Security FAQ

7. detsember 2022


Is payment data encrypted?

Erply does not store sensitive payment data (no full credit card numbers, no payment authorization tokens) and is out of the scope of PCI DSS (https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard). 

Payment information stored in Erply is mostly limited to dates, payment types (cash, card or cheque), card type (Visa, Mastercard etc.), sums and terminal transaction reference numbers. To see the full set of data stored in Erply, please see Back office, Sales > Payments. These payment details are stored in the database with the same security level as transaction and customer data, and are not encrypted.

Databases are not exposed to the public internet and are, therefore, not directly accessible by anyone else other than Erply’s Operations team. Data in the databases is only accessible via Erply APIs that require authorization and enforce security.

All communication between the POS and APIs is secured with TLS.

How are updates delivered?

Erply applications are updated regularly and automatically. 

In Brazil POS, there is an option to stay on a fixed version. Nevertheless, when using that option, we strongly recommend to revisit the settings periodically and manually switch over to newer versions.

Release notes for applications are published in Erply wiki: https://wiki.erply.com/category/205-release-notes

Can Erply point of sale be used on a separate network, not connected to the public internet?

No. Erply services are meant to be used over a public network. 

Erply relies on the latest versions of TLS encryption (1.2 and 1.3) to provide a secure connection between the client and the server.

Is it possible to whitelist the IP addresses of Erply's services?

The list of Erply's services is quite extensive. The IP addresses of these services do not belong to a specific range and can change at any time.

As a software-as-a-service provider, service availability and uptime is very important for us: our customers need us to be reliable. This means we take advantage of the modern hosting features offered by Amazon Web Services (failovers, content delivery networks, dynamic scaling) where appropriate, and this unfortunately does not result in a stable set of IP addresses that could be easily whitelisted.

Is two-step authentication available for both the Back office and POS?

Yes. Instructions are available here.