Stax Compliance and Risk Management Practices

Learn how Stax approaches security and risk management, and view our currently held compliance certifications and attestations.

PCI-DSS 3.2

Stax has a PCI Service Provider Attestation of Compliance, and Stax helps you meet the PCI-DSS requirements.

This enables customers to use Stax as a supporting system for PCI compliance.

Control Environment

The Stax Control Environment is governed by an organizational structure that is divided into individual business functions and led by an independent Board of Directors. Employees operate in accordance with a Code of Conduct, and Human Resource processes are in place to acquire, retain and reward Stax personnel.

Communication and Information

Stax adopts a transparent and detailed communication and information process. Internally, all organization objectives, strategic direction, policies and other topics of importance are communicated to employees regularly by the Board of Directors and senior management. Information is stored and made available for general use by personnel. With regard to the Stax product, multiple channels are available for customer communication, incident management and commercial discussions.

Risk Assessment

Stax undertakes regular risk assessments which are reviewed and approved by the Board of Directors and senior management. Risk appetite is determined at the executive level and a risk framework is in place to detect, report on and remediate risk. Similarly, security controls and training are utilized as protective mechanisms against the risk of unauthorized access as well as internal and external fraud.

Monitoring of Controls

Vulnerability management and monitoring processes are embedded within Stax to ensure products, services and devices are compliant and secure. Vulnerability scanning is conducted regularly, penetration testing is performed annually, and segmentation testing is performed every six months. Remediation of vulnerabilities is performed in accordance with the Stax Incident Response Plan. Senior management and the Board of Directors are notified of critical incidents when appropriate via internal communication channels.

Control Activities

Stax has established control activities relating to the mitigation of risk and the management of technology, both of which are enforced by policies and procedures that Stax personnel follow. Policies and procedures ensure capacity, Service Level Agreements and security incidents are managed in line with business and customer expectations from a legal and contractually binding standpoint.

Logical and Physical Access Controls

Stax infrastructure is hosted by AWS, and logical access to these environments is restricted to authorized personnel. The data in these environments is encrypted and audited using AWS native services. Internally, Stax uses a Zero Trust Network solution that incorporates Endpoint Detection and Response, Vulnerability and Patch Management, Multi-factor authentication and micro-segmented Network Access Control. Onboarding and offboarding of personnel and their devices are undertaken in accordance with a defined set of policies and procedures.

System Operations

Operational procedures and monitoring tools detect and alert on configuration changes, malicious activity, and vulnerabilities within the Stax environment. The Stax Security Incident Response Policy ensures that the appropriate incident response activities occur in case of an incident and that the appropriate personnel are notified.

Change Management

Stax adheres to an agile change management process that encompasses the entire development and release lifecycle. Change is subject to quality assurance, peer review and approval before being released into production. All change is documented and prioritized based on capacity, necessity, and strategic direction.

Risk Mitigation

Stax utilizes risk mitigation strategies for any risk that is identified under the Stax risk framework. The security posture of third-party vendors and services is scrutinized to ensure Stax is not subjected to external vulnerabilities. A risk assessment is performed annually.

Additional Controls for Availability

Stax leverages AWS services to provide high availability for the Stax product. Further to this, Stax performs nightly automated snapshots of core databases and 24x7 monitoring is in place to ensure any degradation of system performance is detected and remediated as early as possible. Stax maintains an incident response procedure that personnel follow in the event of an incident.

Additional Controls for Privacy & Confidentiality

Due to the nature of the Stax environment, Privacy & Confidentiality controls are expected to be employed by the customer. Stax does not access private or confidential customer data, outside of the data stipulated within the Stax Privacy Policy. It is the customer's responsibility to securely store, transmit and manage their data within the Stax environment.

Acknowledgement of PCI Service Provider Responsibilities

As a PCI-DSS service provider, the Stax team acknowledges our shared responsibility to the extent that it could impact the security of the customer’s cardholder data environment. For further information please consult the Stax PCI Responsibility Matrix.