Blackhawk Network Holdings, Inc., together with its subsidiaries (Blackhawk), is a leading prepaid payment network that uses proprietary technology to offer a broad range of prepaid gift and telecom cards, in physical and electronic forms, as well as related prepaid products and payment services in the United States and 26 other countries, and can deliver solutions in over 100 countries. Our product offerings include single-use gift cards; loyalty, incentive and reward products and services; prepaid telecom products; and prepaid financial services products, including general-purpose reloadable (GPR) cards and our reload network (collectively, prepaid products). We offer gift cards from leading consumer brands (known as closed loop), branded gift and incentive cards from leading payment network card associations such as American Express, Discover, MasterCard and Visa (known as open loop), and prepaid telecom products offered by prepaid wireless telecom carriers.
Security Organization and Global Program
Blackhawk Network has established an information security team with a defined purpose, direction and set of rules for maintaining trust. This is achieved by assessing our risk and continuously improving the confidentiality, integrity and availability of our core platforms and systems. Our security program covers all principles and controls of ISO/IEC 27001:2013 Information Security Management, against which we have been certified since 2017. We run an array of programs covering Asset Management, Cryptography, Physical Security, Product Security, Cloud and Network Security, Compliance, Vendor Management and Vulnerability Management, as well as continuous Security Monitoring and Incident Response.
Upon hire, each Blackhawk Network employee is required to complete a background check, sign a security policy acknowledgement and non-disclosure agreement, and undertake our security training. Only employees who have completed these security procedures are granted physical and logical access to the corporate environments.
[a] Background checks
All employees must pass the background checks required in their respective region.
[b] Infosec & Compliance Training
All employees must complete the Compliance Training upon hire, during the onboarding process. The course list includes:
Anti-Bribery and Corruption
Code of Business Conduct and Ethics
Conflicts of Interest
Information Security and Data Privacy
General Data Protection Regulation (GDPR)
In addition, all employees must take the refresher training annually thereafter.
[c] Compliance and Ethics Helpline
Blackhawk Network has a confidential, anonymous helpline set up for employees.
Our core goal is to develop platforms and applications that are best in class when it comes to security. Our applications provide administrative control and visibility features that empower both IT and end users to manage the business and data.
[a] Application security standards and guidelines
The Software Development Life Cycle (SDLC) defines the process by which we create secure applications and the activities that the different teams must perform across the phases of development: requirements, design, implementation, testing and deployment.
[b] Security by design
Our engineers perform several different activities to ensure that our products are secure, including:
Ensuring all developers are trained on current OWASP guidance, delivered through application security training tools that equip our developers to think and act with a security mindset
Internal security reviews
Regular vulnerability scans and penetration testing
Running bug bounty programs on multiple environments
Peer code reviews
Vulnerability disclosure program
Automated static code analysis
[c] Change management
A formal Change Management process has been defined by the Engineering team to ensure that application changes are authorized before deployment to production environments. Changes are stored in a version control system and are required to go through QA testing procedures to verify that security requirements are met. Successful completion of the QA process leads to the deployment of the change. Our SDLC requires adherence to secure coding guidelines (OWASP) as well as screening of code changes for potential security issues.
[d] Penetration testing
Our security team performs automated and manual application security testing on a regular basis to identify and patch security vulnerabilities and bugs in our applications. Findings from these activities are assessed and prioritized by the security team. Findings and recommendations that result from these assessments are reported to security management, evaluated, tracked and resolved by security engineers.
[e] Bug bounties
Our bug bounty program taps into the expertise of the broader security community. It provides an incentive for researchers to disclose software bugs and centralizes reporting into a single stream. This engagement of an external partner gives our security team independent scrutiny of our applications to help keep users safe. We have established a scope for eligible submissions as well as a responsible disclosure policy that promotes the discovery and reporting of security vulnerabilities.
Security bugs can be reported to firstname.lastname@example.org
Cloud and Network Infrastructure Security
Blackhawk Network servers are hosted at premium data centers globally. The data centers are PCI-DSS, SSAE-16 and ISO 27001 compliant, with first class supporting facilities (HVAC). Support is provided 24/7; our Network and Security Operations Centre (NSOC) is on hand to respond to security alerts and events. Globally, we use AWS and Azure cloud services within the relevant geographic regions to keep data protected at rest and in transit.
[a] Asset management
All assets have defined owners, security classification and purpose.
[b] Infrastructure management
Direct access to infrastructure, networks and data is minimized as far as possible. Direct access to production resources is strictly restricted to engineers who require it, and requires senior management approval and strong multi-factor authentication (MFA).
[c] Network monitoring
Our network security and monitoring posture is designed to provide multiple layers of protection and defense. Blackhawk Network employs industry-standard protection, including firewalls, network vulnerability scanning, network security monitoring and IDS systems, to ensure that only eligible, non-malicious traffic reaches our infrastructure. Our infrastructure is monitored 24/7 by our Network and Security Operations Centre (NSOC).
We have proactive and detective capabilities using the latest security monitoring tools within our Network and Security Operations Centre (NSOC). With a team of security analysts identifying and triaging security threats against our global network, we monitor all endpoints connected to the Blackhawk Network.
[a] Incident response
Our Security Operations Center maintains an incident response program. The program classifies incidents and triages them according to their classification. The incident response analyst assesses the threat posed by each vulnerability and security incident and establishes remediation and mitigation for each event.
[b] Log retention
Security logs are retained and consolidated using a SIEM solution for proactive threat management. Access to the logs is strictly controlled and limited to the Security Team.
Physical security is an important part of our security strategy; we are committed to ensuring that all our physical locations globally are secure and safe working environments.
[a] Office security
All global locations have a security program that manages visitors, building entrances, CCTV and office security. All employees have access cards and identification badges.
[b] Datacenter security
Physical access to datacenter facilities where production systems reside is strictly restricted to employees authorized by Security and Technology to perform their job functions. Any individual requiring additional access is granted it through explicit approval by management. To gain access, employees are required to provide photographic identification and, in some cases, biometric scan data.
Blackhawk Network leverages AWS and Azure datacenters for production systems globally. AWS and Azure follow industry best practices and comply with many global standards.
Business Continuity & Disaster Recovery
Blackhawk Network has established a Business Continuity and Disaster Recovery Program (BC/DR Program) to reduce the risk of severe business disruptions. The program establishes plans to manage these incidents in advance and enables business to continue as effectively as possible and return to normal operations promptly after a disruption.
Blackhawk’s BC/DR Program aligns with ISO 22301:2012 and ISO 27001:2013 and considers other relevant frameworks. Our BC/DR Program accounts for unavailability of the following critical assets, regardless of the event that causes the disruption:
Unavailability of staff
Unavailability of technology
Unavailability of facilities
Unavailability of third parties
The BC/DR program includes:
Business impact assessments (BIA)
Corporate Incident Response and Crisis Communication Plan
Redundant communications, such as satellite devices
Local Business Continuity Plans
Disaster Recovery Plans for technology and business processes
Plan testing/ exercising
Annual review of the BC/DR strategy
Blackhawk’s Disaster Recovery requirements mandate current disaster recovery plans for the technology supporting our critical business elements. The relevant technology teams document and review DR plans annually, with selected elements tested at least annually based on their impact analysis.
Blackhawk’s technology footprint spans co-located data centers such as Cyxtera, Sungard, Digital Realty (to name a few) and cloud providers such as AWS and Azure. The hybrid architecture allows us to remain resilient globally even if one location becomes unavailable. Our physical and cloud datacenters span multiple geographic regions and availability zones, which allow Blackhawk Network technology to remain resilient in the event of most failure modes, including natural disasters or system failures.
Business continuity and disaster recovery plans are tested at planned intervals and upon significant organizational or environmental changes.
Third Party Security
Managing visibility into the supply chain is important. Blackhawk Network procurement is performed through a third-party SaaS-based procure-to-pay (P2P) supplier information management (SIM) portal.
[a] Vendor management
Blackhawk Network business relationship owners answer questions about the product or service, and the vendor is placed into a risk tier. The vendor management program requires specific documentation and assessments based on the tier (Tier 0 - Critical, Tier 1 - High, Tier 2 - Medium, and Tier 3 - Low).
[b] Ongoing monitoring / due diligence
Once a relationship is established, Blackhawk Network periodically reviews security concerns for existing third parties. The program considers the type of product or service offered, the access to and classification of any data being accessed, the protective controls in place, and legal and regulatory requirements.
There are many different compliance standards and regulations that may apply to your organization. Our approach is to combine the most accepted standards with compliance measures geared to the specific needs of our customers’ businesses or industries.
[a] Payment Card Industry Data Security Standard (PCI DSS)
Blackhawk Network is a PCI DSS compliant processor. The PCI Report on Compliance (ROC) documenting our compliance status is available upon request.
[b] ISO/IEC 27001:2013 Information Security Management System (ISMS)
ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing our physical, technical, and legal controls at Blackhawk Network.
[c] ISO/IEC 27701:2019 Privacy Information Management System (PIMS)
ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. An international management system standard, it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
[d] SOC 2
The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Services Criteria (formerly Trust Services Principles) of Security, Confidentiality, Processing Integrity, Availability and Privacy. The SOC 2 report includes a detailed description of business system processes and more than 100 controls in place to protect your data. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control.
[e] Cloud Security Alliance (CSA STAR)
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that offers a security assurance program for cloud services, helping users assess the security posture of cloud providers they currently use or are considering contracting with. Blackhawk Network and Hawk Incentives have received CSA STAR certification. The STAR Self-Assessment is a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the Cloud Controls Matrix (CCM) and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask.
[f] HIPAA / HITECH
Blackhawk Network will sign agreements with customers who require compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Blackhawk Network makes available a third-party assurance report evaluating our controls against the HIPAA/HITECH Security, Privacy and Breach Notification rules, as well as a mapping of our internal practices and recommendations for customers who are looking to meet the HIPAA/HITECH Security and Privacy Rule requirements with Blackhawk Network.
How We Collect Personal Data
Types of Personal Data We Collect
Purposes and Legitimate Interests for Use of Personal Data
How We Share Personal Data We Collect
Cookies and Tracking
Social Media Widgets
Image Submissions and Public Directories
EU Data Subject Rights
Protecting Children’s Privacy Online
Privacy Shield Certification
[h] EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016/679, or GDPR, is a European Union regulation that marks a significant change to the framework for processing personal data of individuals in the EU. The GDPR introduces a series of new or enhanced requirements that apply to companies like Blackhawk Network which handle personal data. It took effect on 25 May 2018 and replaced EU Directive 95/46/EC, better known as the Data Protection Directive. Like all responsible companies, Blackhawk Network continues to build and execute its GDPR compliance program.
[i] Cyber Essentials (UK only)
Cyber Essentials is a cyber security standard introduced by the UK government that aims to provide organizations with pragmatic and cost-effective protection against the most common cyber security threats.