Security and Compliance at Finix

Finix is certified as a Level 1 Payment Card Industry Data Security Standards (PCI DSS) compliant Service Provider. This is the most stringent level of security certification available in the payments ecosystem.

As part of our commitment to the Payment Card Industry's Data Security Standards (known as PCI DSS), Finix complies with the annual requirement of an independent data security assessment performed by a Qualified Security Assessor (QSA). Our most recent PCI DSS Attestation of Compliance (AoC) is available by request under a signed non-disclosure agreement with Finix.

Additionally, Finix undergoes regular vulnerability scanning and penetration testing which is performed by an Approved Scanning Vendor (ASV). All material findings are documented, reviewed, and remediated within a timely manner from discovery, per industry-recognized vulnerability remediation timelines.

The guide details the different practices Finix maintains to secure our payments platform.

For more info about PCI DSS Compliance, see our blog post Everything You Need to Know About PCI Compliance.

SOC 2 - Type 2 Compliance

SOC (System and Organization Controls) 2 defines a standardized set of objectives designed for any Software-as-a-Service (SaaS) company that stores, transmits, and/or processes customer data in the cloud.

SOC 2 - Type 2 specifically refers to an auditor’s report that measures the effectiveness of a company’s internal controls over a defined period of time.

Our most recent SOC 2 - Type 2 report, relevant to the domains of security, availability, and confidentiality of data, is available by request under a signed non-disclosure agreement with Finix.

SOC 1 - Type 2 Compliance

Finix’s SOC 1 - Type 2 report provides an independent assessment of our internal controls that are relevant to our customers’ internal controls over their financial reporting.

Our SOC 1 - Type 2 Report covers internal controls in the domains of risk management, logical access, change management, data availability, and data security. This report is available by request under a signed non-disclosure agreement with Finix.

Secure Connections

Finix uses HTTPS (Hypertext Transfer Protocol Secure) connections for all of our services, including our APIs and Dashboard.

Finix's API is designed to reject unencrypted HTTP connections and uses a Transport Security Layer (TLS) and Secure Sockets Layer (SSL) to securely transport and transmit data. TLS and SSL are important as they help prevent payment card details and personally identifiable information (PII) from being exposed while in transit over an internet connection.

Encrypting Sensitive Data

Sensitive data is never rendered in plain-text. All of our customers' sensitive data is encrypted using complex cryptographic algorithms.

Access to encryption keys is restricted to authorized Finix personnel responsible for securing, operating, and maintaining the platform.

Tokenizing Payment Cards

Tokenization is the process of replacing sensitive data, such as credit card numbers, with non-sensitive strings of data that can be authenticated, decrypted, and translated by the provider of the token. When transacting through the Finix Gateway, we tokenize all payment card data and store the actual encrypted card values in our secure PCI DSS compliant server.