Network Security at Hyp

We've built our network with security as the foundation, using multiple layers of protection to keep cardholder data safe. Our approach is based on the principle that no network traffic should be trusted by default – everything must be verified and authorized.

Network security overview

Hyp's network security follows a zero-trust architecture where all connections must be authenticated, authorized, and encrypted regardless of origin. The infrastructure uses defense-in-depth with multiple security layers, including dedicated cardholder data environment (CDE) segments, VLANs, firewalls, and software-defined networking. All systems are hardened according to industry standards, with vendor defaults changed, unnecessary services removed, and continuous monitoring for threats and configuration drift.

Security controls and monitoring

The platform implements comprehensive security controls, including stateful inspection firewalls with least-privilege rules, quarterly vulnerability scans, monthly internal assessments, and annual penetration testing. Real-time intrusion detection and prevention systems monitor all network segments, supported by 24/7 security operations center coverage. Patch management ensures critical updates are deployed within 30 days, with emergency patches available within 24 hours for zero-day vulnerabilities.

Supported cipher suites

We maintain strong encryption standards across all network communications using carefully selected cipher suites:

TLS 1.3 (Preferred):

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_GCM_SHA256

TLS 1.2 (Supported):

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

These cipher suites are regularly updated based on security research and industry recommendations. We recommend matching your configuration to our supported list for optimal compatibility and security.
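One way to follow the recommendation above from a Python client, as an added example that is not Hyp's code: it translates the listed TLS 1.2 IANA names into the OpenSSL names that `ssl.SSLContext.set_ciphers()` expects, restricts a client context to them, and audits a configured suite list against the list on this page. The function names and the sample client list are assumptions made for illustration.

```python
import ssl

# IANA suite names copied from the list above.
HYP_TLS13 = ("TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 "
             "TLS_AES_128_GCM_SHA256").split()
HYP_TLS12 = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
""".split()

def to_openssl(iana):
    """Translate a listed TLS 1.2 IANA suite name to OpenSSL's name."""
    kx, _, rest = iana[len("TLS_"):].partition("_WITH_")
    cipher, mac = rest.rsplit("_", 1)             # "AES_256_GCM", "SHA384"
    alg, bits, mode = cipher.split("_")
    parts = [] if kx == "RSA" else kx.split("_")  # OpenSSL omits plain RSA
    parts.append(alg + bits)
    if mode != "CBC":                             # OpenSSL leaves CBC implicit
        parts.append(mode)
    return "-".join(parts + [mac])

def audit(configured):
    """Compare a client's configured IANA suite names with the list."""
    listed = set(HYP_TLS13) | set(HYP_TLS12)
    common = [s for s in configured if s in listed]
    return {
        "negotiable": common,
        "not_on_list": [s for s in configured if s not in listed],
        # Static-RSA key exchange provides no forward secrecy.
        "static_rsa": [s for s in common if s.startswith("TLS_RSA_WITH_")],
    }

def client_context(suites=HYP_TLS12):
    """Client context limited to TLS 1.2+ and the given TLS 1.2 suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 keeps library defaults.
    ctx.set_ciphers(":".join(to_openssl(s) for s in suites))
    return ctx

# Constructed sample: one client's configured suites.
SAMPLE = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA256"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```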

Shared responsibility model

Security responsibilities vary by integration type:

  • SAQ A merchants have zero network security responsibilities, as Hyp handles everything.

  • SAQ A-EP merchants are responsible for managing their web environment that collects card data, while Hyp covers all other controls.

  • SAQ D merchants and Hyp share most security responsibilities, with coordinated management across both environments.

Shared Responsibility Matrix: The responsibilities for each side are detailed in the shared responsibility matrix, available upon request from your Hyp representative. Key shared controls include coordinated vulnerability remediation, incident response, and compliance reporting.
