Keeping Your PAC Data Safe

Crimson’s focus on data security goes hand-in-hand with your PAC’s success.


Crimson Security

CMDI makes every effort to ensure that your data is secure in the Crimson platform. From the physical security at our offices and caging facility to the multi-layered approach to protecting our data centers, our top priority is keeping your information safe.


PCI-Compliant Security

Crimson for PACs keeps your financial and donor data secure. All credit cards processed through Crimson follow the standards established by the PCI Security Council.

In accordance with the PCI standards, credit card numbers are never written or stored in our software or on our hardware. Formal extensive penetration tests are conducted on our systems per PCI standards.

When credit card numbers are received in hard copy form, per compliance requirements, they are handled in secure and monitored physical environments. Physical credit card numbers are stored securely and blacked-out after they have been used.

Automatic Backups & Disaster Recovery

Crimson for PAC’s backup systems perform near real-time data replication between the production data center and the disaster recovery center. Replicas of your data are stored in both places, so in the event that one data center fails, your data won’t be lost. Also, all of your data is backed up to tape on a rotating schedule of incremental and full backups. Tapes are securely destroyed when retired.

Note that your data is transmitted across encrypted links and disaster recovery tests verify our projected recovery times and the integrity of the customer data.


Crimson Platform Security

Network Protection

  • Perimeter firewalls and edge routers block unused protocols.

  • Internal firewalls segregate traffic between the application and database tiers.

  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.

Secure Transmission and Sessions

Connection to the Crimson environment is via SSL 3.0/TLS 1.0, using global step-up certificates from Verisign, ensuring that our users have a secure connection from their browsers to Crimson. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.

Security Testing and Assessments

We tests all our code for security vulnerabilities before release. We regularly scan our network and systems for vulnerabilities and conduct regular assessments for:

  • Application vulnerability threat assessments

  • Network vulnerability threat assessments

  • Selected penetration testing and code review

  • Security control framework review and testing

Security Monitoring

Our Information Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.

Secure Data Centers

The Crimson application and your data are maintained on secure, redundant SAN’s that are virtualized in a high availability SSAE 16 Type 2 compliant data center. These top-tier data centers provide carrier-level support, including:

Physical Security

  • 24-hour manned security, including foot patrols and perimeter inspections

  • Biometric scanning for access

  • Dedicated concrete-walled data center rooms

  • Computing equipment in access-controlled steel cages

  • Video surveillance throughout facility and perimeter

  • Tracking of asset removal

Physical Safety

  • Building engineered for local seismic, storm, and flood risks

  • Dual-alarmed, dual-interlock, multi-zone, pre-action dry pipe water-based fire suppression

  • Humidity and temperature control

  • Redundant (N+1) cooling systems, CPS/UPS systems, and diesel generators with on-site diesel fuel storage

  • Redundant power distribution units (PDUs)

  • VESDA (very early smoke detection apparatus)


Physical Security at the CMDI

CMDI takes every effort to secure the physical premises of our office and caging facilities. These security standards include:

  • 24-hour manned security, including foot patrols and perimeter inspections

  • Separate biometric access control to enter caging facility and offices

  • Video surveillance throughout both the offices and caging facility

  • Dedicated mail intake room, opening and sorting room, document scanning room, and data entry room with their own biometric access and video surveillance

  • Tracking of asset removal