that your eCommerce provider [WineDirect] is taking to provide a secure environment during this period, and that it has a risk mitigation plan in place. Please download and modify any bold text in the document below and send it to your scan provider for TLS 1.0 PCI failures.
The WineDirect platform is comprised of several applications all running on different URLs and IP addresses. The platform is hosted in Amazon's Cloud infrastructure and by design all IP addresses are dynamic and may change at any time.
If you work for a large company or enterprise, or operate on a shared network, network or internet security policy may restrict access to pre-approved (whitelisted) URLs only. To ensure the Vin65 platform applications will work, you will need to either whitelist the wildcard *.vin65.com to approve all URLs or, if wildcards are not permitted, whitelist the list of URLs in use below. Permitting access by IP address is not available, as the IP addresses are dynamic and change frequently.
If your payment gateway is Chase Paymentech, you will need to register all Vin65 outbound IP addresses with Chase to ensure payment transactions will go through. See below for the list of IP addresses to register.
Domains to whitelist
Entire list of URLs to whitelist - if wildcard is not permitted.
North America and all other Regions
Outbound IP addresses. (Required by Chase Paymentech)
184.108.40.206 - added June 13th 2013
220.127.116.11 - added June 13th 2013
18.104.22.168 - added February 16th 2016
22.214.171.124 - added June 21st 2016