Security & PCI Compliance
At WineDirect we take security very seriously and are pleased to announce the achievement of Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level 1 Compliance. Level 1 is the most stringent compliance level for the safe handling of credit cardholder data. We also ensure that our partners, such as Amazon (which hosts our servers) and our merchant partners, handle security properly as well. We adhere to the standards published by the PCI Security Standards Council for the storage, processing, and transmission of credit card data and cardholder information.
WineDirect has quarterly third-party PCI compliance scans performed on an ongoing basis to maintain PCI compliance and can provide clients with the appropriate documents verifying our compliance.
PCI-DSS [Payment Card Industry Data Security Standard] is the global data security standard that a business of any size must adhere to in order to accept payment cards and to store, process, and/or transmit cardholder data. Businesses must perform regular scans to demonstrate their ongoing adherence to the standard. For more information please see the following resources:
PCI Security Standards Council: https://www.pcisecuritystandards.org
At WineDirect, we take security very seriously and are pleased to announce the achievement of Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level 1 Compliance. Level 1 is the most stringent compliance level for the safe handling of credit cardholder data. Our Attestation of Compliance (AOC) was issued after a rigorous eight-month audit process. You can rest easy knowing WineDirect meets the same expectations as platforms such as Shopify and BigCommerce.
Yes. You can request these documents by emailing email@example.com
Credit card data is stored for clubs, recurring transactions, and refunds. Stored card data is encrypted and is never exposed in the clear. WineDirect uses the Triple DES [3DES] encryption algorithm for credit cards. Note that NIST has deprecated Triple DES (TDEA) in SP 800-131A Rev. 2, permitting it for encryption only through 2023, and PCI DSS defers to NIST guidance for its definition of strong cryptography; AES is the current recommendation for encrypting stored cardholder data.
WineDirect's databases are in a DMZ that is reachable only over a VPN, so there is no direct access to our production or staging databases from the internet.
WineDirect's servers are hosted on Amazon Web Services (AWS), which is PCI DSS Level 1 certified. Amazon's compliance covers the PCI DSS requirements that fall on the physical infrastructure service provider: the data centers, hardware, and underlying network where the servers are housed. Requirements that apply to the WineDirect application itself and to how it handles cardholder data remain WineDirect's responsibility and are covered by WineDirect's own Level 1 assessment.
First review the full scan report that was sent to you by your PCI compliance scan provider. The most common failure notice, and one that you can address, is a finding that the platform still accepts TLS 1.0 connections.
What you should know
TLS 1.0 is being phased out over the next few years, but all major eCommerce providers still accept it for some functions. Under the PCI SSC's migration guidance, accepting TLS 1.0 remains compliant during the transition period provided the eCommerce provider has a documented risk mitigation and migration plan in place. A large share of web users have not yet updated their browsers and can still only negotiate TLS 1.0.
Existing software and systems have until the PCI SSC migration deadline of June 30th, 2018 to move to TLS 1.1 or higher (TLS 1.2 is recommended) while customers and browser vendors update. Until that date, existing software vendors may keep accepting TLS 1.0 connections as long as a risk mitigation plan is in place for the transition period.
How can I resolve this on my scan?
During this transition period your scan provider needs to know what steps your eCommerce provider [WineDirect] is taking to provide a secure environment and that a risk mitigation plan is in place. Download the document below, modify any bold text, and send it to your scan provider in response to TLS 1.0 PCI failures.
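Before sending the mitigation letter, it is worth confirming for yourself which protocol versions the scanned host actually negotiates, so you know whether the finding really is TLS 1.0 acceptance. The script below is an added example written for this page, not WineDirect's code or tooling; it uses only Python's standard ssl module and pins one protocol version per handshake, so each result answers exactly one question. Host and port are supplied on the command line, and the target is assumed to be the storefront host named in your scan report.

```python
import socket
import ssl
import sys

# TLS versions a PCI ASV scan reports on, oldest first.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# "Early TLS" in PCI SSC terms: the versions the June 30, 2018 deadline applies to.
LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns True if the server completed it, False if the server refused it
    (or nothing answered), and None if this client's OpenSSL cannot offer that
    version at all, in which case the result says nothing about the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not certificate validity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 rejects the MD5/SHA-1 handshake signatures of TLS 1.0/1.1 at
            # its default security level; lower it so a failure reflects the server,
            # not this client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # wrap_socket on an already-connected socket performs the handshake here.
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:
        # ssl.SSLError, ConnectionRefusedError and socket.timeout are all OSError.
        return False


def scan_host(host, port=443):
    """Probe every version in VERSIONS; keys are the ssl.TLSVersion names."""
    return {v.name: probe_tls_version(host, port, v) for v in VERSIONS}


def legacy_tls_offered(results):
    """True if a TLS 1.0 or 1.1 handshake completed: the condition an ASV scan
    reports as a failure once the migration deadline has passed."""
    return any(results.get(name) is True for name in LEGACY_VERSIONS)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py HOST [PORT]")
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = scan_host(target, port)
    for name, offered in results.items():
        state = {True: "offered", False: "refused", None: "untestable from this client"}[offered]
        print(f"{target}:{port} {name:8s} {state}")
    print("legacy TLS offered:", legacy_tls_offered(results))
```

A None result is worth watching for: a client whose OpenSSL has TLS 1.0 compiled out will never complete a TLS 1.0 handshake, and treating that as "the server refuses TLS 1.0" would be the wrong conclusion. Run it from a host that can still offer the legacy version, or compare against your scan provider's report.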
The WineDirect platform is comprised of several applications, each running on different URLs and IP addresses. The platform is hosted in Amazon's cloud infrastructure and by design all IP addresses are dynamic and may change at any time.
If you work for a large company or enterprise, or operate on a shared network, network or internet security may be enforced by restricting access to pre-approved, whitelisted URLs only. To ensure the WineDirect platform applications will work, you will need either to whitelist the wildcard *.vin65.com, which approves all of our URLs, or, if wildcards are not permitted, to whitelist the full list of URLs in use below. Permitting access by IP address is not an option, because the IP addresses are dynamic and change frequently.
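A proxy or firewall rule that is meant to honour *.vin65.com is only as good as its matching logic: a substring match on the URL string also admits evilvin65.com and https://www.vin65.com@attacker.example/. The code below is an added example, not WineDirect's code or any particular proxy's, showing how such a whitelist check should be written: parse the URL, take the hostname, and match the wildcard on a label boundary. The second allowlist entry, storefront.example, is a placeholder; the real entries are the URLs listed on this page.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration: the wildcard is the one this page names;
# "storefront.example" is a placeholder, not an entry from WineDirect's list.
ALLOWLIST = ["*.vin65.com", "storefront.example"]


def host_allowed(hostname, patterns):
    """Match a hostname against exact entries and leading-wildcard entries.

    '*.vin65.com' matches any hostname with at least one label in front of
    '.vin65.com'. It does not match the apex 'vin65.com' itself (list that
    explicitly if it is needed) and, because the comparison includes the
    leading dot, it does not match look-alikes such as 'evilvin65.com'.
    """
    host = hostname.lower().rstrip(".")  # normalise case and a trailing dot
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.vin65.com" -> ".vin65.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def url_allowed(url, patterns):
    """Decide on the parsed hostname, never on the raw URL string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_allowed(parts.hostname, patterns)


def naive_url_allowed(url, patterns):
    """The common mistake: substring matching on the raw URL. Included only to
    show what it lets through; do not use it."""
    return any(pattern.lstrip("*.") in url for pattern in patterns)


if __name__ == "__main__":
    # Constructed probes: one legitimate storefront URL and three evasion attempts.
    for candidate in (
        "https://shop.vin65.com/checkout",
        "https://evilvin65.com/",
        "https://www.vin65.com.attacker.example/",
        "https://www.vin65.com@attacker.example/",
    ):
        print(f"{candidate:45s} strict={url_allowed(candidate, ALLOWLIST)!s:5s} "
              f"naive={naive_url_allowed(candidate, ALLOWLIST)}")
```

The same label-boundary rule applies when the whitelist lives in a proxy configuration rather than code: check how your product interprets a leading wildcard (some treat a bare ".vin65.com" as including the apex, some do not) and test it with a look-alike domain before relying on it.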
If your payment gateway is Chase Paymentech, you will need to register all WineDirect outbound IP addresses with Chase to ensure payment transactions will go through. See below for the list of IP addresses to register.
Domains to whitelist
Entire list of URLs to whitelist - if wildcard is not permitted.
North America and all other Regions
Outbound IP addresses (required by Chase Paymentech)
188.8.131.52 - added June 13th 2013
184.108.40.206 - added June 13th 2013
220.127.116.11 - added February 16th 2016
18.104.22.168 - added June 21st 2016