Security

PCI Compliance

GLASS COMMERCE's payment processing is PCI Compliant. To be PCI Compliant, GLASS COMMERCE never sees (or has access to) card data at all. All payment processing on GLASS COMMERCE is managed by PayPal. PayPal has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry. GLASS COMMERCE uses one of PayPal's recommended payment integrations to collect payment information, which is securely transmitted directly to PayPal without passing through GLASS COMMERCE servers.

To know more about how GLASS COMMERCE uses PayPal for security, click here.

To know more about how PayPal is certified as a PCI Level 1 Service Provider, click here.

Platform Security

Application Security

All of the application infrastructure for GLASS COMMERCE runs on the open-source software CS-CART, entirely hosted on our servers without any third-party access to the code. CS-CART uses hashing algorithms (SHA-256) in password management to strengthen and encrypt sensitive data. It mitigates cross-site scripting (XSS) attacks by escaping data before it reaches client-side code.

To know more about CS-CART security, click here.

Data Security

All data is stored in certified databases managed on-location by authorized GLASS COMMERCE developers, who implement security measures to ensure that data is fetched and delivered with encryption on both sides. The database is backed up periodically, and every transaction and update is made using File Transfer Protocol over secure channels.

Secure Data Transfer

Our extensions and web front-ends are all configured to use the latest TLS version with a valid, signed, domain-specific certificate and a strong set of cryptographic protocols. Our encrypted-by-default philosophy also means that we don't support fall-back to unencrypted communications (e.g. https -> http). Hence, when users visit any webpage on GLASS COMMERCE, it is SSL encrypted with private keys enabled for each session.

Data Classification

We classify data according to its type and sensitivity, and use that classification to define which systems are authorized to access and store different types of data. Data sensitivity is used in the risk assessment process to determine the appropriate level of security controls. Backup and retention of data are defined as part of this process.

People Security

Database Access Controls

Direct access to databases and backups is limited to GLASS COMMERCE developers and executive personnel. Access to sensitive data is limited strictly to people who need it to do their jobs. We review access periodically and offboard people who no longer need access. Each developer has unique credentials and a single-login method is enforced. These databases are only accessible through a GLASS COMMERCE controlled Database Console.

Role-Based Access Control

GLASS COMMERCE employs role-based access controls for servers containing application data. Authorized employees must use individual accounts and authentication credentials to gain access. GLASS COMMERCE controls access to servers and data stores through authentication handled with key-based SSH sessions. We operate on the Principle of Least Privilege, which means access to a system is only granted if absolutely required to serve a legitimate business need. Our employees only have access to the data and systems they need to do their jobs. GLASS COMMERCE requires security awareness training for all employees. GLASS COMMERCE ensures that only authorized personnel can log in and that access is removed in a timely fashion.

User Authentication

GLASS COMMERCE users must authenticate with an email and password. Passwords are stored as cryptographic hashes in the database, and that data is handled by a limited number of GLASS COMMERCE developers. Each login has a limited session lifetime, so when a user is inactive in the account, the session is canceled.

Personnel Security

GLASS COMMERCE has formalized hiring policies and procedures, performance management, and termination practices. Access to company systems is removed as soon as possible once it is no longer needed. GLASS COMMERCE conducts comprehensive pre-hire background checks.

Process Security

Application Development Security

Our developers review secure coding standards applicable to the environments, languages, and platforms they are working in. These standards include ensuring access control of data, sanitizing input/output values, and logging violations that could indicate an attack or vulnerability.

Data Retention

Data we receive from government agencies belongs to them, not to GLASS COMMERCE. Government agencies are able to export their spend data at any time.

Cybersecurity


In addition to the data security, secure data transfer, and data classification measures described above, GLASS COMMERCE has implemented Two-Factor Authentication for admin users and vendors.

Defense against cyber attack

FastComet, our server provider, handles the GLASS COMMERCE cybersecurity capabilities. FastComet uses DNS and DDoS protection, an Artificial Intelligence Firewall, daily automated backups and secure account isolation to protect our website from threats. FastComet has a global defense network that counteracts botnet attacks, exploits, malicious traffic, spam, DNS and HTTP/S DDoS attacks and many other threats, protecting all types of websites while also improving performance.


Last Updated: October 15, 2020.