Security Disclosure Policy

Payroc greatly appreciates investigative work into security vulnerabilities that well-intentioned, ethical security researchers carry out. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This policy defines how Payroc can work with the security research community to improve our online security.

Please note that Payroc currently does not provide rewards/bounties.

We follow the practice of responsible disclosure to best protect Payroc's partners and customers from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.
  • We will address the matter as soon as it is practical, keeping in mind that not all risks are created equal.
  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability within the Payroc ecosystem, we ask that you disclose it responsibly by emailing [email protected]. Optionally, if you want to encrypt your email, you can use our PGP key – see the end of this document. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt, our security team will:

  • Review the report, verify the vulnerability and respond with confirmation and further information requests; we typically reply within 24 hours.
  • Once the reported security bug is addressed, we will notify the Researcher, who is welcome to disclose it publicly.

The following is a list of known issues and findings that we do not consider to be security issues. Please do not send reports regarding the following:

  • Account squatting by preventing users from registering with specific email addresses
  • Attacks requiring MITM or physical access to a user's device
  • Best practice reports without a valid exploit (for example, use of "weak" TLS ciphers)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Denial of service
  • Disclosure of server or software version numbers
  • Hypothetical subdomain takeovers without supporting evidence
  • Issues that require unlikely user interaction
  • Missing best practices in Content Security Policy
  • Missing best practices in SSL/TLS configuration
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, and so on)
  • Missing HttpOnly or Secure flags on cookies
  • Open redirect, unless an additional security impact can be demonstrated
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (for example, missing rate limits, missing headers, and so on)
  • Previously known vulnerable libraries without a working Proof-of-Concept
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
  • Rate limiting or brute force issues on non-authentication endpoints
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • Reports of spam
  • Self-XSS
  • Session invalidation or other improved security related to account management when a credential is already known (for example, password reset link does not immediately expire, adding MFA does not expire other sessions, and so on)
  • Social engineering
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (for example, stack traces, application or server errors)
  • Tabnabbing
  • Unconfirmed reports from automated vulnerability scanners
  • User/merchant enumeration
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version)

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGKWBX4BDADhtCOq8nqsTDkwO1SKzRt/KV5VdQk2j0dMl2mriw0HJctXlUR8
UCbfnUZGjKFVikkUH6F1J9ihy7IubnAGchSnfdNhB+gH0ysAt9yYv/aQ7S1AaU2Z
yCuHZsqG7mc66fpt4Qc85iqx/YlkP7pLBAegpFyFt1sjt+6aMHF/dwaOXTWysU3x
D0aLhYNqb6Ltk69nAMbmoJtsHrIcA3MFV8bx3JCuLU5ZGlF6426t/l7S4pMl0eLL
sSVa13HaN4pkeRMX/2ip5aHF6QAu8XcMBtoaNXoKC+TtLB1mQdrNwbhj4NjGq51q
XFb+8o3s/jctB/4M0R1T4Z7Z87CHMYxpRYBURpqXuQcPuTXhsfugmZfJq0pRnNFe
+o4IYEpLBYSAMgDu1iCczCcYMQxjhPhKWL6fQPWo6/RdMbgSDppEoGxGCJLUJAYV
82hCp4H+5quAQXtCcPzVp2ktMNEI/PSj1udA95abvIwmWm62husgiV3XlMmR/NUX
A/dvhm7vUelgbCsAEQEAAbQcUGF5cm9jIDxzZWN1cml0eUBwYXlyb2MuY29tPokB
0QQTAQgAOxYhBM8Wge79onuWC7DOfpxM7lcFs2FyBQJilgV+AhsDBQsJCAcCAiIC
BhUKCQgLAgQWAgMBAh4HAheAAAoJEJxM7lcFs2FyUfwMAKDN+lAi5HU0WepZJca+
ahBnliTSaY8mp4AXhUgW7O16qdINVCNUP1xgFBAB6j6ISmkJRKS/PG7FdVkGNZgH
+euMWGUZycsHmj/NEyQWpnQ+5CKcWDD9+OIrT1MSAhjSfJgpf3AUpxychfmi76gM
2Oc5fI8TYDayEkOZ4pj9cMgeuuSK5wJ4T6pf8coCwJxCB39/0lkG9FpcpEpWc3ar
PwnKf5EMrUwlWAtUr4xam6hJCZSZdDZbvVxsxjprwtV2HPkBhVRtGZzTP0aB0neC
uFix0M5w3KGwodQ1pj9ZNLDRYxx4qDYWh1xpvaMV4ugtm0Hz0jhYnymETCSGvi5r
l0jd2Goz9hRMjfoBcfFO7iqWSOYEGJ4hYbNCI0RG/aMHVbX/Pv6mkQ/3vSOF3RHU
nAPK2GYiw/Z7WusRU2o1FuAfw4Q+mhXRqCpI1G8T7WaP+tXVQEWr48TVOevOncwa
4v6yt9nTxVTRh9R/ryiWkAsOZPj1NzN8s6Nt1nSu8LaVYrkBjQRilgV+AQwAmtOe
vlakjZSJNdD15QI5upWf7twV0x01gpLqfyWG3KsVBQkSmwFDyq/urIkCv2G5pWRY
mq9+gHGGnu20rSsuHpZaBVpu7WKrUfOW3rEJe2dJklUn7mV+NglpNDfHuix/OyhB
keN68ixDZktKe8tXBcajHHBc3wcqpbQzEhDIcJ67e1zVYupuJ0SvS6CNZrdFp5CX
HCe/23Po91zdB97Nt1QEQ76T6WAEsqqEEyOFtnWKUVk/oJC7H3dzeWhVyASLNn4V
FeW/9kEkhdSmPPtFNGYOtYpMbMDYGQCkxGqQmJWeD+PQEWS6mU4NQ9pkyyqNDAzU
+NnSnnf+VN/pPDEye27AqB+8IKuAXTExq/QRKZGV/dPezyn1eOWFKTXOoyAb6/Ti
8/zGMSjqIvlPPJGH2hhj3bxd/uYbT+KwRDBr6q2rLhqfqwT88bCxi3Ss28s4+I8u
Lq0YRaaCmjykIT+qWSudul8mWfACORzWla4rMgqicMJSIE4rQvDjvTDz9gD3ABEB
AAGJAbYEGAEIACAWIQTPFoHu/aJ7lguwzn6cTO5XBbNhcgUCYpYFfgIbDAAKCRCc
TO5XBbNhco0bDAC0XcAt3++/axhvRbZz6Bb3GfojdWY0/MM2iV8gGyKwi3yjQwHA
Cxg/EC+A4sC69gPuWeJHll2o3PWse61/+eqvMqN5oQkivMN61B120pyzEfA9TZEL
vg5kIDBbuVXn4FlQwHPaNeBUcfEpVWEAPQKs2UWcKrStabIL+N1vmZJepmVYkmAZ
rfdH7E8OaFmlShfO8N150mhQGT9W6Li6MMzRzRWaSNuknSEUqWvimfpjLiiPkdbG
mzTKWQ1ZavPdaTWASO50qISFqSgYlcZSJCGgFJc6u4kABZ7LgFCAJc3U8TT8Bj+F
jbLcNDytzrupSUFoMm0PDsFqhEXacUM8MBAS4kDNOfv3fqMai6lONDiMfOhaoIll
5bdHQKCoz7qtjI56HauctDvdbGK4v8mTZW3V6tFpInkkh7BJkiNQV1FcWO3hLELF
NmBk65fMk0s806xFlsWpU8WVNtB8QQUKVYo/aYZfSeLZZB1dLS9CQk8RoLsyOcZJ
lK2yau+ZeM+XxvM=
=Z0Yb
-----END PGP PUBLIC KEY BLOCK-----

Copyright © 2022 Payroc