For secure payment we use Braintree by PayPal.
Prohibited Data Storage
Braintree never store raw magnetic stripe, card validation code (CAV2, CID, CVC2, CVV2), or PIN block data. Storage of this data is prohibited by the PCI DSS.
Cardholder data is stored using one of the most advanced encryption methods available. Braintree uses multiple encryption keys which are stored on different physical servers. A data thief would not be able to make use of information stolen from a database without also having the key. The data store where cardholder data is kept cannot be connected to via the internet.
Authentication and Session Management
Braintree requires all users to authenticate each time they use the application and inactive sessions time out after 15 minutes. Passwords are never stored directly in the database, but are salted and hashed using a slow hash function to increase security. In addition, all communication between merchants and Braintree is conducted in a secure fashion using TLS (Transport Layer Security).
Braintree has high redundancy onsite and offsite. Onsite data is mirrored on individual servers using RAID and is also hot synced between servers. Data is also encrypted and backed up off site with an undisclosed third party.
All activity by Braintree’s users or internally by their employees is extensively logged in a tamper-proof fashion. In addition to having a Web Application Firewall, Braintree engages in the practice of extensive internal code reviews of all the software which they develop.
At least quarterly, Braintree conducts automated vulnerability scans. In addition, at least once a year, Braintree has extended external penetration testing conducted by outside sources.