B2B2C ecommerce platform with SOC2 compliance

PCI Compliance 

eComchain is a platform that integrates with various payment solutions and credit card platforms. Hence to reduce the risk of debit and credit card data losses due to potential data breaches, PCI compliance is of utmost importance to provide a secondary layer of protection for both our payment merchants and cardholders. eComchain’s clients from various industry verticals ranging from manufacturing to retail gain their confidence on the platform through its professional security coverage with AlertLogic that provides intrusion detection system and lock management.

The Payment Card Industry (PCI) data security standard and its associated compliance artifacts provided through eComchain’s AlertLogic dashboard safeguards any kind of online transactions, protecting them against identity thefts. The various components of the PCI compliance to guard the public facing applications against all the payment threats and vulnerabilities include:

• Web Application Firewall (WAF) deployments securing all the traffics and incidents with various levels of logging through root or administrative privileges
• Validation of logical access attempts and enhanced authentication mechanisms
• Verification of all monitoring based audit logs, creation and deletion of system level objects
• Timely detection and reporting of critical security control system failures

The PCI vulnerability scans are performed to verify that all the “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability rankings. These vulnerability reports are also officially assessed every quarter by qualified personnel as a part of eComchain’s System and Organization Controls (SOC) compliance. AlertLogic attests that the eComchain PCI scan process follows a strict manual or automated quality assurance process with customer boarding and scoping practices and review of results for anomalies, and review and correction of disputed/incomplete results and false positives. It also includes compensating controls (wherever applicable) and active scan interference.

PCI scans can be performed on a need basis on eComchain’s AlertLogic dashboard by pointing the scan-end-point to the required IP address. This is very useful to make sure that the platform hosting the required client storefront remains PCI compliant at all times irrespective of any new changes, patches or updates to the system or the website.

 

SOC 2 Type 2 Compliance

eComchain is a one stop B2B2C eCommerce platform with various pre-integrated components for payments, shipping, backend ERP etc. With so many moving parts and multiple layers of options for integrations and customizations on the same platform, it becomes equally important to elevate our clients’ confidence by safeguarding their data with essential System and Organization Controls (SOC) compliance.

eComchain successfully completed its SOC 2 Type 2 readiness assessment through an external auditor ‘A-Lign’ during Q1 2020 for its eCommerce SaaS cloud services in accordance with the 2017 Trust Services Criteria (TSP Section 100) regarding common criteria/Security. This was performed with a view to showcase eComchain’s capability to securely manage the client’s data and its privacy, thereby protecting the organizational interests.

One of the main components of the SOC2 Compliance for Security is the ability of any organization to meticulously analyze its platform’s vulnerability scans for avoiding, mitigating, transferring and accepting the risk posed by any identified vulnerabilities. This is called the Center for Internet Security (CIS) benchmark for baselining the best practices for securely configuring a system. In the case of eComchain, this is being successfully followed and 100% compliant on the Amazon Web Services (AWS) server platform on which eComchain is hosted. The CIS scans are run regularly on the eComchain environment for scanning through the various system security components including Identity and Access (IAM), logging, monitoring and networking.

 

Other core components of the SOC2 Compliance includes access control, system operations, third party incidents, risk, data management, organizational management and change management.

SOC 2 Type 2 compliance process has helped eComchain to significantly distinguish itself from its eCommerce competitors in the market by effectively assessing the design of the platform’s internal controls supporting the eCommerce services and proactively redesigning the organizational policies, controls and procedures towards achieving a truly secure and compliant eCommerce platform.