Security & Data Protection
CollegeNET is a pioneer in Software as a Service (SaaS) technology holding several patents related to web-based commerce. We adhere to the highest standards of security for protecting our customers’ data and privacy. These standards cover all three areas of Internet security and data privacy: (1) secure transmission of data over the Internet, including financial transactions, (2) protection of networks and systems from external attack, and (3) user privacy.
Every step of processing an online transaction, from the submission of data by the user to the final data download to your institution, has been designed with security in mind. All confidential, personal, or sensitive information transmitted to or from CollegeNET over the Internet is encrypted using strong, modern, PCI-compliant cryptography methods such as TLS or SSH.
Financial Transaction Security – PCI-DSS Compliance
CollegeNET is in compliance with the strict requirements of the Payment Card Industry Data Security Standards (PCI-DSS). We are SOC2 compliant,and undergo yearly audits and quarterly external network scans by Moss Adams. CollegeNET is classified as both a Level One Service Provider and a Level Three Merchant for auditing purposes.
Network and System Protection
CollegeNET's secure systems are configured to prevent intrusions and protect from abuse in day-to-day use by a combination of the features described below.
We strictly and continuously monitor access to our servers. Administrative access is restricted to users with a documented need for access, via our secured local network. All administrative access must be attained through encrypted connections.
Although administrative credentials are not allowed to cross the network unencrypted, the network is fully switched to prevent sniffing of network traffic. Our firewalls are in redundant configurations.
Every staff member is required to use a strong password for each machine they access. Staff accounts are randomly checked and run through many of the same password cracking utilities used by attackers.
All CollegeNET servers are audited regularly for vulnerabilities. We update our scanning utilities with the latest security exploits. Although our servers are firewalled, they are configured, by default, not to trust each other. This helps to contain and minimize the impact of any attack. All services not in use are shut off, and the remaining services are updated and secured before a machine is brought live on our network.
Multiple Intrusion Detection Systems (IDS) monitor our network in real time. The IDS locally and remotely monitor the logs, file systems, network traffic and services running on each machine. The IDS are monitored remotely and will automatically page the on-call Systems Administrator if a failure of the IDS occurs.
At least one System Administrator is on call 24 hours a day, 7 days a week. The system pager will contact the on-call Systems Administrator if any system or security issue arises.
CollegeNET servers use a combination of Linux and Windows operating systems. These operating systems were selected based on their reliability, scalability, efficiency and security. All software and operating systems are updated with the latest patches and updates before they go live, and are kept up-to-date while online.
The routers, firewalls and switches are top of the line equipment in redundant configurations. CollegeNET maintains diverse physical connections to multiple upstream ISPs. We own our own portable network block to facilitate load balancing and rapid disaster recovery.
Automated network backups are performed on a regularly scheduled basis with encrypted archives stored at an off-site facility for quick restoration in case of the need for disaster recovery. In addition to the backups, our servers use RAID technology to greatly increase the reliability of the information while on disk.
User Data Privacy
CollegeNET has a strict policy never to give, sell, rent or trade any personally identifiable information to third parties for marketing or other purposes. See our Privacy Statement.