Security, compliance and data protection
At Edenred, technology is an important part of our business. As we continue to improve and expand our products and services, our security procedures are more important than ever.
PCI and SOC 2 Type II
Edenred complies with the highest standards of data protection in the world.
PCI
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands.
Edenred is a PCI-certified company with the highest standard of controls and certified procedures for cardholder data.
SOC 2 Type II
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing and transfer of data.
Edenred operations and procedures are audited regularly to ensure Edenred meets and exceeds all standards expected of service providers. We are compliant with SOC 2 to ensure your data is protected, available and secure.
Edenred complies with the California Consumer Privacy Act and GDPL
Learn more about Edenred’s corporate security practices
Network device management
Edenred IT staff owns and is responsible for the network infrastructure, including all developmental activities as well as enhancements to the infrastructure. Designated employees of Edenred IT staff are the only individuals authorized to connect network devices to, or disconnect them from, the network. Users do not extend or re-transmit network services in any way. This means users do not install routers, switches, hubs, or wireless access points on the network without Edenred IT Management approval.
To properly diagnose network problems, avoid duplicate addresses, etc., Edenred IT staff are responsible for and administer connection-related protocols for all devices on the network. In addition to registering all workstations, any devices that connect to the network such as laptops, printers, hubs, or instruments are registered. Conversely, Edenred IT staff is aware when networked devices are removed from service so their registrations can be cancelled.
Software development life cycle procedure
Managing sensitive information in our system
- During the project initiation phase, Edenred identifies all the sensitive information, e.g. credit card information, ACH information, debit card information.
- Edenred establishes processes to store the sensitive data encrypted.
- Edenred establishes processes to securely transmit sensitive information.
- Edenred establishes processes to grant access to secure information.
- Edenred’s Information Security Manager and the Chief Information Officer review/approve all processes.
Code compilation
Code is compiled using the .NET Framework, with the warning level set to the highest standards.
Security awareness and training
The security and stability of the information systems are vital to daily operations. An awareness and training program for all staff is critical to achieving and maintaining an effective information security capability. Information security awareness, training, and education improve employee behavior and accountability, and reduce the risk of unauthorized activity.
All employees and contractors complete Information Security training upon hire and subsequently at least annually. The Information Security training required for all employees and contractors covers identification and reporting of suspicious activities relative to incident response.
All employees sign an agreement stating that they understand all Edenred Information Security Policies, including the Edenred Acceptable Use Policy, and that they shall abide by them. This training is completed prior to any user being granted access to any information system. Users undergo security awareness training prior to being granted access in any capacity to PII, PHI and/or CHD.
All information security training activities are adequately documented, and individual training records are retained for at least three years.
Information protection and flow
Information systems storing, processing, or serving confidential data as defined by the Information Classification, Labeling and Handling Policy are secured with logical and physical access controls. Physical access controls are used to restrict access to hardcopy internal and confidential information.
Logical access to electronic information is granted only with written approval by the employee’s are used to restrict physical access to information systems storing confidential information including restricting physical access to the office facility itself.
Hardcopy information classified as confidential is protected by physical access controls for the office facility. Confidential information is stored in locked cabinets when not in use, especially outside of office hours. Locked offices do not provide sufficient protection as cleaning and/or facilities maintenance staff may have access to locked offices. Confidential information is not copied or faxed from equipment not owned and/or operated by Edenred.
Vulnerability and patch management
Due to the importance of the confidentiality, integrity, and availability of Edenred systems and information, all Edenred IT staff are proactive in implementing security measures designed to reduce any risks that might result in impaired productivity, increased costs, or damage to its business reputation due to malfunctioning system components or system components with security vulnerabilities. To ensure the security of the network and protect Edenred’s data, all computers and network devices are maintained at vendor-supported levels and critical security patches are applied in a timely manner consistent with an assessment of risk.