ShowClix Security Guide

PCI Compliance and Payment Handling

  • Compliant with PCI-DSS 3.2.1 Level 1 as both a Merchant and a Service Provider.
  • Registered with both Visa and MasterCard as a PCI-compliant Service Provider.
  • Annually audited by a Qualified Security Assessor (BDO USA, LLP).
  • Passes internal and external application and network penetration testing performed by Cadre.
  • Scanned daily by an Approved Scanning Vendor (ASV), Tenable.io.
  • PCI Attestation of Compliance (AOC) and Quarterly Scan Attestation of Compliance are both available upon request.
  • Credit card data are never stored by ShowClix.
  • Where possible, ShowClix uses credit card tokenization to minimize risk related to cardholder data.
  • ShowClix provides organizers with the ability to opt into using EMV with point-to-point encryption (P2PE) for payment processing.

Privacy

  • We do not sell personal information of our customers to third parties.
  • We have a full time staff focused on privacy and security issues.
  • We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
  • ShowClix processes user personal data in accordance with GDPR’s data protection principles and has appointed a Data Protection Officer to oversee our GDPR compliance.
  • You can find our privacy policy at: https://www.showclix.com/privacy.

Hosting Environment

  • ShowClix uses carrier-grade data centers that meet the following certifications:
    • PCI-DSS Level 1 Service Provider
    • SOC 1 Type II and SOC 2 Type II
    • ISO 27001

Software Development

  • All ShowClix software engineers receive software security training that covers security best practices, including the OWASP Top Ten and mobile security best practices.
  • ShowClix uses static code analysis tools to analyze code for security vulnerabilities.
  • All ShowClix source code is developed in accordance with a standard SDLC process that includes:
    • A software and security code review before being shipped to production.
    • Running through a continuous integration test suite.
    • Manual QA testing.

Encryption

  • All web traffic is encrypted by TLS 1.2 or greater.
  • ShowClix follows NIST recommendations for hashing, symmetric and asymmetric encryption.

Organization

  • All staff regularly receive security training from trained professionals and must pass security quizzes testing their security awareness.
  • All staff regularly receive simulated phishing tests.
  • All staff must sign off on security and acceptable use policies and procedures.
  • All staff are subject to detailed background checks.

Responsible Disclosure

  • If you discover a vulnerability, ShowClix requests that you responsibly disclose the vulnerability to our security team by taking the following steps.
    • Do not attempt to exploit the vulnerability.
    • Email our Security Incident Response Team at sirt@showclix.com.
    • If the contents of the vulnerability are sensitive in nature, please use our PGP key, below.