Built to protect every transaction.

Your customers' card data flows through our systems thousands of times a day. Every layer, from the chip reader in their hand to the deposit that lands in your account, is designed so that no single point of compromise exposes a card number. Here's how we do it.

PCI-DSS: Level 1 compliant. Annually audited and certified.
AES-256: Encryption at rest. End-to-end key isolation.
P2PE: Point-to-point encryption, from card swipe to settlement.
24/7: Threat monitoring by a SOC with real human eyes.
Compliance & Standards

The standards we hold ourselves to.

Real third-party certifications and regulatory regimes — not "industry-leading" marketing language. Each can be independently verified through its issuing body.

PCI-DSS Level 1

PCI Security Standards Council

The highest tier of Payment Card Industry compliance. The familiar 6M+ annual card transactions figure is the merchant threshold; service providers such as processors reach Level 1 at a lower volume (300,000+ transactions a year under the Visa and Mastercard programs). Level 1 is validated on site every year by a Qualified Security Assessor (QSA), which is what produces the Report on Compliance and the Attestation of Compliance.

EMV Compliant

EMVCo

All Clover terminals supplied through Great POS are EMV-certified for chip and contactless transactions. Under the EMV liability shift, the cost of counterfeit card-present fraud falls on whichever party has not adopted chip technology, so a merchant running certified chip terminals is not the one left holding it.

Interac Certified

Interac Corp.

Certified processor for Interac Debit, Interac Flash, and Interac e-Transfer transactions. Compliance verified by Interac's certification program before any device is deployed.

FINTRAC Registered

Government of Canada

Registered with the Financial Transactions and Reports Analysis Centre of Canada. Our AML program follows the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

PIPEDA Compliant

Office of the Privacy Commissioner of Canada

Personal information handling fully aligned with Canada's federal privacy law (and Québec Law 25, AB PIPA, BC PIPA where applicable). Audited annually by external counsel.

SOC 2 Type II

AICPA / Independent Auditor

Annual SOC 2 Type II audit covering security, availability, and confidentiality controls across our operations. Reports available under NDA to qualified prospects and partners.

Defense in Depth

Three layers. Independent. Together.

No single safeguard secures payment data. Our protection happens at every layer — so if one is ever compromised, the others still hold.

Layer 01 · Device

At the card reader, before it leaves your counter.

Card data is encrypted the instant it's read from the chip, magstripe, or contactless surface — using hardware-level encryption inside each Clover terminal.

  • Tamper-resistant security module (TRSM) on every device
  • Format-preserving encryption applied at swipe
  • Card data never stored on the device after the sale
Layer 02 · Transit

While it travels through the network.

Encrypted card data moves directly from the device to our processor over private payment networks rather than through your Wi-Fi router or any system you control. Because the payload is encrypted before it leaves the terminal, no hop between the reader and the processor ever handles a card number in plaintext.

  • TLS 1.3 minimum on all connections
  • Point-to-Point Encryption (P2PE) end-to-end
  • Certificate pinning: the device only completes a TLS handshake with the processor's pinned key, so a forged or mis-issued certificate cannot be used to intercept traffic
Layer 03 · Storage

At rest in our backend systems.

Sensitive data is replaced with tokens the moment it enters our environment. Even our own engineers can't decrypt card numbers — only the processor can, and only when authorizing a transaction.

  • Card data tokenization — never raw PAN at rest
  • AES-256 encryption for all persistent data
  • HSM-managed encryption keys with hardware isolation
Data Lifecycle

What happens to a card after the customer taps it.

Six steps from the moment of payment to money landing in your bank account. At every step, the card data is either encrypted, tokenized, or completely absent from our systems.

01

Customer taps, dips, or swipes

~50ms

Card data is read inside the Clover terminal's tamper-resistant hardware. Whether it comes from the chip, the magstripe, or the contactless interface, the raw card number exists in plaintext only inside that secure module; what the terminal emits is an encrypted payload.

02

Encryption applied on-device

AES-256

Before the card data leaves the terminal, it's encrypted with a key that exists only inside the device and our payment processor. Even if someone intercepted the next step, all they'd see is ciphertext.

03

Transmitted over secure private network

TLS 1.3

The encrypted payload travels over a private payment network directly to our processing partner. Nothing on your local network can read it, it doesn't pass through any PC or Mac, and it doesn't transit the public internet.

04

Authorized by the card network

~600ms

The card-issuing bank checks the funds, fraud signals, and limits — and approves or declines. Both the issuer and the card network operate inside their own PCI-DSS environments. We never see the unencrypted card number at this step.

05

Tokenized in our system

Tokenization

The processor sends back a token, a randomly generated string that identifies the transaction without revealing card data. That token is what we store. Because it is generated at random rather than derived from the card number, there is no computation that turns it back into a PAN: even with full database access, attackers can't reconstruct the card number from it.

06

Settled to your bank

Next-day

The token references the original encrypted transaction during the daily settlement batch. Funds land in your designated bank account next business day. Card data never touches your business systems at any point.
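
The six steps above, together with Layers 01 to 03, as one runnable model. This is an added example, not code from Great POS, Clover or the processor: a terminal encrypts the PAN with AES-256-GCM under a device key it shares only with the processor, the processor decrypts, authorizes and answers with a random token that it alone can map back to a card, and the merchant side keeps only the token, the last four digits and the amount. The device ID clover-0001, the 4111111111111111 test PAN, the stubbed authorization rule and the in-memory vault are all constructed for the example; real deployments typically derive a fresh key per transaction and keep the vault behind an HSM, which this model does not reproduce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Payload is the only thing that crosses the network: device ID (so the processor
// can pick the right key), GCM nonce, ciphertext and amount. No plaintext PAN.
type Payload struct {
	DeviceID string
	Nonce    []byte
	Cipher   []byte
	Amount   int64 // cents
}

// Terminal models the reader. The key is assumed to be injected at manufacture and
// shared only with the processor; in a real device it never leaves the TRSM.
type Terminal struct {
	DeviceID string
	key      []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds device and amount to the ciphertext; changing either in transit
// makes the tag check fail at the processor instead of quietly decrypting.
func aad(deviceID string, amount int64) []byte { return []byte(fmt.Sprintf("%s:%d", deviceID, amount)) }

// Read is steps 01-02: the PAN is encrypted before the terminal emits anything.
func (t *Terminal) Read(pan string, amount int64) (Payload, error) {
	g, err := gcmFor(t.key)
	if err != nil {
		return Payload{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Payload{}, err
	}
	return Payload{t.DeviceID, nonce, g.Seal(nil, nonce, []byte(pan), aad(t.DeviceID, amount)), amount}, nil
}

// Processor is the only party holding device keys and the token vault.
type Processor struct {
	keys  map[string][]byte
	vault map[string]string // token -> PAN; never leaves the processor
}

// Authorize is steps 04-05: decrypt, check, and hand back a random token.
// The issuer's decision is stubbed as "PAN is 16 digits" for the demo.
func (p *Processor) Authorize(pl Payload) (token, last4 string, err error) {
	key, ok := p.keys[pl.DeviceID]
	if !ok {
		return "", "", errors.New("unknown device")
	}
	g, err := gcmFor(key)
	if err != nil {
		return "", "", err
	}
	pan, err := g.Open(nil, pl.Nonce, pl.Cipher, aad(pl.DeviceID, pl.Amount))
	if err != nil {
		return "", "", fmt.Errorf("payload rejected: %w", err)
	}
	if len(pan) != 16 {
		return "", "", errors.New("declined")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(raw) // random, so nothing about the PAN leaks
	p.vault[token] = string(pan)
	return token, string(pan[12:]), nil
}

// RunSale is the full path from tap to what the merchant side stores (step 06):
// token and last four only, never the PAN.
func RunSale(t *Terminal, p *Processor, pan string, amount int64) (token, last4 string, err error) {
	pl, err := t.Read(pan, amount)
	if err != nil {
		return "", "", err
	}
	return p.Authorize(pl)
}

// NewPair provisions one terminal and one processor sharing a fresh AES-256 key.
func NewPair() (*Terminal, *Processor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	return &Terminal{"clover-0001", key},
		&Processor{map[string][]byte{"clover-0001": key}, map[string]string{}}, nil
}

func main() {
	term, proc, _ := NewPair()
	tok, last4, err := RunSale(term, proc, "4111111111111111", 1299) // constructed test PAN
	fmt.Println("merchant stores:", tok, last4, err)
	pl, _ := term.Read("4111111111111111", 1299)
	pl.Amount = 1 // alter the amount in transit; the GCM tag check rejects it
	_, _, err = proc.Authorize(pl)
	fmt.Println("tampered payload:", err)
}
```

Two things to look at: the amount is bound to the ciphertext as associated data, so a payload whose amount was changed on the wire is rejected by the processor rather than decrypted; and because the token comes from a CSPRNG rather than from the PAN, the merchant-side record reveals nothing about the card even to someone who knows exactly how the vault works.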

Operational Security

Six pillars that keep the system honest.

Encryption is necessary but not sufficient. Real security depends on the people, processes, and policies around the technology.

Encryption everywhere

AES-256 for data at rest, TLS 1.3 in transit, HSM-managed keys. Card data is never in plaintext at any persistent layer.

Tokenization

Raw card numbers are replaced with tokens issued by the processor. Nothing in our environment can map a token back to a card number, so even our own staff with full database access recover nothing but tokens.

Real-time fraud detection

Machine-learning models score every transaction against historical patterns. Velocity checks (how often a card is used within a window), geo anomalies (uses too far apart in too little time to be the same cardholder), and BIN-level intelligence are evaluated per transaction, before the response goes back to the terminal.
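
The three signals named above, as an added detection example and not Great POS's scoring model (whose rules and weights the page does not publish): a sliding-window velocity count per token, a travel-speed check between consecutive uses at different merchant locations, and a weighted lookup against a BIN risk list. The thresholds, the weights, the 999999 BIN and the Toronto/Vancouver coordinates are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Txn is the per-transaction view available to the scorer: the processor token,
// BIN metadata (assumed to be returned alongside the token), amount, the merchant
// location and a timestamp. Field names are this example's, not Great POS's.
type Txn struct {
	Token  string
	BIN    string
	Amount int64 // cents
	Lat    float64
	Lon    float64
	At     time.Time
}

// Scorer holds the rules; every threshold and weight here is illustrative.
type Scorer struct {
	VelocityWindow time.Duration  // how far back the velocity count looks
	VelocityMax    int            // uses of one token allowed inside the window
	MaxSpeedKmh    float64        // faster than this between two uses is impossible travel
	RiskyBINs      map[string]int // constructed BIN-level intelligence, weight per BIN
	history        map[string][]Txn
}

func NewScorer() *Scorer {
	return &Scorer{
		VelocityWindow: 10 * time.Minute,
		VelocityMax:    3,
		MaxSpeedKmh:    900,
		RiskyBINs:      map[string]int{"999999": 40}, // constructed; not a real BIN
		history:        map[string][]Txn{},
	}
}

// haversineKm is the great-circle distance between two points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// Score returns a risk score and the rules that fired, then records the transaction.
func (s *Scorer) Score(t Txn) (int, []string) {
	score, reasons := 0, []string{}
	prev := s.history[t.Token]
	sort.Slice(prev, func(i, j int) bool { return prev[i].At.Before(prev[j].At) })

	// Velocity: earlier uses of this token inside the window, plus this one.
	n := 0
	for _, p := range prev {
		if !p.At.After(t.At) && t.At.Sub(p.At) <= s.VelocityWindow {
			n++
		}
	}
	if n+1 > s.VelocityMax {
		score += 50
		reasons = append(reasons, fmt.Sprintf("velocity: %d uses in %s", n+1, s.VelocityWindow))
	}

	// Geo anomaly: implied travel speed since the most recent earlier use.
	if len(prev) > 0 {
		last := prev[len(prev)-1]
		hours := t.At.Sub(last.At).Hours()
		km := haversineKm(last.Lat, last.Lon, t.Lat, t.Lon)
		if hours > 0 && km/hours > s.MaxSpeedKmh {
			score += 60
			reasons = append(reasons, fmt.Sprintf("geo: %.0f km in %.1f h", km, hours))
		}
	}

	// BIN intelligence: weighted hit on the risk list.
	if w, ok := s.RiskyBINs[t.BIN]; ok {
		score += w
		reasons = append(reasons, "bin: "+t.BIN+" on risk list")
	}

	s.history[t.Token] = append(prev, t)
	return score, reasons
}

// Decide maps a score to an action: 100 and up declines, 50 and up goes to review.
func Decide(score int) string {
	switch {
	case score >= 100:
		return "decline"
	case score >= 50:
		return "review"
	}
	return "approve"
}

func main() {
	s := NewScorer()
	now := time.Now()
	// Constructed stream: one tap in Toronto, another in Vancouver 30 minutes later.
	s.Score(Txn{Token: "tok_demo", BIN: "411111", Amount: 2000, Lat: 43.65, Lon: -79.38, At: now})
	score, why := s.Score(Txn{Token: "tok_demo", BIN: "411111", Amount: 1500, Lat: 49.28, Lon: -123.12, At: now.Add(30 * time.Minute)})
	fmt.Println(Decide(score), score, why)
}
```

Scores are additive so that no single signal decides alone: a risky BIN by itself stays below the review line, while a risky BIN plus an impossible-travel hit crosses into decline. In production the history map would be a shared store keyed by token with a TTL, and the weights would come from the model the page describes rather than from constants.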

Least-privilege access

Every internal system uses role-based access control. Even engineering doesn't get production access by default — and any production access is logged, time-bound, and approved.

Annual training & audits

Every employee completes security training annually. Independent auditors validate our PCI compliance, SOC 2 controls, and incident response procedures yearly.

Incident response, 24/7

A dedicated team is on call around the clock. Any security event triggers a documented response plan with strict notification timelines — including notifying you within 24 hours of any breach affecting your data.

What We Don't Do

Five things you'll never find here.

Sometimes security is best understood by what's deliberately missing from the system.

01
We never store raw card numbers in our databases. Even with a complete data breach, attackers wouldn't find card numbers — only tokens that are useless outside our processor's environment.
02
We never share customer data with marketing or ad networks. Your customer transaction data is not a data product. Period. It's not anonymized and sold, it's not used to train models for other clients, it's not shared with any third party for any commercial purpose.
03
We never grant blanket production access to any employee. All production-system access is time-bound, logged, justified, and approved. No engineer — including our CTO — has standing access to live merchant data.
04
We never use offshore call centres for support. Every Great POS support team member is based in Canada and has signed Canadian-jurisdiction confidentiality and PIPEDA agreements. Your data doesn't cross borders to be handled.
05
We never hide a security incident. If something affects you, you'll hear from us — fast, completely, and without spin. Our incident response protocol commits to notification within 24 hours of confirming any breach affecting merchant data.
Found a Vulnerability?

We want to hear about it.

Researchers and security professionals make the entire payment ecosystem safer. If you've found something, here's how to tell us.

Responsible disclosure, no drama.

Submit findings privately, give us reasonable time to respond, and we'll credit your work publicly once the issue is resolved (with your permission). We don't pursue good-faith researchers.

How to submit a finding

Email your detailed report to security@greatpos.com — including the affected component, reproduction steps, and impact assessment. Encrypt with our PGP key (available on request) if the issue is sensitive.

We respond within 1 business day. Confirmed receipt and initial triage within 24 hours.
Critical issues get fast remediation. Patched within 72 hours for confirmed critical vulnerabilities.
We credit you publicly. Researcher acknowledgments page maintained at greatpos.ca/security/researchers.
Safe harbor. No legal action against good-faith researchers following our policy.
Security FAQ

Questions about security.

The questions IT teams, compliance officers, and concerned business owners ask us most.

PCI-DSS Level 1 is the highest tier of Payment Card Industry compliance. The 6 million transactions a year figure is the merchant threshold; service providers such as processors reach Level 1 at 300,000+ transactions a year under the Visa and Mastercard programs. Practically, it means we undergo an annual on-site audit by a Qualified Security Assessor (QSA), maintain detailed access controls, encrypt all stored cardholder data, run quarterly external vulnerability scans through an Approved Scanning Vendor (ASV), and remediate any findings on a strict timeline. For you, the practical benefit is that you don't have to worry about whether your processor meets the standard, and your own PCI compliance burden (as a Merchant) is reduced because the card data never reaches your systems. Reduced is not eliminated: you still complete the Self-Assessment Questionnaire that applies to your setup and you remain responsible for the physical security of the terminals themselves.

If a breach occurs because of an issue in our systems — and you've followed the security obligations in your Merchant Services Agreement — you're not liable for the breach itself. Card network fines and forensic costs for processor-side breaches fall on us, not on you. Where liability does fall to merchants is when their own systems are the entry point (e.g., a compromised employee credential, an outdated POS device kept past its end-of-life date, or a skimmer attached to a terminal). That's why we cover Merchant obligations clearly in our Terms of Service.

Merchant data — including transaction records, account details, and customer information — is stored in Canadian data centres operated by our infrastructure partners and our processor. Backup copies are stored in geographically separate Canadian data centres for disaster recovery. Card data itself is held in our processor's PCI-DSS Level 1 environment, also located in Canada. We do not store any merchant or cardholder data outside Canadian jurisdiction.

Four ways. First, the principle of least privilege — no employee has access they don't actively need for their job. Second, mandatory background checks on all new hires and re-verification for anyone in privileged roles. Third, all production access is time-bound, logged, justified in writing, and approved by a separate manager. Fourth, full audit logs are reviewed weekly. We also conduct annual security training and run simulated phishing exercises quarterly.

The Clover system is designed so that even compromised employee credentials don't expose card data — because the card data isn't stored in your environment to begin with. The worst an internal actor could do is process unauthorized refunds or transactions, but every action is logged and traceable to a specific user. If you notify us of suspected fraud, we can pull a complete audit trail and reverse fraudulent transactions where eligible. We'll also help you respond and tighten your internal controls.

Yes, our SOC 2 Type II report is available to qualified prospects, customers, and partners under a mutual non-disclosure agreement. Email security@greatpos.com from your work address with the request. We typically turn around an NDA and provide the report within 3 business days. We can also share our PCI-DSS Attestation of Compliance (AoC) without an NDA.

For active security concerns — suspected device tampering, suspicious transactions, phishing attempts impersonating us — call us at (866) 667-1377 immediately, then follow up with details to security@greatpos.com. For ongoing operational status of our services, check our live System Status page which shows real-time service health and any open incidents.

Security First

Built for the businesses that can't afford a breach.

If security is non-negotiable for your business, you're already thinking the way we build. Let's talk about what running on a properly-secured payment stack looks like for your operation.