Security Policy for Credit Card Data Transmission
Version: 1.1 | Last updated: July 1, 2025
1. Purpose
To protect the confidentiality and integrity of credit and debit card information processed on CariBid, from the moment the user enters it until the transaction is settled by our payment provider.
2. Scope
Applies to all payment operations conducted on CariBid domains (production and testing environments), including public auctions, private auctions, and batch transactions.
3. Security Controls Implemented
| Layer | Measure | Practical Application |
|---|---|---|
| Transport | TLS 1.3 + mTLS | All data travels encrypted; our APIs mutually authenticate with the payment provider. |
| Tokenization | Gateway secure vault | The PAN is converted to a non-reversible token; future charges are made only with that token. |
| No PAN/CVC storage | Volatile memory | Sensitive data is discarded upon operation completion; not stored on disk, databases, or logs. |
| Authentication | JWT + Internal MFA | Each backend invocation carries a signed JWT; staff requires MFA and explicit role assignment. |
| Validation | Luhn algorithm and business rules | PAN structure and field coherence verified before any transmission. |
| 3-D Secure | Verified by Visa & Mastercard ID Check | Flow enabled and logos displayed on Home, Security Policy, and Checkout according to brand guidelines. |
| Continuous monitoring | 24/7 SIEM | Detects fraud patterns, unusual geographies, and excessive attempts. |
| Auditable records | No sensitive data | Only tokens, last 4 card digits, and necessary metadata are stored. |
4. Regulatory Compliance
- PCI DSS 4.0 aligned design: Architecture and processes built to comply with the 12 requirements; formal certification is in progress.
- Quarterly ASV scans and annual external penetration testing.
- GDPR and Law 172-13 (DR): Rights of access, rectification, portability, and deletion guaranteed.
- 3-D Secure 2.2: Strong cardholder authentication according to EMVCo.
5. User Responsibilities
- Keep your credentials secret and activate 2FA when available.
- Make payments from trusted devices and networks.
- Immediately notify any suspicious activity.
6. Incident Management
- Immediate detection and containment through automated alerts.
- Notification to affected users, issuing bank, and regulators according to regulations.
- Forensic analysis without interrupting active auctions.
- Post-mortem report and corrective actions.
7. Policy Updates
This policy is reviewed at least every six months or upon significant regulatory/technological changes. The current version is always published in the "Security Policies" section of our site.
8. Security Contact
Dedicated email: security@caribid.com
9. Acceptance
By using CariBid services, you acknowledge and accept this Security Policy, as well as your commitment to follow the best practices described herein to protect your financial information.