Encryption
The SECC Texas Giving security model is based on web standards for e-commerce and online transaction applications. Every page on SECC Texas Giving is encrypted by Amazon with a 256-bit browser-to-server encryption level. Sensitive information such as social security numbers and private employee identification numbers is further encrypted in the database, rendering the information useless to would-be hackers. Sensitive information is held on the web servers only so long as it is needed and is then permanently deleted during the workflow process. SECC Texas Giving employs the NSA-approved AES 256-bit encryption, which is used for top secret materials. Because SECC Texas Giving uses a strong cipher key, something random and not prone to dictionary attacks, the possibility of decrypting AES 256 material is 1 in 1.1579209e+77 combinations (that is 70,000,000,000,000,000,000,000,000 times more combinations than there are atoms on planet earth). AES 256-bit encryption is considered unbeatable and is the industry standard.

Credit Card Security
SECC Texas Giving does not store or house any credit card information. SECC Texas Giving is PCI compliant and has active site monitoring through a trusted third-party PCI auditing firm, which reports the changes required to maintain PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

In order to maintain PCI compliance, GivingNexus.org undergoes quarterly audits by Alert Logic. Alert Logic mimics actions taken by would-be hackers and tests for possible personal information access, links to dangerous sites, technical vulnerabilities, phishing, and other online dangers.

Physical Security
If a thief or hacker can gain physical access to a server, there is no way to stop them from gaining access to the information housed on the server. Likewise, natural disasters and power failures can cause severe interruptions to service as well as data corruption. To that end, SECC Texas Giving is hosted at Amazon Web Services. The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today.
In addition to facility security and encryption, best practices regarding information flow and process help to ensure data security. Sensitive information is wiped from the system once donations have been processed. Social security numbers are not stored on an ongoing basis. Daily backups are housed on site within the secured facility. Physical backups are kept off-site in fireproof lock boxes within a secure facility (security guard, video surveillance, etc.).

Web Application Design
The web application framework is based on a custom modular framework. The custom nature of the framework not only allows for flexibility of design and implementation but also obfuscates security holes that propagate quickly on ubiquitous frameworks (this is one reason why Windows and Internet Explorer are so readily and easily exploited).
All critical data paths are secured, and critical form data submissions are handled by encrypted POST rather than GET. In some areas POST data is further encrypted or serialized/encrypted before being passed page to page within a session. Data interception would yield no usable information.
