The DCash platform is being developed according to security-by-design principles. Applications are subject to rigorous quality assurance and independent security testing prior to live deployment. Hyperledger Fabric is being utilized to create an enterprise-grade, private-permissioned, distributed ledger (blockchain). Modular and configurable architecture is used to facilitate DCash transfer, payment processing, and settlement across authenticated and authorized APIs. Additionally, all DCash users must be authenticated and authorized.
In light of cybercrime, what level of security is being considered for the design?
The application framework was designed with built-in mitigations against common web application vulnerabilities, and goes through a quality assurance process that includes rigorous security testing. Multi-factor authentication is required for financial institutions, all APIs are authenticated and authorized, and all participants are vetted. In addition, secure hardware elements are being used on mobile devices.
How are users’ personal data to be protected?
Only the user’s financial institution has access to their personal data, which is transmitted exclusively via an encrypted channel. Where any personal data is stored on disk, it is encrypted and stored in a secure facility. Where applicable, all procedures will ensure compliance with GDPR, and other international standards, as well as relevant local and regional laws pertaining to data protection.
Are certain kinds of transactions prohibited?
Transactions will only be approved between two parties who are authorized and have valid credentials. Transactions attempting to exceed pre-approved limits will not be approved. Additionally, transactions may be limited to a certain amount, or a certain amount over a given time period, in accordance with defined tiers and limits.
What data is gathered via the DCash platform?
All transaction data is stored on the blockchain. Outside of that, KYC/AML data will be gathered by a third-party tool and stored separately. Third parties providing such a service will have strict Personally Identifiable Information (PII) guidelines to safeguard this data. We will also be gathering user metrics to measure app usability, which would likewise be stored with an approved third party.
What is the network security standard for commercial banks when connecting to the DCash network?
All interactions with DCash are performed through applications developed by Bitt. These applications are periodically reviewed to ensure that they follow relevant API security standards.
Who is responsible for maintaining the backend infrastructure?
As the technology services provider, Bitt, Inc. is under contract by the ECCB to implement governing rules and protocols, and also to operate the pilot.
Who has administrator access to the backend system?
Administrative access to the back-end systems will be restricted to a select set of pre-approved users. Access by administrative users is logged by the system and unusual activity is monitored accordingly.
How are third-party providers vetted?
All third-party providers are assessed in terms of their compliance with applicable international standards for information security (cybersecurity), data privacy, and quality assurance. Applicable standards include ISO 27001, SOC 2, GDPR and ISO 9001.
Where are the DCash backend systems located?
The back-end commerce system is located in data centres in multiple locations for redundancy. The minting system is offline at a secure location.
How are communications between the mobile app and backend secured?
All mobile app communications are end-to-end encrypted. Attention is given to key management procedures to protect against various identified threats.
Who audits the mobile app code to ensure that it is secure?
The Bitt Quality Assurance team is responsible for reviewing application development. The ECCB's Blockchain Technical Advisor team also completes regular mobile security audits during the development process. Additional independent third-party security audits may also be employed as needed.
How are DCash user accounts provisioned and protected?
All users on the DCash network are known, via KYC checks. Accounts are provisioned using best-practice password complexity checks during the registration process. Usernames and passwords are securely transmitted and stored according to industry best practice. Users’ access privileges are restricted.
How is transaction history secured?
Only the parties participating in a transaction, and their associated financial institutions, have access to that transaction’s history. Access to the transaction history on users’ phones requires the user to authenticate to the device. Financial institutions use multi-factor authentication to access any transaction data stored on the backend.
Is transaction history sold to marketers?
No. The data privacy of pilot end users is of utmost importance to the ECCB, and no sharing of transaction history takes place.