Payment Security

PAYMENT SECURITY & DATA PROTECTION STATEMENT

Cortivas Global LLC

https://shopcortivas.com

Effective Date: May 20, 2026

STATEMENT: Cortivas Global LLC is committed to protecting the security and confidentiality of all customer payment information and personal data. This statement outlines our payment security practices, compliance standards, data protection measures, and commitment to safeguarding financial transactions. We comply with all applicable payment industry standards, regulatory requirements, and best practices to ensure that your payment data is handled with the highest level of security and care.

1. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) COMPLIANCE

1.1 PCI DSS Overview

Cortivas Global LLC operates in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards established by the PCI Security Standards Council to protect cardholder data and reduce credit card fraud. PCI DSS Version 3.2.1 (and upgrades to subsequent versions) requires that all organizations that store, process, or transmit payment card information implement specific technical, operational, and management controls.

1.2 PCI DSS Compliance Status

Cortivas Global LLC does not directly store, process, or transmit full payment card data (e.g., credit card numbers, CVV codes, PINs). Instead, we utilize PCI DSS Level 1 certified third-party payment processors to handle all payment card transactions. This architecture significantly reduces our PCI compliance scope and eliminates the risk of direct cardholder data exposure. Our payment processor (Stripe) is PCI DSS compliant and maintains Level 1 certification, the highest level of compliance in the payment card industry.

1.3 What We Do NOT Store

  • Full credit card numbers (PAN — Primary Account Number)
  • Card Verification Values (CVV, CVC, or security codes)
  • Personal Identification Numbers (PINs)
  • Magnetic stripe data
  • Card authentication codes or encrypted track data

1.4 Minimal Data Approach

We collect and retain only the minimum payment information necessary to complete transactions and fulfill customer requests. This includes: billing name, billing address, card expiration date, the last 4 digits of the card number (for customer reference only), and transaction amounts. We never request, process, or store sensitive authentication data unless absolutely required, and we delete such data within the shortest legally permissible timeframe.

2. ENCRYPTION AND DATA TRANSMISSION SECURITY

2.1 SSL/TLS Encryption

All data transmitted between your device (computer, smartphone, tablet) and our servers is encrypted using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. SSL/TLS encryption uses 256-bit (or higher) encryption algorithms to scramble data in transit, making it unreadable to unauthorized parties who may attempt to intercept it. Our Website displays a padlock icon and uses the 'https://' scheme (not 'http://') to indicate an active encrypted connection.

2.2 Certificate Authority and Verification

Our SSL/TLS certificates are issued by a trusted Certificate Authority (CA) and are regularly renewed and audited. Certificates verify the authenticity of our servers and prevent man-in-the-middle attacks. All certificates meet current industry standards and are configured with modern cipher suites and security protocols (TLS 1.2 or higher).

2.3 Data at Rest Encryption

Personal information stored on our servers is protected through encryption at rest, meaning data is encrypted while stored in our databases and backup systems. Encryption keys are stored separately from data and are protected through access controls and secure key management practices.

2.4 Encrypted Backups

All backup copies of customer data are encrypted and stored in secure, geographically redundant locations. Backup encryption uses the same standards as production data encryption, ensuring that even if backups are accessed, data remains protected.

3. PAYMENT PROCESSOR INTEGRATION AND SECURITY

3.1 Stripe Payment Processing

Cortivas Global LLC uses Stripe (https://stripe.com) as its primary payment processor for credit card, debit card, and digital wallet transactions. Stripe is a Level 1 PCI DSS compliant payment service provider and has completed a SOC 2 Type II audit, ensuring the highest standards of security, availability, and confidentiality.

Stripe's services include: payment authorization and processing, tokenization (conversion of payment data into secure tokens), fraud detection, chargeback management, dispute resolution, and compliance monitoring. Stripe maintains PCI DSS compliance on behalf of Cortivas Global LLC, reducing our direct compliance burden and significantly lowering the risk of data breaches.

3.2 Tokenization

Payment card data is tokenized immediately upon capture. Tokenization replaces sensitive payment card information with a unique, non-sensitive identifier (token) that has no value outside of Stripe's ecosystem. This token allows us to reference the payment method for future transactions without ever having direct access to the original card data.

3.3 Stored Payment Methods

If you choose to save a payment method for future purchases, only the token is stored on our servers, not the actual card details. Tokens are useless without access to Stripe's systems, providing an additional layer of security. You can delete saved payment methods from your account at any time.

3.4 3D Secure and Additional Authentication

Stripe supports 3D Secure (3DS) technology, which adds an additional layer of cardholder verification for online transactions. When 3DS is enabled, customers may be prompted to authenticate their identity through their bank or card issuer before the transaction is completed, reducing fraud and chargebacks.

3.5 Alternative Payment Methods

In addition to credit and debit card payments, Cortivas Global LLC accepts digital wallets (Apple Pay, Google Pay, Samsung Pay), ACH bank transfers, and wire transfers. Each payment method is processed through secure, compliant channels with the same encryption and fraud prevention standards as credit card processing.

4. FRAUD DETECTION AND PREVENTION

4.1 Real-Time Fraud Monitoring

All transactions are subjected to real-time fraud monitoring and analysis. Our fraud detection systems analyze multiple data points to identify suspicious activity, including:

  • IP address geolocation and reputation (checking against known fraud databases)
  • Device fingerprinting (analyzing device characteristics to detect multiple accounts from the same device)
  • Velocity checking (monitoring the frequency of transactions from the same payment method, IP, or device)
  • Transaction amount anomalies (flagging unusually large orders or orders inconsistent with account history)
  • Geographic inconsistencies (detecting orders from different geographic locations within impossible timeframes)
  • Card matching analysis (comparing card details against databases of stolen or compromised cards)
  • Email and address verification against fraud lists
  • Billing-to-shipping address mismatches

4.2 Machine Learning and Behavioral Analysis

Stripe and our internal fraud systems use machine learning algorithms that continuously learn from transaction patterns and fraud indicators. These systems adapt to new fraud techniques and evolve to detect emerging threats. Behavioral analysis tools monitor for patterns consistent with card testing, account takeover, or refund fraud.

4.3 Manual Review and Escalation

High-risk transactions flagged by automated systems are escalated to manual review by fraud specialists who perform additional investigation and may contact the customer to verify legitimacy. Manual review may include requests for additional documentation, ID verification, or address confirmation.

4.4 Chargeback Management

In the event of a chargeback (customer disputing a transaction with their bank), we work cooperatively with the bank and our payment processor to investigate the claim, gather evidence, and dispute fraudulent chargebacks. We maintain detailed transaction records, order documentation, and shipping confirmations to support legitimate transactions and defend against false chargeback claims.

4.5 Account Security Monitoring

Customer accounts are continuously monitored for unauthorized access attempts, suspicious login patterns, and account takeover indicators. If unauthorized access is detected, the account is immediately locked and the customer is notified. Two-factor authentication and password complexity requirements further protect accounts from compromise.

5. PAYMENT SECURITY INFRASTRUCTURE

5.1 Secure Network Architecture

Our payment processing infrastructure is isolated on a secured network with multiple layers of protection:

  • Firewalls: Multi-layer firewalls with stateful inspection and application-layer filtering prevent unauthorized access to payment systems.
  • Network Segmentation: Payment data systems are isolated from other systems to limit lateral movement in case of compromise.
  • Intrusion Detection and Prevention: Automated systems monitor network traffic for malicious activity and block suspicious connections in real time.
  • DDoS Protection: We utilize DDoS mitigation services to protect against distributed denial-of-service attacks that could disrupt payment processing.
  • VPN and Secure Tunnels: All administrator access to payment systems occurs through encrypted VPN connections or secure tunnels.

5.2 Access Control and Authentication

Only authorized personnel with a specific business need have access to payment data or payment systems. Access controls include:

  • Role-Based Access Control (RBAC): Employees are assigned roles with the minimum permissions necessary to perform their job functions.
  • Multi-Factor Authentication (MFA): All administrators must authenticate using a password and a second factor (hardware token, authenticator app, or biometric).
  • Session Management: All administrative sessions are logged, time-limited, and automatically terminated after inactivity.
  • Privilege Elevation Logging: Any elevation of privileges is logged and audited for accountability.
  • Regular Access Reviews: Access rights are reviewed quarterly to ensure they remain appropriate and necessary.

5.3 Cloud Infrastructure Security

Payment-related data and systems are hosted on secure cloud infrastructure (Amazon Web Services, Shopify, or similar Level 1 compliant providers) that maintains SOC 2 Type II compliance. Cloud providers employ data center security, environmental controls, redundancy, disaster recovery, and continuous monitoring to ensure availability and security of hosted systems.

6. VULNERABILITY MANAGEMENT AND SECURITY TESTING

6.1 Vulnerability Scanning

We conduct regular automated vulnerability scans of our payment systems, web applications, and network infrastructure to identify potential security weaknesses. Scans occur at least quarterly and are performed by certified third-party security firms.

6.2 Penetration Testing

Annual penetration testing (ethical hacking) is conducted by independent security experts to identify exploitable vulnerabilities that automated scanners might miss. Penetration tests simulate real-world attacks and provide recommendations for remediation.

6.3 Security Code Reviews

All code changes to payment-related systems undergo security code review by experienced developers before deployment. Code reviews identify common vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure cryptography.

6.4 Patch Management

Security patches and updates for operating systems, applications, libraries, and frameworks are applied promptly, typically within 30 days of release (or immediately for critical vulnerabilities). A patch management process ensures thorough testing before deployment to production systems.

6.5 Web Application Firewall (WAF)

Our website and payment pages are protected by a Web Application Firewall (WAF) that filters malicious traffic, blocks common web attacks (SQL injection, XSS, DDoS), and enforces security policies. WAF rules are regularly updated to address emerging threats.

7. ACH AND WIRE TRANSFER SECURITY

7.1 ACH (Automated Clearing House) Transfers

For customers who prefer ACH bank transfers, we accept payments through secure ACH processors that comply with National Automated Clearing House Association (NACHA) rules and regulations. ACH transfers are processed through your bank and Stripe's ACH integration, which applies the same fraud detection and security standards as credit card processing.

Bank account information provided for ACH payments is encrypted and transmitted securely. ACH transfers typically settle within 3-5 business days. ACH payments are governed by your bank's security practices and the Federal Reserve's ACH regulations.

7.2 Wire Transfer Security

Wire transfers are also accepted as a payment method. Customers requesting wire transfers must provide valid wire instructions and complete identity verification. Wire instructions are provided through encrypted secure messaging and must be confirmed by the customer before processing.

Wire transfers are processed through the SWIFT network (Society for Worldwide Interbank Financial Telecommunication), which employs its own security protocols and encryption. Wire transfer information is stored separately from other payment data and is subject to additional access controls.

7.3 Bank Verification

For ACH and wire transfers, we verify bank account information where possible through automated verification services (Plaid or similar) to ensure the account is valid and owned by the customer providing it. Micro-deposit verification may be used as an additional confirmation method.

8. COMPLIANCE WITH PAYMENT REGULATIONS

8.1 Anti-Money Laundering (AML) and Know Your Customer (KYC)

Cortivas Global LLC complies with Anti-Money Laundering (AML) regulations and maintains Know Your Customer (KYC) procedures to prevent money laundering, terrorist financing, and other illicit activities. All customer transactions are monitored for suspicious patterns indicative of money laundering. Customers are required to provide accurate identification and billing information during checkout.

Large transactions or unusual activity may trigger additional verification requirements, including requests for government-issued ID, proof of address, or business documentation. We screen customer information against government watchlists and sanctions lists (OFAC, SDNY, etc.).

8.2 Payment Card Industry Regulations

We comply with all PCI DSS requirements, including Version 3.2.1 and future upgrades. Our payment processor (Stripe) maintains current PCI DSS compliance certification and passes annual audits. We undergo quarterly compliance assessments and maintain documentation of our PCI compliance status.

8.3 Electronic Funds Transfer (EFT) Regulations

ACH and wire transfers are regulated under the Electronic Fund Transfer Act (EFTA) and NACHA rules. We comply with all regulations regarding timing, settlement, error resolution, and customer dispute rights. Customers have the right to dispute unauthorized transfers within specific timeframes (typically 60 days for ACH; for wire transfers the period varies depending on bank policies).

8.4 Fair Credit Billing Act (FCBA) Compliance

For credit card transactions, we comply with the Fair Credit Billing Act (FCBA), which provides protections to cardholders disputing unauthorized or erroneous charges. Customers have the right to dispute charges within 60 days of billing and are protected by their bank's chargeback and fraud liability policies.

9. DATA BREACH RESPONSE AND NOTIFICATION

9.1 Breach Detection and Response

We maintain comprehensive security monitoring systems to detect potential data breaches in real time. If an unauthorized access, data theft, or breach is detected, we immediately initiate our incident response plan:

  • Isolation: Affected systems are immediately isolated from the network to prevent further compromise.
  • Investigation: A thorough investigation is conducted to determine the scope, cause, and extent of the breach.
  • Mitigation: Steps are taken to stop ongoing compromise and secure systems.
  • Notification: Affected customers are notified as required by law (typically within 72 hours).
  • Recovery: Systems are restored from secure backups and remediation is implemented.

9.2 Customer Notification

In the event that a breach results in exposure of personal information, we will notify affected customers via email at the address on file within 72 hours (or as required by applicable law). Notification will include:

  • A description of the breach and information compromised
  • Steps taken to secure systems
  • Recommended actions customers should take to protect themselves
  • Contact information for questions
  • Information about credit monitoring or other protective services we may offer

9.3 Third-Party Breach Notification

If our payment processor (Stripe) or another third-party service provider experiences a breach that may impact our customers, we will relay their notification to affected customers within 72 hours and provide guidance on protective measures.

10. EMPLOYEE SECURITY TRAINING AND ACCOUNTABILITY

10.1 Security Training

All employees with access to payment systems, customer data, or sensitive information receive mandatory security training during onboarding and annually thereafter. Training covers:

  • Payment security best practices and PCI DSS requirements
  • Data protection and privacy regulations
  • Phishing and social engineering detection
  • Password management and secure access protocols
  • Incident reporting and breach response procedures
  • Confidentiality obligations and consequences of violations

10.2 Background Checks

All employees with access to customer payment data or sensitive systems undergo comprehensive background checks, including criminal history, credit history (where legally permissible), and employment verification. Background checks are conducted prior to employment and periodically thereafter.

10.3 Non-Disclosure Agreements

All employees sign enforceable non-disclosure agreements (NDAs) that prohibit the disclosure of customer payment data, payment processing procedures, security measures, and other confidential information. NDAs extend beyond employment termination.

10.4 Audit Logs and Accountability

All access to payment systems and customer data is logged with timestamps and user identification. Logs are reviewed regularly to detect unauthorized access or suspicious activity. Any unauthorized access attempts are immediately investigated and reported to management. Violations of security policies result in disciplinary action, up to and including termination.

11. THIRD-PARTY VENDOR SECURITY REQUIREMENTS

11.1 Vendor Assessment

All third-party vendors that handle payment data or have access to customer information must meet strict security requirements before engagement. Vendor assessment includes:

  • PCI DSS compliance certification (for payment processors)
  • SOC 2 Type II audit reports
  • ISO 27001 certification (information security management)
  • References and background checks
  • Data processing agreements (DPA) and security commitments

11.2 Vendor Agreements

Vendor agreements include specific security requirements and data protection clauses, including: limitations on data use (data may only be used for specified purposes), encryption requirements, audit rights, breach notification obligations, incident response procedures, and liability for security failures.

11.3 Ongoing Vendor Monitoring

Vendor security and performance are monitored on an ongoing basis. Vendors are required to provide annual security certifications (SOC 2, ISO 27001) and participate in security questionnaires. Underperforming or non-compliant vendors are escalated for remediation or replacement.

12. CUSTOMER RESPONSIBILITIES

While we maintain comprehensive security measures, customers also share responsibility for protecting their accounts and payment information:

  • Keep your login credentials (email and password) confidential and do not share them with anyone.
  • Use a strong, unique password that combines uppercase, lowercase, numbers, and symbols.
  • Never enter payment card information on unsecured (non-HTTPS) websites.
  • Monitor your payment card statements and bank accounts for unauthorized charges.
  • Report suspicious account activity or unauthorized charges immediately.
  • Use secure, password-protected Wi-Fi when making online purchases (avoid public Wi-Fi).
  • Keep your device operating system and antivirus software up to date.
  • Enable two-factor authentication (2FA) on your account if available.

13. CONTACT AND REPORTING

If you have questions about our payment security practices, suspect a breach, or wish to report a security vulnerability, please contact:

  • Email: cortivas.global@gmail.com
  • Mailing Address: 30 N Gould St, Sheridan, WY 82801, United States
  • Website: https://shopcortivas.com

Security Vulnerability Reporting: If you discover a security vulnerability in our Website or systems, please report it responsibly to cortivas.global@gmail.com (not on social media or public forums). Include a detailed description, steps to reproduce, and potential impact. We will acknowledge receipt within 24 hours and work to resolve critical vulnerabilities within 30 days.

We appreciate responsible disclosure and may provide a reward or public acknowledgment for responsibly reported security issues.

This Payment Security & Data Protection Statement is effective as of May 20, 2026. Cortivas Global LLC reserves the right to update this statement at any time. Continued use of our Website constitutes acceptance of any updates. This statement does not constitute a warranty or guarantee of security, and we disclaim liability for breaches beyond our reasonable control or for customer negligence.