Security & Compliance
Security and compliance at the core.
Coshine operates with a security-first approach and aligns its processing environment with recognized payment security and information security standards.
Six control domains over a baseline of internationally recognized payment security standards.
Programs and certifications
PCI DSS
Payment Card Industry Data Security Standard — Level 1 service provider scope.
PCI 3DS
3-D Secure Core Security Standard for ACS and 3DS Server operation.
PCI PIN
PIN Security Standard for processing environments handling PIN data.
ISO/IEC 27001
Certified Information Security Management System covering payment processing operations.
MLPS Level 3
China Multi-Level Protection Scheme Level 3 — for environments operating in mainland China.
Independent audit
Annual third-party assessments and scheme-aligned compliance reviews.
Security controls
- Network segmentation between cardholder data environment and corporate network
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for cardholder data
- Hardware Security Module (HSM) backed key management with documented rotation
- Role-based access control with multi-factor authentication for privileged paths
- Centralized audit logging, log retention and tamper-evident archiving
- 24×7 monitoring and incident response with defined SLA
- Vulnerability management and regular penetration testing
- Vendor security review and sub-processor management
Annual audit & assessment calendar
| Program | Cadence | Assessor type | Window |
|---|---|---|---|
| PCI DSS Level 1 | Annual | External QSA (Qualified Security Assessor) | Q1 |
| PCI DSS network scans | Quarterly | External ASV (Approved Scanning Vendor) | Q1 / Q2 / Q3 / Q4 |
| PCI 3DS | Annual | External QSA-3DS | Q2 |
| PCI PIN | Annual | External QPA (Qualified PIN Assessor) | Q2 (scope-dependent) |
| ISO/IEC 27001 surveillance | Annual | Accredited certification body | Q3 |
| ISO/IEC 27001 recertification | 3-year cycle | Accredited certification body | Year 3 (full re-audit) |
| MLPS Level 3 (China deployments) | Annual | MPS-authorized assessor | Per regulator schedule |
| Penetration test | Annual + on material change | Independent CREST/OSCP-credentialed firm | Continuous program |
Incident response — what actually happens
1. Detection
24×7 monitoring with alerting on availability, latency anomalies, authentication failures and security signals. Detection time targets are below the customer-visible threshold for each signal class.
2. Triage
On-call engineer acknowledges within 15 minutes for P1. Initial severity classification, blast-radius assessment and customer-impact estimate complete within the first 30 minutes.
3. Containment
Stabilize the platform first, investigate second. Runbooks cover scheme-side failover, dependency degradation, regional capacity shift and isolation of compromised paths.
4. Resolution
Restore service to nominal. P1 customer-facing communication on a fixed cadence (initial within 1 hour of declaration, updates every 2 hours, resolution notice within 30 minutes of all-clear).
5. Post-incident review
Blameless post-mortem within 5 business days. Material incidents share an executive summary with affected customers; corrective actions tracked to closure with owners and dates.
Frequently asked
Will you sign an MNDA before sharing your AoC?
Yes. Once an MNDA is in place we can share the current Attestation of Compliance for PCI DSS, the ISO 27001 certificate, and the relevant scope statements. SOC reports are not part of our current program — we issue ISO/IEC 27001 instead.
Is Coshine a Service Provider under PCI DSS?
Yes. Coshine operates as a Level 1 service provider in the relevant deployments. The scope and Service Provider obligations vary by engagement and are spelled out in the service agreement.
Where is cardholder data stored?
Inside the cardholder data environment, encrypted at rest with HSM-backed keys, replicated within an approved availability boundary. Cardholder data does not leave the contracted region without explicit written instruction.
Can you support data residency in our country?
Possibly. Data residency depends on whether Coshine operates an in-region environment for your scope, or whether your bank can host the CDE while Coshine operates the application layer. Both topologies are supported; the right choice is project-specific.
How do you handle vulnerability disclosure?
Reports go to security@coshine.com (PGP key on the Trust > Vulnerability disclosure page). Initial acknowledgement within one business day; we follow coordinated disclosure norms and credit reporters who consent.
Do you do background checks on staff with CDE access?
Yes. Personnel with privileged access to the cardholder data environment undergo background screening at hire and on a defined cadence thereafter, scoped to local labor law.
How do you manage third-party / sub-processor risk?
We maintain a sub-processor inventory with purpose, location and security posture; each undergoes security review before onboarding and on a periodic basis. Material changes are notified to affected customers under contract.
A note on scope
Specific certifications and accreditations apply to the entities, environments and services described in the underlying assessment reports. Coshine does not claim certifications it has not undergone, and does not represent that any product meets every requirement of every regulator globally. For project-specific compliance scope, refer to your service agreement.
