
Quantrax's FAQs for Data Security

Q: What is Quantrax Corporation? A: Quantrax Corporation is a technology company that started operations over 30 years ago to provide technology solutions for proactive debt collection. They are the premier company in offering intelligent software for the accounts receivable management and collection industry, and they continue to develop and deploy creative solutions for this industry through their technical innovation.


Q: What security measures does Quantrax have in place? A: Quantrax Corporation has implemented various technical controls, including VPN and other network intrusion prevention methods, to prevent unauthorized access to data. It is each client's responsibility to assess their security needs for accessing RMEx and to work with Quantrax to make sure those needs are met. Quantrax offers password-protected access through the site-to-site VPN, as well as remote access using two-factor authentication.


 Q: How does Quantrax control access to their systems and data? A: Quantrax Corporation controls access to their systems and data through a combination of physical and logical access controls. Their production systems are housed at a third-party secure data center with military-style security and 2-N redundancy in all critical systems. Access to resources and data is granted to individuals based on their job responsibilities, and unique user IDs and passwords are assigned to each user. The security administrator is responsible for ensuring adherence to the security policy that addresses logical access control procedures.  


Q: Are there controls in place to keep the data in question segregated from any other? A: The databases are only accessible through the software application and are protected from unauthorized access. Direct network access to the software or the servers on which it runs is only granted to personnel authorized by IT management. Administrative access to the servers, applications, and production databases is restricted to IT support personnel.  


External remote access to the internal network is only available to authorized users through Virtual Private Network (VPN) connections. This access is only available to management and needs to be requested through the CEO.  


Q: Does Quantrax have a formal Software Development Life Cycle (SDLC) policy? A: Quantrax has developed and implemented controls to manage new software implementations and changes to existing systems. These controls are used in the evaluation, design, development, testing and implementation of changes to infrastructure hardware, operating software, and application software. All changes are reviewed and approved by Senior IT Personnel before being implemented in production. While the text does not explicitly mention a formal SDLC policy, the presence of these controls suggests that they do follow a structured approach to software development and change management.


Q: What is the algorithm used for encryption within RMEx? A: The algorithm used within RMEx is the Rijndael Algorithm in Counter mode of operation.   


We offer 256-bit encryption (which is very strong). Key size can indicate how weak or strong the encryption is. As a general rule, the greater the key size, the better the data is protected (e.g., a 256-bit key generally provides better protection than a 256-bit key). However, this is not always true. For example, data encrypted with the RSA algorithm using a 256-bit key is not as safe as data encrypted using the AES algorithm using a 256-bit key.


 Important features of this algorithm are as follows:  

  • Supports key lengths of 64 bits, 128 bits or 256 bits.

  • Symmetric Algorithm (Same key is used for encryption and decryption)  

  • It is free and not patented  

  • It is the algorithm that is considered the Advanced Encryption Standard (AES)  

  • It is a block cipher which encrypts 64-bit blocks at a time.

  • Counter mode of operation allows the block cipher to work as a stream cipher. Thus, the input length does not have to be a multiple of block size.  
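
An added example (not Quantrax or RMEx code) of the counter-mode property described above, using AES-256-CTR from Go's standard library: the ciphertext is exactly as long as the input, the same call decrypts, and, as a caveat of the stream-cipher behaviour, reusing one key and counter block for two records lets the keystream cancel out. The function names, the sample key and the account records are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ctrXOR runs AES in counter mode over data. CTR only XORs a keystream
// into the input, so the same call both encrypts and decrypts.
func ctrXOR(key, counterBlock, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)) // no padding: output length == input length
	cipher.NewCTR(block, counterBlock).XORKeyStream(out, data)
	return out, nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, 0, len(a))
	for i := 0; i < len(a) && i < len(b); i++ {
		out = append(out, a[i]^b[i])
	}
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)    // constructed sample key, not a real secret
	p1 := []byte("ACCT 1001 balance 250.75") // constructed records, 24 and 23 bytes
	p2 := []byte("ACCT 2002 balance 19.00")
	ivs := make([]byte, 2*aes.BlockSize) // two random initial counter blocks
	if _, err := rand.Read(ivs); err != nil {
		panic(err)
	}
	iv1, iv2 := ivs[:aes.BlockSize], ivs[aes.BlockSize:]
	c1, _ := ctrXOR(key, iv1, p1)
	back, _ := ctrXOR(key, iv1, c1)
	fmt.Println(len(p1), len(c1), bytes.Equal(back, p1)) // same length, round trip
	// Misuse: second record under the same key and counter block.
	c2, _ := ctrXOR(key, iv1, p2)
	fmt.Println(bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))) // keystream cancels
	// Correct use: a fresh counter block for every record.
	c3, _ := ctrXOR(key, iv2, p2)
	fmt.Println(bytes.Equal(xorBytes(c1, c3), xorBytes(p1, p2)))
}
```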


Q: Are there Firewalls in place? A: Quantrax employs firewalls at the perimeter of its network to protect against threats from the Internet. These firewalls provide user and application policy enforcement, multi-vector attack protection, and secure connectivity services through a wide range of security and networking services in a unified threat management platform including:  


• Application-aware firewall services,  

• Site-to-site and remote access Internet Protocol Security (IPsec) VPN connectivity,  

• Intelligent networking services, and

• Flexible management solutions.


Q: What VPN / Firewall ports are opened for the use of RMEx and products through the VPN? A: Only your IT team can answer what ports they have chosen to open, and they will need to be contacted for this question. Quantrax has a list of suggested ports to be allowed, but it's your IT department that makes the decision of what ports are allowed, and what ports they will choose to keep closed.


Q: Vulnerability assessments? A: Quantrax has outsourced certain aspects of its operations to a managed service provider. Quantrax's services are designed with the assumption that certain controls would be implemented by the managed service provider Connectria. The managed service provider undergoes independent third-party SOC 1 and SOC 2 audits and holds certifications for PCI DSS, ISO 27001, FISMA, TIA 942 Class 4 and HIPAA Transaction Compliance.


Q: Physical Security for hosted RMEx? A: Quantrax is partnered with Connectria, whose Tier-4 facility includes military-style security and 2-N redundancy in all critical systems. The data center provides connectivity to many of the major U.S. internet and telecommunication carriers, including AT&T, Comcast, Phonoscope, Fiberlight, Time Warner Telecom, Verizon and Zayo.


The following are examples of some of its physical security features:   

  • Reinforced concrete bollards,    

  • Steel-lined walls and bullet-resistant glass,    

  • Video surveillance and recording of exterior and interior,    

  • 24x7 on-site security guards,    

  • Man traps,    

  • Revolving entrance doors,    

  • Biometric and key card security,   

  • Cabinet and cage security options (including individual locks and biometric scanners), and   

  • Perimeter fence  


Q: How does RMEx connect to third-party vendors using APIs (Application Programming Interfaces)? A: RMEx uses APIs to move data to and from third-party vendors. This could be for validating credit cards in real-time or for use with VoIP with a dialer. By default, RMEx does not access any outside third parties directly (unless you have a custom program). Instead, it uses a bridge program that runs on a different server, such as a Windows server. RMEx will talk to this bridge program, and the bridge program will then contact the third-party vendor for the encrypted data transfer.   


Notes about APIs and Authentication:

  • API keys are specifically designed for accessing APIs and authorize requests, while username and password authentication is a more generic form of authentication used across various systems and services.  

  • API keys are typically included in API requests, while username and password authentication are used in an initial authentication step to obtain a token or session.  

  • API keys are randomly generated and provide higher security against brute-force attacks, while username and password combinations may be user-generated and more prone to common values.

  • API keys can be easily managed and revoked without affecting user account credentials, while changing a username and password combination can have broader implications.   

  • API keys allow for more granular access control and can have different scopes and permissions, while username and password authentication typically apply to the entire user account.  
