Security Practices and Procedures at Planning Center
Security here at Planning Center is not taken lightly. Below, we'll outline both the physical and technical procedures we use to ensure your data is kept safe.
Technical Security and Encryption
Whenever your data is in transit between you and us, everything is encrypted, and sent using HTTPS. We protect your login from brute force attacks with rate limiting, and all passwords are filtered from all our logs and are one-way encrypted using industry standard bcrypt.
Security Through Coding Practices
We hire the best developers we can find. Since so many security exploits take advantage of coding errors, part of security is having well-tested, well-reviewed code. At Planning Center, when code is written it requires at least 2 other developers to review the work before it makes it to our test servers. Once it's on our test servers, we make sure everything is working through a quality assurance process. When the code finally makes it to production it has had a lot of eyeballs on it. Developing this way means that it takes more time to get things done, but it also means that fewer mistakes get by.
Local Equipment Security
At the most basic level, our main physical space is locked and alarmed during off hours. In the event of a break-in, we may lose some expensive monitors, but since our servers don't reside in our buildings, they aren't vulnerable to smash-and-grab robberies. Customer data isn't on the laptops our employees use as they work. They connect over the the web using an encrypted connection (the same way your web browser does). Even still, local computers are password protected and encrypted.
Planning Center is a small company, so thankfully we are able to hire some brilliant people who care about its success. Our employee turnover is extremely low (especially for the tech industry). To protect company data, including customer data, all employees sign a non-disclosure agreement when hired. All of our employees are on-shore here in the US.
All customer data resides only in secure data centers employing stringent security practices, including 24/7 on-site security personnel, biometric screening, man traps, and key card locks. When visiting these facilities, one must be on an entry list and have their identity verified. Physically, these data centers are fortified to withstand major natural disasters.
The Payment Card Industry Data Security Standard is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Planning Center doesn't store this type of information.
Any time you enter payment information (such as a credit card, a debit card, an ACH account, etc.) in a Planning Center application, it's sent over an encrypted connection from your web browser directly to Stripe - one of the largest, most advanced payment processors in the world. They handle payment processing for services like Kickstarter, Lyft, Shopify, Pinterest, Twitter, Heroku, SureveyMonkey, and many other companies. Once Stripe receives valid payment information, they then issue us an encrypted "token." We use these tokens to create charges against those credit cards and bank accounts - even though we can't access the full details of those payment methods. We can only fetch the basic information such as the last 4 digits, they type of payment method, its expiration date, and the customer's name. The full account number or CVC number isn't released to us.
So, when an attendee pays for an event registration in Planning Center Registrations we never see that card number. When someone connects their bank account to their donor profile in Planning Center Giving, all we know is that a valid payment method, held at Stripe, exists for that donor. In fact, Planning Center Giving is an entire donation management system built on the back of Stripe tokens. It's worth repeating: not a single card or bank account number is stored in our database. The database columns just don't exist.
Stripe itself is a certified "PCI Service Provider Level 1" payment processor. This is the most stringent level of certification available. Because of Stripe, we're able to build complex products that deal with payments… without handling payment methods.
We encourage all customers to visit our security response page to securely report any concerns of abuse, exploits, and other types of incidents. These reports are immediately escalated to our advanced support team.
Lastly, a word about the culture here in general. Most of us who work at Planning Center are also users of our software. Our personal data is in the same database as our customers. We've checked-in our children using Planning Center Check-Ins at our own churches. We've donated to our churches using Planning Center Giving. To date, we've never had a breach or issue related to data theft. If that ever happened, we understand that the goodwill and reputation we've been building over the years would vanish. It would be a major blow to all of our personal careers. This is another reason we go to such lengths described above.