You’ve probably heard about the Heartbleed SSL vulnerability that is compromising secure Internet communication worldwide.
If you’re concerned about your PaySimple account, don’t worry: PaySimple systems are NOT AFFECTED by Heartbleed.
If you haven’t heard about the threat, or have simply heard the name but not the details, here are the key points:
The Heartbleed Threat
Heartbleed allows anyone on the Internet to read chunks of the memory of a system running a vulnerable version of OpenSSL, and the malformed requests that trigger it typically leave no trace in ordinary server logs. That memory can contain whatever the server was handling at the time: usernames and passwords, session cookies, credit card and bank account numbers, and even the server’s own private key. This means that even if you see “https” in your browser’s address bar, and even if you see the lock icon, you cannot be assured that the personal information you submit over the web is safe from hackers and other malicious actors.
Heartbleed only affects systems running the OpenSSL implementation of SSL and TLS, the protocols used to implement secure Internet communication (the “s” in https). More precisely, the bug (CVE-2014-0160) sits in the TLS heartbeat extension of OpenSSL versions 1.0.1 through 1.0.1f; it was fixed in 1.0.1g, and the older 0.9.8 and 1.0.0 branches were never affected. OpenSSL is typically found on servers running Apache and nginx. Apache accounts for 52% of servers in operation today and nginx 14%, which is why this vulnerability is so concerning. The exposure is not limited to web servers, though: OpenSSL is also embedded in mail servers, VPN gateways and many appliances, and a vulnerable OpenSSL on a client can be attacked by a malicious server. (See Troy Hunt’s post Everything you need to know about the Heartbleed SSL bug for a great discussion of how systems are affected by Heartbleed.)
PaySimple Systems ARE NOT Affected by Heartbleed
PaySimple production and sandbox systems use Windows servers running IIS, which implement the SSL and TLS protocols for secure “https” communications through Microsoft’s Schannel provider via the Security Support Provider Interface (SSPI) rather than through OpenSSL. To be extra safe, we have scanned all of our production and sandbox systems to be sure that no instances of OpenSSL exist in our environment. They do not!
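The check described above, deciding whether an OpenSSL build found on a host actually falls in the affected range, as an added example that is not PaySimple’s code and is not part of the original post. The inventory, hostnames and version banners below are constructed for illustration; the affected range (1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g) is the one published in the OpenSSL advisory.

```python
import re

# Constructed inventory of "openssl version" banners collected from hosts.
# Hostnames and banners are made up for this example. None means the scan
# found no OpenSSL on the host at all, e.g. a Windows/IIS server.
INVENTORY = {
    "api-01":    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "api-02":    "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01":     "OpenSSL 1.0.0k 5 Feb 2013",
    "vpn-01":    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail-01":   "OpenSSL 0.9.8y 5 Feb 2013",
    "legacy-01": "OpenSSL 1.0.1 14 Mar 2012",
    "web-01":    None,
}

# Matches the version part of a banner, e.g.
#   "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1, 0, 1, letter "e"
#   "OpenSSL 1.0.2-beta1 24 Feb 2014"  -> 1, 0, 2, beta "beta1"
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = (m.group(4) or "").lower()
    beta = (m.group(5) or "").lower()
    return major, minor, patch, letter, beta


def classify_openssl_banner(banner):
    """Classify a banner by its upstream version number alone.

    Returns (status, reason); status is one of "vulnerable", "fixed",
    "not_affected" or "unknown". Upstream affected range: 1.0.1 through
    1.0.1f, plus 1.0.2-beta1. Vendor backports are NOT visible here.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown", "could not parse an OpenSSL version from the banner"
    major, minor, patch, letter, beta = v
    base = (major, minor, patch)
    if base == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a", so this covers 1.0.1 .. 1.0.1f.
        if letter <= "f":
            return "vulnerable", "1.0.1 through 1.0.1f ship the buggy heartbeat code"
        return "fixed", "1.0.1g and later contain the upstream fix"
    if base == (1, 0, 2):
        if beta == "beta1":
            return "vulnerable", "1.0.2-beta1 was released before the fix"
        return "fixed", "1.0.2-beta2 and later contain the upstream fix"
    if base < (1, 0, 1):
        return "not_affected", "the heartbeat extension was only added in 1.0.1"
    return "fixed", "release branches after 1.0.2 postdate the fix"


def assess_inventory(inventory):
    """Map each host to a status; hosts with no OpenSSL get "no_openssl"."""
    result = {}
    for host, banner in inventory.items():
        if banner is None:
            result[host] = "no_openssl"
        else:
            result[host] = classify_openssl_banner(banner)[0]
    return result


if __name__ == "__main__":
    for host, status in sorted(assess_inventory(INVENTORY).items()):
        print(f"{host:10} {status}")
```

The version string is only a first filter. Distributions such as Debian and Red Hat backported the fix while keeping the 1.0.1e banner, so a "vulnerable" result from this classifier means "vulnerable unless the vendor package changelog lists the CVE-2014-0160 fix"; confirm with the package version or a live heartbeat test before closing the ticket, and remember that a host with no OpenSSL binary can still load a vulnerable copy statically linked into a third-party product.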
So, you can rest assured that your personal information and your customers’ personal information has not been affected by Heartbleed, and that it remains safe and secure in PaySimple’s PCI Compliant systems.
What You Should Do
Heartbleed has affected many large sites such as Yahoo, Facebook, Google and Amazon Web Services, and has affected many smaller sites as well. Unfortunately, due to the nature of the bug you may never know whether your personal information has been compromised. To be safe you should change your password on every affected site, but only after the site has been fixed: changing it before the patch is in place simply exposes the new password to the same bug. A site is fully fixed only once it has upgraded OpenSSL and replaced its SSL certificate with one issued for a new private key, since the old key itself may have been read from memory. According to the New York Times article on Heartbleed, many sites have already installed the fixed version of OpenSSL and closed the hole, but others are still working on the problem. So, before changing your password, wait for a communication from the site or look for a notice stating that the system has been patched.
Additionally, you should continue to adhere to best practices for preventing identity theft such as monitoring your bank accounts and credit card statements for activity you do not recognize, and checking your credit reports at least annually. (See this post for tips on how to do that for free.)
If you have questions about the security of your PaySimple account, or about security best practices in general, please don’t hesitate to contact our Customer Care team. They are happy to help.