RunSignUp Demonstrates Continued Commitment to Secure Data and Transaction Processing with new Leadership Role

The Electronic Transactions Association (ETA) announced today the launch of a new Payment Facilitator Committee, with Kevin Harris (RunSignUp Chief Finance and Operations Officer) taking the role of Vice-Chair. ETA Press Release: http://www.electran.org/publication/transactiontrends/eta-announces-new-payments-facilitator-committee/

As noted in the release, the committee “will serve as a resource within ETA as the established, valued experts on payment facilitators, enabling deeper discussions on emerging industry challenges and assessing opportunities. The committee will also serve to consider public policy matters that may affect this constituency.”

As one of only a few hundred registered payment facilitators, RunSignUp has taken steps as a company to meet stringent security, banking, VISA and MasterCard processing rules to become an authorized intermediary (Payment Facilitator) between credit card holders (registrants) and races. As such, when transactions are settled for your race, the race proceeds are held in escrow for your benefit with our back-end credit card processing company. Funds transfers to you happen accurately and on time by either ACH or check, based on the frequency of payment that you request.

We became a payment facilitator to ensure that we were complying with financial rules and because we think it is the best way to handle your funds. It addresses the need to be able to quickly onboard smaller sub-merchants and allows businesses like RunSignUp to enable commerce between the buyers and sellers of services. We are pleased to see this secure form of online commerce grow and are proud to have one of our employees take a leadership role in shaping the industry.

Becoming a Payment Facilitator and recently achieving PCI Level 1 compliance are key pieces to our secure data and transaction processing. You can read about all the ways that we keep your data private and secure here.

A few things to look for in evaluating data security and transaction processing in a race technology provider:

  • Does the provider have secure, scalable technology?
  • Are they PCI Level 1 compliant with independent auditors?
  • Do they keep your race funds separate from the funds that they use to operate their business?
  • Do they have a privacy policy for how they will collect, store, and share data?
  • Will they use participant data to market or sell unrelated events, subscriptions, or other items to your race participants?
  • Do they have a proven track record in the industry?

Security Updates – Dirty COW

We have installed the patches for “Dirty COW”, the privilege escalation vulnerability in the Linux Kernel. They even have a logo for it.

The AWS patches are here. If you use other systems that run on Linux, you should check to make sure these changes are made:

https://alas.aws.amazon.com/ALAS-2016-757.html

https://alas.aws.amazon.com/ALAS-2016-758.html

http/2 Support

We have been doing a lot of infrastructure improvements over the past couple of months as a part of our PCI Level 1 Certification. That is the highest level and requires extra measures of auditing, security and scanning, including a week-long onsite visit by a Qualified Security Assessor. Unfortunately most of that is stuff we cannot talk about.

The one thing we can talk about is the http/2 support that Amazon CloudFront has recently released and we are rolling out. http/2 is a major upgrade to the base protocol between browsers and websites.

While there is a lot of complex technology behind it, the simple result is that pages will load faster and response time will go down even further (that’s why we put the “Fast Ron Synup” image on this blog). Remember, site speed is among the most important factors that keep people on your race website and get them through registration completely.

Security Patch

We updated our site with this security patch – https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/.

Other webmasters may want to run the free Qualys SSL scanning tool to check their grades – https://www.ssllabs.com/ssltest/index.html. Users can also check the websites they visit most often (proud to say RunSignUp beat the bank I use :-))

ImageMagick Security Hole Fixed

A security hole was reported in ImageMagick, a tool that many websites, including RunSignUp, use for image resizing and processing. We learned of this issue yesterday and updated the site with fixes last night. We did not detect any breaches as a result of this hole.

You can read more here and here. If you know of other sites that do image processing, make sure they know of this issue.

Secure Information Option

We have added the ability to collect Social Security Number, Driver's License and Passport as highly secure options in race registration. This was done at the request of a race held on a military base, but may be useful for other purposes as well (such as border-crossing races that might require passport numbers).

The data is stored in our database using 4096-bit RSA encryption. We generate a “Private Key” for the race – it is the only key that will unlock the data. This means that no one else, including the administrators of the database at RunSignUp, can decrypt the data. If the race loses the key, the data cannot be decrypted and is lost forever.

The setup is under Race > Registration > Sensitive Information Collection. Only RunSignUp can enable this feature for races.

[Screenshot: Sensitive Information Collection setup page]

Once enabled, the race must set up their private key:

[Screenshot: private key setup]

Once the private key is set up, the following form will show. NOTE – THIS IS THE ONLY TIME YOU WILL SEE THE PRIVATE KEY. You need to copy it into a secure place – we recommend a password-protected document. THIS IS THE ONLY KEY THAT WILL UNLOCK THE DATA!

[Screenshot: one-time display of the private key]

Once you copy the Private Key and close the pop-up, you will then select which data elements you want to ask for from registrants on a per event basis:

[Screenshot: per-event selection of data elements to collect]

What Participants See

Participants are asked for the data when they register. The Social Security Number is validated as a 9-digit number. The fields are set as required and must be filled in.

[Screenshot: participant registration form with the sensitive fields]

Downloading Data

The “Download Participant Data” button downloads all data. The user will see this popup, where they will need to enter their private key – yes, that long string of numbers and characters. If it is entered correctly, you will get a CSV spreadsheet download of the data. Make sure you properly protect this file and the data, as it is your responsibility.

One way to keep this secure is to grant access to just this page to the Security Agent who is assigned to review the data, then give them the private key so they can download the data and do the background checks.

The private key can be reset. If the private key is reset, all previous data is lost – you will NOT be able to go back and retrieve any of the previous data.
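As an added illustration of the key handling this post describes (a per-race private key that is shown once, data the server can encrypt but not decrypt, the download step that needs the key, and the reset that makes old records unrecoverable), here is a small Go program. It is not RunSignUp's code and makes no claim about how their site is built. It assumes an envelope design, with each value sealed under a fresh AES-256-GCM data key that is wrapped with RSA-OAEP under the race's public key, which goes beyond the post's own statement that the data is stored with 4096-bit RSA encryption. The function names (GenerateRaceKeyPair, SealField, OpenField) and the sample SSN are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// SealedField is all the server keeps for one sensitive answer: the AES data
// key wrapped under the race's public key, plus the AES-GCM nonce and output.
type SealedField struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateRaceKeyPair makes the race's key pair (the post uses 4096 bits).
// The public key can stay on the server because it can only encrypt; the
// private key is shown to the race once and never stored.
func GenerateRaceKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// PrivateKeyPEM renders the private key in the form the race must copy away.
func PrivateKeyPEM(priv *rsa.PrivateKey) string {
	return string(pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(priv),
	}))
}

// SealField encrypts one value (e.g. an SSN) with a fresh AES-256-GCM data key
// and wraps that key with RSA-OAEP. The field name is bound in as the OAEP
// label and as GCM additional data, so a ciphertext cannot be moved between fields.
func SealField(pub *rsa.PublicKey, field string, plaintext []byte) (*SealedField, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(field))
	if err != nil {
		return nil, err
	}
	return &SealedField{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(field)),
	}, nil
}

// OpenField is the "Download Participant Data" step: without the matching
// private key the wrapped data key cannot be recovered, so the value stays sealed.
func OpenField(priv *rsa.PrivateKey, field string, s *SealedField) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, []byte(field))
	if err != nil {
		return nil, errors.New("wrong private key or corrupted record")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(field))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateRaceKeyPair(4096) // one-time setup; 4096-bit generation takes a few seconds
	if err != nil {
		panic(err)
	}
	fmt.Println("COPY THIS KEY NOW, IT IS NOT SHOWN AGAIN:\n" + PrivateKeyPEM(priv))
	// Constructed sample registrant value; the server only ever holds the sealed form.
	sealed, _ := SealField(&priv.PublicKey, "ssn", []byte("123456789"))
	fmt.Printf("stored ciphertext: %x\n", sealed.Ciphertext)
	if out, err := OpenField(priv, "ssn", sealed); err == nil {
		fmt.Println("race with its key recovers:", string(out))
	}
	// A key reset means a new pair; records sealed under the old public key are gone for good.
	reset, _ := GenerateRaceKeyPair(4096)
	if _, err := OpenField(reset, "ssn", sealed); err != nil {
		fmt.Println("after key reset:", err)
	}
}
```

The design point is that the database holds only SealedField records and the public key, so a database administrator, or anyone who copies the database, has nothing that can decrypt them; the flip side, as the post warns, is that losing or resetting the private key leaves every existing record permanently unreadable.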