- Do you have staff that are employed just for cyber security?
- Do you have a bounty hunting rewards scheme for grey hackers?
- Does master card facilitate/help security in any way?
- If a hacker got shell/etc access to your server, what damage could they do and how would you restrict the damage?
How are my card details stored on the server? It’s worrying that I don’t need to enter the CVV when topping up, as that indicated that it’s stored on the server somehow.
I can’t speak for the first four questions, but with your fifth…
Card Not Present transactions (those done remotely), such as the Top Up functionality, do not require the CVV.
The only details actually needed by any entity for these transactions are the card number and expiry date. It is up to the merchant to utilise Card Name, Address and CVV.
So Monzo do not need to store your CVV for the top up functionality to work. If through their other means of verification, they are sure the card belongs to you (like asking for CVV on the first top up), they can choose to not test it again.
The CVV cannot be stored within the PCI rules.
For specifics though - Mondo store your top up card details in Stripe. They hold the actual PAN and Mondo can then charge the card upon your request without providing any additional details.
That’s good. I was hoping that the details were partitioned like that.
Say hi to @daniel!
From discussions, the answer is “Not formally yet but if you find something, get in touch”. I believe the address to contact is security@monzo.com?
Specifics probably can’t be discussed but you can bet MasterCard have security and reliability requirements. As will every other payment system Monzo connect to.