At PayWhirl, security is at the heart of what we do everyday. The entire PayWhirl website, including embedded portals, widgets and the API are all served over SSL with TLS 1.2 encryption with a certificate issued by DigiCert (the same SSL provider Stripe, PayPal, IBM, facebook and other reputable companies use).
All credit card and bank related data is tokenized on the client side by secure libraries before being posted to our servers so sensitive data never comes into contact with the backend of our application.
In a nutshell, we use PCI compliant methods to store customer card data directly with your payment gateway (Stripe, Braintree, etc.), so no payment methods are saved on our servers. All credit cards, debit cards and ACH account numbers are tokenized and vaulted directly with your connected gateway, who are all PCI Level 1 certified.
If you inspect any PayWhirl widgets, buttons, or iFrames in your browser you will notice that ALL PayWhirl URLs begin with "https" and this indicates a secure connection with our servers.
Even your custom subdomain (company-name.paywhirl.com), which is used for your your customer portal and other widgets is served over SSL to ensure encrypted communications are always used.
PayWhirl also completes a PCI DSS SAQ A-EP review annually (last completed on 11/11/2018.), which is available upon request. We follow standards set by the PCI Security Standards Council if you'd like to read more about our practices.
PayWhirl's infrastructure is hosted on Amazon Web Services (AWS) and they provide SOC 1, SOC 2 & SOC 3 reports annually, which are also available upon request.
If you have any specific questions or concerns about security please feel free to contact us at anytime!