Security, privacy & compliancy

Certifications & licensing

IT Security

Providing an online infrastructure for payments comes with great responsibility. Processing data is an important aspect for this infrastructure. Therefore, ensuring the availability, integrity and confidentiality of our infrastructure is one of our top priorities. This is done in order to ensure the business continuity of DDP and to minimize the risks by preventing security incidents and reducing their potential impact.

Our goal is to be as flexible and fast as possible in terms of delivering services to our -customers, while maintaining the highest standards in security and compliance (Jan Saan, CTO)

The goal of DDP’s Information Security is to protect your informational assets against all internal, external, deliberate or accidental threats. We aim to preserve confidentiality, integrity and availability of your data. This means that your data only should be accessed by those with the rights to view it, the data can be relied upon to be accurate and processed correctly and finally, that data can be accessed when needed.

In order to ensure IT security, DDP takes several measures:

In control

DDP has support personnel on-site 24/7. Our analysts are continuously monitoring security, performance and connections to suppliers and customers from our Network Operations Centre (NOC).

Validate and improve

DDP validates the results of monitoring the data to improve our infrastructure, coding practices, overall security & compliance and the effectivity of our monitoring processes.

Active, not reactive

DDP actively follows relevant changes in legal and compliance requirements, with extensive focus on, for instance, GDPR regulations. More about this can be read below.

Team effort

IT security is a high priority within DDP. Clear security guidelines are available and all employees are briefed on their responsibilities to continuously contribute to this. Furthermore, information security trainings are available for all colleagues.

General Data Protection Regulation (GDPR)

On May 25th 2018, the General Data Protection Regulation (GDPR) will come into effect, replacing current privacy regulations. By then, all companies handling personal data will need to adhere to the regulation and be able to demonstrate their compliance to the GDPR.

As a responsible processor and a responsible controller, DDP has embraced the principles that lie at the base of the GDPR. Moreover, we regularly revisit them to assure our compliance. We have all necessary tools in place to conform to the principle of accountability. Some examples are: a data controller register, data processor registers, and our specific Data Privacy Impact Assessment (DPIA). We follow data privacy principles in the development of all our services.

In addition, we have set up a GDPR compliance roadmap and took corrective actions where necessary. We updated our terms and conditions in April 2018 to comply with the upcoming GDPR and the processing of personal information by DDP. In updating our terms and conditions, DDP ensures that we provide you with a service that is compliant, and takes into account the latest regulations,techniques and functionalities in payments.

A secure and reliable online payment processing system

Your customers’ transactions are safe with CM Payments. We, as collecting payment service provider based in the Netherlands, comply with all safety rules and technologies for a secure online payment system. These safety rules were established by European financial institutions and De Nederlandsche Bank (the Dutch Central Bank). As a collecting payment service provider, we are in possession of following licenses for our online payment system:

Verenigde Betaalinstellingen Nederland (United Payment Institutions of the Netherlands)

The VBIN is the trade association for the payment institutions, electronic money institutions (EGI’s) and companies that, in general, make payment services in the Netherlands their business, such as described in the Financieel Toezicht Wft (Dutch Financial Supervision Act).

Visa Europe

CM Payments is registered with Visa Europe as a Merchant Agent.

Betaalvereniging Nederland (Dutch Payment Association)

The Betaalvereniging Nederland (Dutch Payments Association) fulfils a large number of collective, non-competitive tasks with Dutch payments transactions. The Betaalvereniging (Dutch Payments Association) establishes safety requirements for payment transactions and certifies market parties in the payment chain. It also monitors compliance with the rules and agreements in order to ensure and improve the safety and reliability of payment transactions. The Betaalvereniging (Dutch Payments Association) directs fraud prevention throughout the entire payment chain, establishes fraud statistics, analyses them and formulates a prevention policy. In addition, it coordinate measures to combat fraud.

Thuiswinkel Waarborg (Dutch home shopping guarantee organisation)

Docdata is a member of Thuiswinkel Waarborg (Dutch home shopping guarantee organisation) and meets several important criteria in terms of financial stability, security, compliance with laws and regulations, and the rules of conduct of Thuiswinkel.org. All members of Thuiswinkel Waarborg (Dutch home shopping guarantee organisation) are recertified every year. When an organisation provides personal information or it carries out a payment on the website, this should be done over a secure connection. Members of Thuiswinkel Waarborg (Dutch home shopping guarantee organisation) have secured their systems with current updates against intrusion, viruses, and other attacks. Members are always screened for security of personal data and they get balloted.

Acceptant Payment Service Provider (APSP)

An APSP (Certified Merchant Payment Service Provider) is an intermediary who mediates between merchants and acquirers with processing debit card payments. Merchants are businessmen and organisations who accept debit card payments (receive). Acquirers are parties that approve and process debit card transactions, such as some banks and transaction processors.

Why certification?

CM Payments provides end-to-end
processing of debit card payments for merchants, for our own risk and account,
through one or more acquirers. A merchant pays a fee for this to the APSP and
processes the revenue realised via debit card payments.

Certified merchant payment service provider

To be able to fulfil
the role of APSP in payment transactions, an APSP must be certified by the
Dutch Payments Association. This means checking whether the APSP process the
funds in a proper and secure manner.

CM Payments is a Certified Merchant Payment Service
Provider (APSP) and has full authorisation to process debit and
credit card payments.

Licensed Collecting Payment Service Provider (CPSP)

The certification means that the Payment Service Provider was approved by the Betaalvereniging (Dutch Payments Association) and also has an agreement with the Acquiring Bank for accepting iDEAL which is licensed by the Betaalvereniging (Dutch Payments Association).

Payment Service Directive (PSD)

​Collecting payment service providers have to deal with the “Payment Service Directive”, in short PSD. This is a directive of the European Parliament and of the Council of the European Union which provides for the harmonization of the internal market for payment services. The PSD aims to promote pan-European competition in payment services and provides a system of licensing for payment service providers. The PSD license imposes specific requirements for risk management and associated procedures for us as collecting payment service provider. In addition, we are monitored by De Nederlandsche Bank (the Dutch Central Bank).

PCI DSS Compliancy (Payment Card Industry Standard)

This abbreviation stands for Payment Card Industry Data Security Standard, which was imposed by VISA and Mastercard. These guidelines ensure that credit card data will be processed and stored in a secure manner. Each year several agencies audit our methods and systems. When certified, they provide us with a certificate indicating that we comply with the highest security standards for online payment processing systems. One of these certificates for online payment processing systems is a PCI DSS certificate.