LearningCart: A Security-by-Design Platform

Secure as a Bank.

Cybersecurity. The topic is broad and, for many, ambiguous. Cyberattacks have become sophisticated and creative, making the protection of data more complex than ever before. We at LearningCart approach security and data privacy as a continuous process - regularly assessing what could happen, how it could happen, and how we can prevent the unspeakable from happening. Since our inception in 2011, we are proud that we haven't had a single reported case of fraud on our systems.

As a part of our regular security practices, LearningCart recently underwent an exhaustive Payment Card Industry (PCI) SAQ D compliance review with a third-party Qualified Security Assessor (QSA). The SAQ requires an organization to document how it adheres to industry best practices for protecting cardholder data. That process covers everything from firewall rules to data backups, operational policies, required scanning, and penetration testing. Imagine hiring a team of expert thieves to attempt to break into your home. That image gives you a glimpse into the rigorous penetration testing performed on the LearningCart platform. The results? Exactly what we expected. We have been told by analysts that our platform's security is as sophisticated and reliable as what they would typically see in the banking industry.

What does that look like?

  • Unlike open-source systems with a variety of “plugins” written by unknown developers, LearningCart is backed by the reputation of an organization with a long track record of success implementing complex web-based solutions for large corporations. Our proprietary system has been developed from the ground up using proven technologies and architecture to be secure.
  • We are a certified Authorize.net developer, which means that our code, eCommerce transactions, and internal processes have been reviewed by Authorize.net (one of the world’s leading credit card processors) to ensure we are adhering to industry best practices.
  • We also are a TouchNet partner and have secure integrations with the following payment gateways: Authorize.Net, Stripe, PayPal, BrainTree, CyberSource, Worldpay, Paysimple, Mercado, FIS, TELR.
  • Our servers are located in a physically secure, video-monitored data center that is staffed 24/7. Our hosting environment is compliant with a number of international standards including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, and ISO 27018. All of our production systems are monitored around the clock by Alert Logic, who deliver industry-leading managed detection and response (MDR) and web application firewall (WAF) solutions.
  • Along with system security, data privacy is extremely important to us. LearningCart is designed to be GDPR-compliant and provides all the necessary tools our customers need to operate in a GDPR-compliant manner.
  • The LearningCart platform allows users to require password updates at various time intervals to meet company procedure and best practices.
  • Our advanced admin permission levels enable our customers to restrict access to sensitive information to an as-needed basis for each individual admin.
  • We administer continual platform updates to ensure that all areas of the system are up-to-date and secure.

Monitoring & Testing

Ongoing data security requires a multifaceted approach that ensures our customers' data is protected from all angles.

  • Physical Security: All of our servers are hosted in Amazon AWS which is staffed and monitored 24/7 and provides world class access controls.
  • Application Security: We partner with Alert Logic for advanced threat detection and logging. Their network operations center performs real-time monitoring of our applications, hosting environment, as well as traffic, to quickly identify any potential threats or changes.
  • Operational Security: Our operational data security standards are based on industry best practices, well documented, and every member of our team undergoes annual security and compliance training.
  • Validation: Along with our standard monitoring, our systems are scanned quarterly by a PCI Approved independent scanning vendor to validate our current security state. Additionally, our systems undergo regular independent penetration testing performed by outside security experts.

From network security to application monitoring, backup storage, hiring practices, internal systems access, code integrity management – every part of our organization is fully encompassed by our commitment to security.


Tags: Security, PCI Compliant