
Security & PCI Compliance

At Vin65 we take security very seriously, and we ensure that our partners such as Amazon (where our servers are hosted) and our merchant partners handle security properly as well. We adhere to the PCI compliance standards outlined by the PCI Compliance Standards Council for the storing, processing, and transmission of credit card data and cardholder information.

Vin65 regularly performs ongoing [quarterly] 3rd-party PCI compliance scans to maintain PCI compliance and provides clients with the appropriate documents verifying our compliance. The following documents can be downloaded and provided to vendors such as merchant providers/gateways, banking institutions, or PCI scanning vendors.

Vin65's Attestation of Compliance (AOC) and latest quarterly scan:

PCI Latest Quarterly Scan

PCI SAQ-DSP 3.2 Attestation of Compliance (AOC) Signed Document

PCI Attestation of Scan


Security & Compliance FAQs

  1. What is PCI Compliance?
  2. Is Vin65 PCI Compliant?
  3. Do you have signed documents that Vin65 is PCI compliant?
  4. What is a PCI SAQ-D?
  5. How is credit card data handled in Vin65?
  6. How are Vin65's databases secured?
  7. How are Vin65's servers secured?
  8. My PCI Compliance Scan failed, what should I do?
  9. What are Vin65's URLs and IP Addresses?

What is PCI Compliance?

PCI-DSS [Payment Card Industry Data Security Standard] is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. Businesses must perform regular scans to ensure their ongoing adherence to PCI compliance standards. For more information please see the following resources:

PCI Compliance Standards Council: https://www.pcisecuritystandards.org

ComplianceGuide.org: https://www.pcicomplianceguide.org/pci-faqs-2/


Is Vin65 PCI Compliant?

Yes. Vin65 complies with PCI compliance standards. To maintain this compliance, a PCI SAQ-D scan is performed quarterly by a 3rd-party service to validate that the system still meets PCI compliance standards.


Do you have signed documents that Vin65 is PCI compliant?

Yes. You can download our PCI SAQ-D Attestation of Compliance and our latest quarterly scan below.

PCI Latest Quarterly Scan

PCI SAQ-DSP 3.2 Attestation of Compliance (AOC) Signed Document

PCI Attestation of Scan


What is a PCI SAQ-D?

Vin65 uses the PCI Security Council's Self-Assessment Questionnaire (SAQ-D) to ensure that Vin65 systems adhere to the standards set out for PCI compliance. Part of this document is the Attestation of Compliance that your bank or other vendors may require as proof that Vin65 is compliant; this document is available for download at the top of this page.


How is credit card data handled in Vin65?

Credit card data is stored for clubs, recurring transactions, and refunds. Credit card data is encrypted and is never exposed. Vin65 uses the Triple DES [3DES] encryption algorithm for credit cards.

How are Vin65's databases secured?

Vin65's databases sit in a DMZ behind a VPN, which ensures that there is no direct access to our production or staging databases.

How are Vin65's servers secured?

Vin65's servers are hosted on Amazon's cloud-based web services (AWS), which are Level 1 PCI-DSS certified. This means that Amazon's compliance covers all requirements defined by PCI DSS for physical infrastructure service providers where the physical servers are housed.

My PCI Compliance Scan failed, what should I do?

First, review the full scan report sent to you by your PCI compliance scan provider. The most common failure notice, and one that you can address, is a failure due to open TLS 1.0 connections.

What you should know

TLS 1.0 connections are being phased out over the next few years; however, all major eCommerce providers still use these connections for some functions. These connections remain PCI compliant during the transition period if the eCommerce provider has a risk mitigation plan in place. A large share of web users have not yet updated their browsers and continue to use TLS 1.0-only systems.

Existing software and systems have a grace period (until June 30th, 2018) to update their systems as customers and browsers move to newer systems. These open connections can be used by existing software vendors as long as a risk mitigation plan is in place for the transition period.

How can I resolve this on my scan?

During this transition period your scan provider needs to know the steps that your eCommerce provider [Vin65] is taking to provide a secure environment, and that a risk mitigation plan is in place. Please download the document below, modify any bold text, and send it to your scan provider for TLS 1.0 PCI failures.

PCI TLS Connection Risk Mitigation Plan
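Before sending the risk mitigation plan, it is worth confirming for yourself which legacy TLS versions your storefront endpoint actually negotiates, since the scan report is what the mitigation plan answers. The script below is an added example (not part of Vin65's documentation or platform) that probes a host for TLS 1.0 and TLS 1.1 with Python's standard ssl module. It separates "the server refused the version" from "my own OpenSSL build cannot speak that version", so the second case is not misread as a clean result. The host name shop.example.com is a placeholder, and the reason-string matching in classify_ssl_error is an assumption based on OpenSSL's error messages, not something the page states.

```python
"""Probe a storefront endpoint for legacy TLS versions that a PCI scanner flags.

Added example, not Vin65 code. The default host is a placeholder; pass the
endpoint named in your scan report on the command line.
"""
import socket
import ssl
from dataclasses import dataclass

# TLS 1.0 is the version this page discusses; TLS 1.1 is commonly flagged alongside it.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


@dataclass
class ProbeResult:
    host: str
    port: int
    version: str
    outcome: str  # "accepted", "rejected", "unavailable" or "unreachable"
    detail: str = ""


def classify_ssl_error(message: str) -> str:
    """Heuristic (assumption): OpenSSL reports a version it cannot offer itself
    as 'no protocols available' / 'unsupported protocol'; anything else during
    the handshake (e.g. a protocol_version alert) is the server rejecting it."""
    text = message.lower()
    if "no protocols available" in text or "unsupported protocol" in text:
        return "unavailable"
    return "rejected"


def _context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol negotiation is what is being tested here, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it if possible.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_version(host: str, port: int = 443,
                      version: ssl.TLSVersion = ssl.TLSVersion.TLSv1,
                      timeout: float = 5.0) -> ProbeResult:
    """Attempt a handshake pinned to exactly one protocol version."""
    name = version.name
    try:
        ctx = _context_for(version)
    except (ssl.SSLError, ValueError) as exc:
        return ProbeResult(host, port, name, "unavailable", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(host, port, name, "accepted", tls.version() or "")
    except ssl.SSLError as exc:
        return ProbeResult(host, port, name, classify_ssl_error(str(exc)), str(exc))
    except OSError as exc:
        return ProbeResult(host, port, name, "unreachable", str(exc))


def needs_mitigation_plan(results) -> bool:
    """True when any legacy version was actually negotiated by the server."""
    return any(r.outcome == "accepted" for r in results)


def summarize(results) -> str:
    lines = [f"{r.host}:{r.port} {r.version}: {r.outcome}" for r in results]
    lines.append("legacy TLS accepted -> risk mitigation plan applies"
                 if needs_mitigation_plan(results) else "no legacy TLS accepted")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"  # placeholder host
    print(summarize([probe_tls_version(target, version=v) for v in LEGACY_VERSIONS]))
```

Run it as `python probe_tls.py <your-storefront-host>`. An "accepted" line is the condition the scanner reports and the mitigation plan addresses; "rejected" means the server declined that version; "unavailable" means the local OpenSSL could not offer it, so the result says nothing about the server and should be re-run from a machine whose OpenSSL still permits the version.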

 
 

What are Vin65's URLs and IP Addresses?

The Vin65 platform is comprised of several applications, all running on different URLs and IP addresses. The platform is hosted in Amazon's cloud infrastructure and, by design, all IP addresses are dynamic and may change at any time.

If you work for a large company or enterprise, or operate on a shared network, network or internet security may be enforced by restricting access to pre-approved, whitelisted URLs only. To ensure the Vin65 platform applications will work, you will need to either whitelist the wildcard *.vin65.com to approve all URLs or, if wildcards are not permitted, whitelist the list of URLs in use below. Permitting access by IP address is not available, as the IP addresses are dynamic and change frequently.

If your payment gateway is Chase Paymentech, you will need to register all Vin65 outbound IP addresses with Chase to ensure payment transactions will go through. See below for the list of IP addresses to register.

Wildcard domains to whitelist
*.vin65.com

Entire list of URLs to whitelist, if a wildcard is not permitted.

Australian Clients
siteadmin.aus.vin65.com
siteadmin1.aus.vin65.com
siteadmin2.aus.vin65.com
pos.aus.vin65.com
webservices.aus.vin65.com
sftp.aus.vin65.com
 

North America and all other Regions
siteadmin.uswest.vin65.com
siteadmin.uswestvpc.vin65.com
siteadmin20.uswest.vin65.com
siteadmin21.uswest.vin65.com
siteadmin22.uswest.vin65.com
siteadmin23.uswest.vin65.com
siteadmin24.uswest.vin65.com
siteadmin25.uswest.vin65.com
siteadmin26.uswest.vin65.com
siteadmin27.uswest.vin65.com
siteadmin28.uswest.vin65.com
siteadmin29.uswest.vin65.com
siteadmin30.uswest.vin65.com
siteadmin31.uswest.vin65.com
siteadmin32.uswest.vin65.com
pos.vin65.com
pos.uswest.vin65.com
pos.uswest2.vin65.com
webservices.vin65.com
webservices.uswest.vin65.com
sftp.uswest.vin65.com
rms.uswest.vin65.com
rmsshipping.uswest.vin65.com

 

Outbound IP addresses. (Required by Chase Paymentech)
54.241.148.236 - added June 13th 2013
54.241.167.233 - added June 13th 2013
52.36.209.90 - added February 16th 2016
52.41.45.172 - added June 21st 2016
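A practical way to verify that your proxy allowlist covers everything your network actually sends to Vin65 is to replay outbound proxy logs against it. The script below is an added example (not Vin65's code) that checks constructed CONNECT log lines against either the wildcard or an explicit list, using the usual proxy-ACL reading of `*.vin65.com` (any depth of subdomain, never a lookalike such as `vin65.com.example`). The log format and client addresses are invented for illustration; the host names are taken from the lists above. The explicit list here is deliberately a subset of the page's list, so the example also shows what an incomplete allowlist would block.

```python
"""Compare outbound proxy logs with a Vin65 allowlist (wildcard or explicit).

Added example, not Vin65 code. Log lines below are constructed; the
destination host names come from the lists on this page.
"""
from typing import Iterable, List, Optional, Tuple

WILDCARD = "*.vin65.com"

# Deliberately incomplete subset of the page's explicit list, to show what
# an allowlist that misses a host would block.
EXPLICIT_ALLOWLIST = {
    "siteadmin.uswest.vin65.com",
    "pos.uswest.vin65.com",
    "webservices.uswest.vin65.com",
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and strip a :port suffix from CONNECT targets."""
    host = host.strip().lower().rstrip(".")
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def host_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Proxy-ACL semantics: '*.example.com' covers every subdomain depth but not
    the bare domain or a lookalike; any other entry must match exactly."""
    host = normalize_host(host)
    for entry in allowlist:
        entry = normalize_host(entry)
        if entry.startswith("*."):
            suffix = entry[1:]  # e.g. ".vin65.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def parse_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Constructed format: '<timestamp> <client-ip> CONNECT <host:port> <status>'."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "CONNECT":
        return None
    return parts[1], normalize_host(parts[3])


def uncovered_hosts(lines: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Distinct destination hosts in the log that the given allowlist would block."""
    allowlist = list(allowlist)
    missing = set()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and not host_allowed(parsed[1], allowlist):
            missing.add(parsed[1])
    return sorted(missing)


# Constructed sample log: three Vin65 hosts plus one lookalike that must not match.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.20.0.15 CONNECT siteadmin.uswest.vin65.com:443 200
2024-05-01T09:12:09Z 10.20.0.15 CONNECT pos.uswest2.vin65.com:443 200
2024-05-01T09:13:40Z 10.20.0.22 CONNECT webservices.uswest.vin65.com:443 200
2024-05-01T09:14:01Z 10.20.0.22 CONNECT vin65.com.lookalike.example:443 200
""".splitlines()

if __name__ == "__main__":
    print("wildcard leaves uncovered:", uncovered_hosts(SAMPLE_LOG, [WILDCARD]))
    print("explicit list leaves uncovered:", uncovered_hosts(SAMPLE_LOG, EXPLICIT_ALLOWLIST))
```

Against the wildcard only the lookalike host is reported; against the incomplete explicit list `pos.uswest2.vin65.com` is reported as well, which is the kind of gap that shows up as a broken POS or web-service call after a proxy policy change. Replace the sample lines with your own proxy export (adjusting `parse_log_line` to its format) and the explicit set with the full list above.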

 


 
