Security Best Practices and How Recurly Supports You
The Internet and the digital world have brought immeasurable benefits to the world at large and transformed nearly every aspect of how we live and work. Unfortunately, in tandem with this evolution unscrupulous elements have emerged, intent on hacking into systems and stealing data for any number of nefarious ends. No entity is completely safe from the risk of hackers, viruses, malware and other weapons that attempt to compromise our systems.
Recurly would like to take this opportunity to remind our customers about some best practices they should follow to protect their systems and data. And we want to outline what we do to ensure the security of your data and the stability of our systems.
Security and Compliance
Recurly maintains a highly secure environment for our customers. Our environment exceeds the security practices and mandates that are imposed by the payment industry. As a merchant service provider, we are PCI Level 1 and SSAE16 SOC 1 Type 2 compliant. We also maintain a highly available, N+1 redundancy throughout our entire infrastructure stack.
The redundancies we’ve built into our infrastructure meet our customers’ needs for a stable, scalable and secure environment which supports large numbers of transactions, high volumes of customers, and differing levels of business complexity, including those customers in “high-velocity" businesses.
Two-Factor Authentication (2FA)
For enhanced security, Recurly customers have the option of enabling two-factor authentication. In addition to a password, users must supply a verification code which is sent to their cell phone or email. This ensures that only intended users can access their account.
This feature is strongly recommended for users with administrative access to Recurly. We also recommend that our customers institute policies and procedures to regularly review their user lists to confirm who has enabled 2FA and to encourage those who are not using it to do so. This should be done monthly. New-hire procedures should also ensure that anyone given access to Recurly is guided through how to enable 2FA.
To learn more about 2FA, read our documentation.
The ability of Recurly Administrators to setup and manage different user roles and permissions adds another layer of security by granting only the level of access a user needs. The five permission groups are named to reflect the area of the Recurly application to which the user has been given access: Customers, Reports, Configuration & Integrations, Developers, and Admin. Read-Only access to the Customers section of the application is also provided. Recurly recommends that Administrators regularly review and update user permissions to ensure that they reflect up-to-date access needs.
Updated Email Addresses
It’s also a good practice to regularly confirm which email addresses you have associated with your Recurly site and to update these email addresses as needed. This way, you can be sure the right people receive notifications whenever another site administrator makes a key configuration change to your site.
Best Practices for API Keys
Good management of your API keys is another aspect of your organization’s internal security. We recommend the following as best practices:
- Have a policy to review and update your API keys regularly
- For services that do not write data, you should make their API keys read-only to ensure integrity of the data.
- Treat your API keys with the same care you do passwords:
- Do not share your API keys with services you don't trust
- Do not reuse them for different services
- If you discover an API key has been compromised, change it immediately
To learn more about other best practices related to data and integrations, read our blog.
Our Commitment to Security
As custodians of your data, Recurly takes our obligations seriously. Compliance with industry standards and ensuring the security of our customers’ data are critical aspects of how we do business. We know that our customers rely on our platform to support critical aspects of their subscription business, and we are constantly working to make sure that we provide the highest levels of security and stability.
To learn more about Recurly, sign up for a demo below.