Global Enterprise Security

We provide security and compliance services designed to help protect P2PSYSTEM information and physical resources. This effort also focuses on ensuring that P2PSYSTEM has controls in place to manage the risk of interruptions that may impact our service level commitments to you.

Security Methodology Diagram
Security Organization Information Security Controls Compliance and Validation Security Operations

Our security organization, P2PSYSTEM Global Security Services, is responsible for setting objectives for information security management to preserve our commitment to our customers. This includes setting policies in the following areas:

Security Policy

The policy establishes P2PSYSTEM's direction and support for information security and sets a risk management framework that is in accordance with business requirements and relevant laws and regulations.

To download our Commitment To Security Policy.

Asset management

This area focuses on achieving and maintaining appropriate protection of P2PSYSTEM's critical infrastructure required for its service delivery.

Human Resources Security

Controls to ensure that all P2PSYSTEM employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered.

Physical and Environmental Security

To prevent unauthorized physical access, damage, and interference to our organization's premises and information.

Access Control

Framework to ensure only approved users are granted access to appropriate systems and resources.

Information Security Incident Management

Policies and processes aimed at making sure information security events and weaknesses are communicated in a manner allowing timely corrective action.

Security Vulnerability Reporting

Our team gives immediate attention to any report of security issues.

To execute the plans defined in the control objectives above, P2PSYSTEM uses the best practices described in the ISO 27002 security standard. This standard is recognized globally as the most comprehensive framework for establishing and maintaining information security best practices within an organization. As these controls are essential to our security posture, we refrain from describing them in detail on publicly available documents. For further insight into these controls, customers and prospects can view this information on our Service Organization Control 1 (SOC 1) report, which is available under the appropriate confidentiality agreements.

The compliance and validation phase is an important collection of audit and review activities that provide assurances that our implemented controls are designed and operating effectively and aligned with the policies set by the security organization. Learn more about the compliance certifications that P2PSYSTEM currently maintains.

Security Certifications and Standards

P2PSYSTEM adheres to the following information security and related certifications and standards.

ISO 2700

ISO 27001








ISO 27002

ISO/IEC 27002 (formerly known as ISO/IEC 17799:2005, based on BS 17799) is the standard for information security controls published by the International Organization for Standardization (ISO). The standard includes advice on aims and implementation of the controls, but does not mandate specific controls because each organization will have unique requirements based on a specific risk assessment. The P2PSYSTEM information security program is based on ISO/IEC 27002 policies and procedures.

ISO 27001

The ISO/IEC 27001 standard provides a framework for managing a business security responsibilities and provides external assurance for customers as to the scope and scale of our secure environment via our Business Security Management System.

Since 2011, our system has provided the foundation for an integrated and sustainable security model working in tandem with our other security controls such as PCI-DSS. It is subject to ongoing external assessments with a full reassessment every three years.


The Payment Card Industry Data Security Standard is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI-SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organizations which process, store or transmit cardholder information.

You have to secure your network, implement secure data management policies, maintain a vulnerability management program and implement strong access-control measures. And then you have to monitor, manage and test these policies.

We're here to help you navigate this challenging process. Relying on our breadth of experience, we can provide you with infrastructure and solutions that can help reduce the complexity of compliance.

Compliance can be a complex and costly undertaking that involves everything from infrastructure to processes.

P2PSYSTEM is accredited with MasterCard Europe* and Visa USA accredited P2PSYSTEM Hosting as compliant to the following levels:

Level 1 Payment Card Industry (PCI) PCI Service Provider

P2PSYSTEM's PCI certification scope of coverage is for the following locations:

  • All US & UK offices
  • US data centers (DFW1, DFW2, DFW3, IAD1, IAD2, IAD3, and ORD1)
  • All UK data centers
  • Hong Kong data center
  • Sydney data center

Please note that although P2PSYSTEM is a PCI compliant service provider, this does not automatically make our customers PCI compliant. Customers should consult with a Qualified Security Assessor and their Merchant Bank to clarify any PCI obligations and steps to achieve customer compliance.

We offer a full range of PCI security solutions, to help you keep your customers safe. Learn more.

P2PSYSTEM is definitely a trusted partner considering we have to be PCI compliant.

Sunny DhillonTechnical Operations Manager,

It is probably true to say that without the considerable amount of help from P2PSYSTEM we could not have passed the exceptionally stringent PCI audit. P2PSYSTEM certainly went above and beyond their remit to ensure that everything was perfect for us.

Aingaran Somaskandarajah Technical Lead, Oyster Card


SSAE16 is an AICPA (American Institute of Certified Public Accountants) auditing standard intended to provide customers and prospects with third party validated visibility of a service provider's controls.

P2PSYSTEM went through a SSAE16 Type II SOC1, SOC2 (Security and Availability Only), and SOC3 audits covering all data center facilities globally. The report is available to current and potential customers subject to signature of appropriate Non-Disclosure Agreements.


  • Reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA attest standard, which is an audit conducted over internal controls over financial reporting, management of the user organizations, and management of the service organization.
  • Service Organizations' continue to define their control objectives and controls, but the service auditor is responsible for evaluating those control objectives to ensure they are reasonable.
  • A Type 2 report also includes the service auditor's opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.


  • Reports on controls at a service organization relevant to Security, Availability, Privacy, Confidentiality and Processing.
  • SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs.
  • These reports are intended to meet the needs of a hosting provider customer that needs to understand the internal controls at a service organization.
  • SOC 2 framework is a reporting option specifically designed for entities such as data centers, IT managed services, software as a service (SaaS) vendors, and many other technology and cloud computing based businesses.
  • A Type 2 report also includes the service auditor's opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.


Due to the restrictions of distribution to current and potential customers for the SOC 1 and SOC 2 reports, P2PSYSTEM has obtained a SOC 3 report. The difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor's tests of controls and results of those tests as well as the auditor's opinion on the description of the service organization's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.

Safe Harbor

Safe Harbor is the US Department of Commerce framework for meeting the European Union's Data Protection requirements. P2PSYSTEM complies with the In Safe Harbor Framework as set forth by the In Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. P2PSYSTEM has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement, with respect to the personal data we collect from EU and/or Swiss data subjects or receive from our affiliates located in the EU and/or Switzerland, such as information regarding service requests, service orders, handling orders, delivering services and processing payments.

For more information about P2PSYSTEM's Safe Harbor status see the P2PSYSTEM Privacy Center.

Content Protection and Security Standard (CPS)

The Content Protection and Security Standard (CPS) is sponsored by the Content Delivery & Security Association (CDSA). CDSA is an international association that advocates the innovative and responsible delivery and storage of entertainment, software, and information content. CDSA has focused its activities on anti-piracy and content protection standards to protect the security and integrity of intellectual property and related assets.

The Content Protection and Security Standard assists organizations in managing its security and piracy risks. The CPS framework focuses primarily on the security management of media content in all of its forms across the entire supply chain. It is comprised of an independent and impartial audit of risk management, personnel resources, asset management, logical and physical security, and disaster recovery planning.

P2PSYSTEM is accredited until the last day of February 2015 with the Content Protection and Security certification covering:

  • P2PSYSTEM's headquarters in San Antonio, TX
  • Chicago Data Center

P2PSYSTEM has invested significant resources to ensure it can detect and respond to security events and incidents that impact its infrastructure. It is key to point out that this function does not involve actively monitoring individual customer solutions, but the overarching networking and physical environment including the monitoring of internal networks and employee access customer environments.

Security operations at P2PSYSTEM ensure that:

  • Incidents are responded to in a timely manner and communication is disseminated to the relevant parties
  • Corrective actions are identified and executed
  • Root cause analyses are performed
  • Lessons learned are fed back to the policy and planning functions

This function of our security management system drives continuous improvement of the practices and models we implement to protect P2PSYSTEM infrastructure.

An effective mitigation of risks of a cloud solution requires a combination of a secure application architecture and security management disciplines within the service provider. Security Management at P2PSYSTEM involves the coordination of the security organization, security controls, and compliance and security operations.

Card providers, banks and financial bodies now demand a stringent level of security on all remote transactions and the totally secure storage of transaction data. It was with this in mind that we chose P2PSYSTEM Hosting as our hosting partner for the project. We had already gained experience of P2PSYSTEM capabilities from within Deloitte and involvement with other high level projects. Their PCI compliance and Fanatical Support promise sealed the partnership.

Aingaran Somaskandarajah Technical Lead, Oyster Card

Please complete this form to have a specialist contact you.

* Mandatory fields

Copyright © 2010-24 P2P System (P) ltd             Privacy Policy| Terms of Service Agreement | Refund Policy