Security

Security is one of the biggest considerations in everything we do. If you have any questions, or encounter any issues, please contact us at [email protected].

PCI

White is certified to PCI Service Provider Level 2.

SSL

White forces HTTPS for all services, including our public website. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support.

Encryption

All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of White’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. White’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with White’s primary services (API, website, etc.).

Disclosure

We rapidly investigate all reported security issues. If you believe you’ve discovered a bug in White’s security, please get in touch at [email protected] (optionally using our PGP key at the bottom of this page). We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by White.

Thank you for helping keep White, our users, and their customers safe!

PGP

Our PGP key is below. You can use this key to encrypt your communications with White, or verify signed messages you receive from White. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)

Key ID: 0DF9E7F6
Key type: RSA
Key size: 2048
Fingerprint: B9CD EE6D 0D82 AFEC 1B7F 1511 926A D7AF 0DF9 E7F6
User ID: [email protected]