Merchant's Data Handling & Security

1. Overview

At Zuato Financial Services, security isn't just a feature—it's the foundation of everything we build. As a licensed payment acquirer handling sensitive financial transactions, we understand that trust is paramount. Your customers trust you with their payment information, and you trust us to handle it securely. This chain of trust is something we take extremely seriously.

Our security program is built on the principle of defense-in-depth, employing multiple layers of security controls to protect against various threat vectors. Every line of code, every system architecture decision, and every operational process is designed with security as the primary consideration—not an afterthought.

Our dedicated security team works around the clock to monitor, detect, and respond to potential threats. We continuously invest in the latest security technologies and regularly engage third-party security experts to validate our defenses through penetration testing and security assessments.

2. Data Handling Philosophy

Our approach to data handling is guided by a simple but powerful principle: minimize data collection and retention. We believe that the best way to protect sensitive data is to not store it in the first place whenever possible.

This philosophy manifests in several key practices:

• Data Minimization: We collect only the data that is absolutely necessary to provide our services. We do not collect or retain any information beyond what is required for transaction processing and regulatory compliance.
• Purpose Limitation: All data collected is used solely for its intended purpose. We do not repurpose data or use it for any secondary purposes without explicit consent.
• Retention Limits: We maintain strict data retention policies, automatically purging data that is no longer needed while ensuring compliance with regulatory requirements for record-keeping.
• Transit-Only Processing: For the most sensitive data, particularly payment card information, we ensure it passes through our systems only in encrypted transit—never stored at rest on our servers.

3. No Card Data Storage

One of the most critical aspects of our security architecture is our policy regarding payment card data: we do not store any card data on our systems. This is a fundamental design decision that significantly reduces security risks and simplifies compliance.

3.1 How It Works

When a customer enters their payment card details through any of our payment solutions (Payment Gateway, POS terminals, ePOS, etc.), the following process occurs:

1. Customer Entry: The customer enters their card details on a secure payment form.
2. Immediate Encryption: Card data is immediately encrypted using TLS 1.3 at the point of capture.
3. Direct Transmission: The encrypted data is transmitted directly to the card networks (Visa, Mastercard, American Express, etc.).
4. Network Processing: The card networks process the transaction with the issuing bank.
5. Response Return: An authorization response is returned through the same secure channel.

Throughout this entire process, card data exists only in encrypted transit. It is never written to disk, never stored in databases, and never retained on any Zuato system.

3.2 Card Network Responsibility

The actual storage and management of card data is handled by the card networks themselves—Visa, Mastercard, and other major networks. These organizations maintain highly secure, purpose-built vaults specifically designed to protect cardholder data. By leveraging their infrastructure, we ensure that sensitive card data is protected by the same organizations that created the security standards for the payment industry.

3.3 Tokenization

For recurring payments and stored card functionality, we use tokenization. Instead of storing actual card numbers, we store tokens—unique identifiers that can be used to process transactions but have no value if stolen. The actual card data remains securely vaulted with the card networks.

4. PII Data Protection

Personally Identifiable Information (PII) encompasses any data that could be used to identify a specific individual. At Zuato, we implement comprehensive measures to protect all PII entrusted to us by our merchants and their customers.

4.1 Types of PII We Process

In the course of providing our payment services, we may process the following types of PII:

• Customer names and contact information
• Billing and shipping addresses
• Email addresses and phone numbers
• Transaction details and purchase history
• Device and browser information for fraud prevention
• IP addresses and geolocation data

4.2 Protection Measures

We implement multiple layers of protection for all PII:

• Encryption at Rest: All PII stored in our databases is encrypted using AES-256 encryption, the same standard used by governments and military organizations worldwide.
• Encryption in Transit: All data transmitted to and from our systems is protected using TLS 1.3, ensuring it cannot be intercepted or read during transmission.
• Access Controls: Strict role-based access controls ensure that only authorized personnel can access PII, and only the minimum necessary for their job functions.
• Audit Logging: All access to PII is logged and monitored. We maintain comprehensive audit trails for compliance and security investigations.
• Data Masking: In non-production environments and logs, PII is masked or pseudonymized to prevent unnecessary exposure.
• Secure Deletion: When PII is no longer needed, it is securely deleted using methods that prevent recovery.

4.3 Data Segregation

We maintain strict segregation of data between merchants. Each merchant's data is logically isolated, ensuring that one merchant cannot access another's customer information. This segregation is enforced at the database level and verified through regular security testing.

5. Encryption Standards

Encryption is the cornerstone of our data protection strategy. We employ industry-leading encryption standards throughout our infrastructure.

5.1 Data in Transit

All data transmitted to and from Zuato systems is encrypted using:

• TLS 1.3: The latest version of Transport Layer Security, providing the strongest protection available for data in transit.
• Perfect Forward Secrecy: Even if encryption keys were compromised in the future, past communications would remain protected.
• Strong Cipher Suites: We only support strong cipher suites, automatically rejecting connections that attempt to use weak or deprecated encryption methods.
• Certificate Pinning: Our mobile applications use certificate pinning to prevent man-in-the-middle attacks.

5.2 Data at Rest

All sensitive data stored on our systems is encrypted using:

• AES-256: Advanced Encryption Standard with 256-bit keys, considered unbreakable by current technology.
• Hardware Security Modules (HSMs): Encryption keys are stored and managed in FIPS 140-2 Level 3 certified HSMs, providing tamper-resistant key protection.
• Key Rotation: Encryption keys are regularly rotated according to industry best practices.
• Envelope Encryption: We use envelope encryption where data encryption keys are themselves encrypted by master keys stored in HSMs.

6. Security Certifications

Zuato maintains the highest levels of security certifications recognized globally in the financial services and information security industries. These certifications demonstrate our commitment to security and are independently verified by accredited auditors.

Our certification portfolio includes:

7. PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for organizations that handle payment card data. Zuato is certified as a PCI DSS Level 1 Service Provider—the highest level of certification available.

7.1 What PCI DSS Level 1 Means

Level 1 is required for service providers that process, store, or transmit more than 300,000 credit card transactions annually. As a Level 1 certified provider, we undergo:

• Annual on-site assessment by a Qualified Security Assessor (QSA)
• Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
• Annual penetration testing
• Continuous compliance monitoring

7.2 PCI DSS Requirements

The PCI DSS consists of 12 core requirements organized into six control objectives. Zuato maintains full compliance with all requirements:

1. Build and Maintain a Secure Network: Installation and maintenance of firewalls; no use of vendor-supplied defaults for passwords and security parameters.
2. Protect Cardholder Data: Protection of stored cardholder data; encryption of transmission of cardholder data across public networks.
3. Maintain a Vulnerability Management Program: Use of regularly updated anti-virus software; development and maintenance of secure systems and applications.
4. Implement Strong Access Control Measures: Restriction of access to cardholder data on a need-to-know basis; unique IDs for each person with computer access; restricted physical access to cardholder data.
5. Regularly Monitor and Test Networks: Tracking and monitoring of all access to network resources and cardholder data; regular testing of security systems and processes.
6. Maintain an Information Security Policy: Maintenance of a policy that addresses information security for all personnel.

8. ISO Certifications

In addition to PCI DSS, we maintain multiple ISO certifications that validate our comprehensive approach to information security, cloud security, and privacy protection.

8.1 ISO 27001 - Information Security Management

ISO 27001 is the international standard for information security management systems (ISMS). This certification demonstrates that we have implemented a systematic approach to managing sensitive company and customer information, including:

• Risk assessment and treatment processes
• Security policy framework
• Asset management controls
• Human resource security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Incident management
• Business continuity management
• Compliance management

8.2 ISO 27017 - Cloud Security Controls

ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. This certification validates that our cloud infrastructure meets international security standards, addressing:

• Shared responsibility models between cloud providers and customers
• Removal and return of cloud service customer assets
• Segregation in virtual computing environments
• Virtual machine hardening
• Administrator operational security
• Monitoring of cloud services

8.3 ISO 27018 - Cloud Privacy Protection

ISO 27018 establishes commonly accepted control objectives and guidelines for protecting Personally Identifiable Information (PII) in public cloud computing environments. Our certification confirms:

• Transparency regarding PII processing
• Consent and choice mechanisms
• Purpose legitimacy and specification
• Data minimization
• Use, retention, and disclosure limitation
• Accuracy and quality
• Openness, transparency, and notice
• Individual participation and access
• Accountability

8.4 ISO 27034 - Application Security

ISO 27034 provides guidance on information security in the design, development, and deployment of application systems. This certification validates our secure software development lifecycle (SDLC) practices:

• Security requirements specification
• Secure coding practices
• Security testing methodologies
• Vulnerability management
• Security in deployment and operations
• Application security controls framework

9. Annual Audits

Security is not a one-time achievement—it's an ongoing commitment that requires continuous vigilance and regular validation. We conduct comprehensive security audits annually during Q4 (October through December) of every year to ensure our certifications remain current and our security posture continuously improves.

9.1 Audit Timeline

Our annual audit cycle follows a structured approach:

• Q1-Q3 (January - September): Continuous security monitoring, vulnerability assessments, internal audits, and implementation of security enhancements throughout the year.
• Q4 - October: Preparation phase including internal pre-audit review, documentation updates, and gap analysis to identify any areas requiring attention.
• Q4 - November: External audit phase where independent third-party auditors conduct comprehensive assessments of all security controls across all certifications.
• Q4 - December: Certification renewal phase where, upon successful completion of audits, all certifications are renewed for the following year.

9.2 Types of Audits Conducted

During our annual audit cycle, we undergo multiple types of assessments:

• PCI DSS Assessment: Conducted by a Qualified Security Assessor (QSA) to validate our compliance with all PCI DSS requirements.
• ISO Certification Audits: Conducted by accredited certification bodies for each ISO standard we maintain.
• Penetration Testing: External security firms attempt to breach our systems using the same techniques employed by malicious actors.
• Vulnerability Assessments: Comprehensive scanning of all systems to identify potential security weaknesses.
• Code Reviews: Security-focused review of application source code to identify potential vulnerabilities.
• Process Audits: Review of operational processes, policies, and procedures to ensure they meet security requirements.

9.3 Audit Reports and Attestations

Upon request, we can provide merchants with:

• PCI DSS Attestation of Compliance (AOC)
• ISO certification documents
• SOC 2 Type II reports (available under NDA)
• Penetration test executive summaries (available under NDA)

10. Banking Regulations Compliance

As a licensed payment service provider operating in the United Arab Emirates, Zuato strictly adheres to all banking regulations and security protocols mandated by financial regulatory authorities. We align our operations with the "Law of the Land"—the comprehensive regulatory framework established by the Central Bank and other governing bodies.

10.1 Central Bank Requirements

We maintain full compliance with UAE Central Bank requirements for payment service providers, including:

• Licensing and Registration: We hold all necessary licenses to operate as a payment service provider in the UAE.
• Capital Adequacy: We maintain capital reserves that meet or exceed regulatory requirements.
• Operational Standards: Our systems and processes comply with the operational standards mandated for payment service providers.
• Reporting Requirements: We submit all required regulatory reports on schedule and maintain comprehensive records for regulatory inspection.
• Consumer Protection: We adhere to all consumer protection requirements, including dispute resolution procedures and fund safeguarding.

10.2 Anti-Money Laundering (AML)

We maintain a comprehensive AML program that includes:

• Customer due diligence (CDD) and enhanced due diligence (EDD) procedures
• Transaction monitoring systems to detect suspicious activity
• Suspicious activity reporting to relevant authorities
• Record keeping in accordance with regulatory requirements
• Staff training on AML obligations and red flag indicators
• Regular independent audits of AML controls

10.3 Know Your Customer (KYC)

Our KYC program ensures that we verify the identity of all merchants before onboarding:

• Verification of business registration and licenses
• Identification and verification of beneficial owners
• Assessment of business nature and risk profile
• Ongoing monitoring of customer activity
• Periodic review and update of customer information

10.4 Sanctions Compliance

We screen all transactions and parties against international sanctions lists including:

• UAE Local Terrorist List
• United Nations Security Council sanctions lists
• US Office of Foreign Assets Control (OFAC) lists
• European Union sanctions lists
• Other applicable national and international sanctions

10.5 Data Localization

We comply with all data residency requirements, ensuring that sensitive data remains within approved jurisdictions as required by local regulations.

11. Infrastructure Security

Our infrastructure is designed with defense-in-depth principles, employing multiple security layers to protect against various threat vectors. From physical data center security to application-level controls, every component is secured.

11.1 Data Center Security

Our systems are hosted in Tier IV certified data centers that provide:

• 99.995% uptime guarantee
• 24/7 security personnel and surveillance
• Biometric access controls
• Mantrap entry systems
• Video monitoring with extended retention
• Environmental controls (fire suppression, climate control)
• Redundant power and cooling systems

11.2 Network Security

Our network architecture incorporates multiple security controls:

• Network Segmentation: Isolated network zones with strict firewall rules between segments
• DDoS Protection: Enterprise-grade DDoS mitigation capable of absorbing massive attacks
• Intrusion Detection/Prevention: AI-powered systems detecting anomalies and potential intrusions
• Web Application Firewall (WAF): Protection against common web application attacks
• VPN for Remote Access: All remote access requires VPN with multi-factor authentication

11.3 Disaster Recovery

We maintain comprehensive business continuity and disaster recovery capabilities:

• Real-time data replication across multiple geographic locations
• Recovery Time Objective (RTO) of 4 hours for critical systems
• Recovery Point Objective (RPO) of 1 hour for critical data
• Regular disaster recovery testing and drills
• Documented and tested business continuity plans

12. Access Controls

We implement strict access controls to ensure that only authorized individuals can access sensitive systems and data, and only to the extent necessary for their job functions.

12.1 Principle of Least Privilege

All access is granted based on the principle of least privilege—employees receive only the minimum access rights necessary to perform their job functions. Access rights are regularly reviewed and revoked when no longer needed.

12.2 Multi-Factor Authentication

All access to sensitive systems requires multi-factor authentication (MFA). We support:

• Hardware security tokens (FIDO2/WebAuthn)
• Time-based one-time passwords (TOTP)
• Push notifications to authenticated devices
• Biometric authentication where appropriate

12.3 Access Reviews

We conduct regular access reviews:

• Quarterly review of all privileged access
• Annual review of all user access
• Immediate revocation upon employment termination
• Automatic access review triggered by role changes

12.4 Audit Logging

All access to sensitive systems and data is logged with:

• User identification
• Timestamp
• Actions performed
• Data accessed
• Source IP address and device information

Logs are protected from tampering and retained in accordance with regulatory requirements.

13. Monitoring & Detection

Our Security Operations Center (SOC) monitors all systems 24 hours a day, 7 days a week, 365 days a year. We employ advanced monitoring and detection capabilities to identify and respond to potential security threats in real-time.

13.1 Security Information and Event Management (SIEM)

Our SIEM platform aggregates and analyzes security events from across our infrastructure:

• Real-time correlation of security events
• Automated alerting on suspicious activities
• Machine learning-based anomaly detection
• Integration with threat intelligence feeds

13.2 Continuous Vulnerability Management

We maintain a continuous vulnerability management program:

• Daily automated vulnerability scanning of all systems
• Weekly review of new vulnerabilities and patches
• Risk-based prioritization of remediation efforts
• Tracking of remediation progress and SLA compliance

13.3 Threat Intelligence

We subscribe to and participate in multiple threat intelligence programs:

• Industry-specific threat intelligence sharing (FS-ISAC)
• Commercial threat intelligence feeds
• Government and law enforcement advisories
• Card network security bulletins

14. Incident Response

Despite our best preventive efforts, security incidents can occur. We maintain a comprehensive incident response program to ensure rapid detection, containment, and recovery from any security incident.

14.1 Incident Response Team

We maintain a dedicated Incident Response Team (IRT) that includes:

• Security analysts and engineers
• System administrators
• Legal and compliance representatives
• Communications specialists
• Executive leadership

14.2 Response Process

Our incident response process follows industry best practices:

1. Detection & Identification: Rapid identification of potential security incidents through monitoring and alerting systems.
2. Containment: Immediate steps to contain the incident and prevent further damage.
3. Eradication: Removal of the threat from affected systems.
4. Recovery: Restoration of systems to normal operation.
5. Post-Incident Review: Analysis of the incident to identify lessons learned and improvements.

14.3 Communication

In the event of a security incident that affects our merchants or their customers, we will:

• Notify affected parties as quickly as possible and in accordance with regulatory requirements
• Provide regular updates on the status of the incident and remediation efforts
• Cooperate with any investigations by relevant authorities
• Provide guidance on steps affected parties should take

15. Merchant Security Recommendations

While we maintain robust security on our end, security is a shared responsibility. We encourage all our merchants to implement strong security practices to protect their businesses and customers.

15.1 Account Security

• Enable multi-factor authentication on your Zuato merchant dashboard
• Use strong, unique passwords for your account
• Regularly review and audit user access to your merchant account
• Immediately revoke access for former employees
• Monitor your account for any unauthorized activity

15.2 API Security

• Never expose API keys in client-side code or public repositories
• Rotate API keys periodically and immediately if you suspect compromise
• Use separate API keys for production and testing environments
• Implement IP whitelisting where possible
• Always verify webhook signatures

15.3 PCI Compliance

Even when using our hosted payment solutions, merchants should:

• Complete their annual PCI SAQ (Self-Assessment Questionnaire)
• Ensure their website uses HTTPS
• Never log or store full card numbers
• Train staff on payment security best practices

15.4 Fraud Prevention

• Enable 3D Secure for online transactions
• Set up alerts for unusual transaction patterns
• Review transactions flagged by our fraud detection systems
• Implement velocity checks and transaction limits

16. Reporting Security Issues

We take all security reports seriously. If you've discovered a potential security vulnerability or have concerns about the security of our services, please contact us immediately.

16.1 How to Report

You can report security issues through the following channels:

• Security Email: security@zuato.com - for reporting vulnerabilities and security concerns
• General Email: info@zuato.com - for general security inquiries
• 24/7 Security Hotline: Available through your merchant dashboard for urgent security matters

16.2 What to Include

When reporting a security issue, please include:

• Description of the issue or vulnerability
• Steps to reproduce (if applicable)
• Potential impact assessment
• Any supporting evidence (screenshots, logs, etc.)
• Your contact information for follow-up

16.3 Responsible Disclosure

We appreciate security researchers who help us maintain the security of our platform. If you discover a vulnerability:

• Please report it to us before any public disclosure
• Give us reasonable time to investigate and address the issue
• Do not access or modify data belonging to others
• Do not perform any actions that could harm our users or systems

16.4 Response Commitment

We commit to:

• Acknowledge receipt of your report within 24 hours
• Provide an initial assessment within 72 hours
• Keep you informed of our progress
• Notify you when the issue has been resolved

17. Contact Information

For questions about our security practices, to request compliance documentation, or to report security concerns, please contact us:

For documentation requests such as PCI DSS Attestation of Compliance, ISO certificates, or SOC 2 reports, please contact your account manager or email compliance@zuato.com.