World-Class Security
Recurly is PCI-DSS Level 1 compliant, and recognized on the Visa Global Registry of Service Providers. We meet or exceed all industry-standard payment security practices to protect you and your customers.
Security is our priority
The Payment Card Industry Data Security Standard (PCI-DSS) provides a framework for developing a robust security process for credit card transactions. Any merchant or merchant service provider accepting, transmitting, and/or storing cardholder data must be PCI compliant.

Recurly Keeps You Secure
Data Encryption
Adheres to the PCI Data Security Standard for Service Providers.
Web Application Security
Follows industry-standard secure coding guidelines.
Physical & Network Security
Hosts data in dedicated facilities with 24x7 security.
Recurly whitepaper:
Security, compliance, and privacy: An overview for external parties
Security & Compliance FAQs
Recurly is PCI-DSS Level 1 compliant, a standard that specifies best practices and various security controls. Cardholder data is sent directly to Recurly to minimize risk to your business. Recurly provides a secure environment that goes above and beyond industry security standards and guidelines.
All organizations processing credit card information, regardless of their deployment model, are required to be certified. Your merchant bank account requires your business to be PCI compliant, and Recurly helps you meet those requirements.
Sensitive information is stored using several layers of encryption in a segmented network with no public internet access. New encryption keys are generated on a daily basis, and existing keys are rotated on a regular basis. When in transit over public networks, sensitive information is encrypted over SSL connections using TLS v1.2 or above.
Recurly application development follows industry-standard secure coding guidelines. The application is segmented by function to maintain security.
Recurly is hosted in a dedicated hosting environment with 24x7 security. Physical access to the network is strictly limited and monitored. Private networks are strictly segmented according to function. Restrictive firewalls protect communication entering the network and between private networks. All access to Recurly's network and services is strictly logged. Audit logs are reviewed on a regular basis. Internal and external network penetration tests are performed on a regular basis by third parties. Two-factor authentication and strong password controls are required for administrative access.