Blackhawk Network has established an information security team that has purpose, direction and rules for maintaining trust. This has been done by assessing our risk and continuous improvement to confidentiality, integrity and availability on our core platforms and systems. Our security program covers all principles and controls of ISO: 27001:2013 Information Security Management.
The Information Security center provides a central location to read about our extensive technical, operational, and organizational information security practices.
Our onboarding process
Ensuring our platforms and applications are best in class
How we protect the information in our network
Identifying security threats against our network
Protecting our physical locations unauthorized access
Steps taken to reduce risk and enable the business to continue during severe business disruptions
Keeping all assets that are accessed by third parties safe and secure
Following the standards and regulations specific to the needs of our customers’ businesses or industries
All new hires are required to complete a level of background checks appropriate to their role, sign a security policy acknowledgement and non-disclosure agreement, and undertake our security training. Only employees that have completed these security procedures are granted physical and logical access to the corporate environments.
All employees in their respective region must pass pre-employment background checks.
Information Security and Compliance Training
Compliance Training must be completed upon hire. Examples of courses assigned based on job role include:
Anti-Bribery and Corruption
Code of Business Conduct and Ethics
Conflict of interest
Information Security and Data Privacy
General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) awareness (as applicable)
In addition, all employees must take a refresher training annually thereafter.
Compliance and Ethics Helpline
Blackhawk Network have a confidential/ anonymous helpline set up for employees to report concerns.
Our core goal is to develop platforms and applications that are best in class when it comes to security. Our applications provide administrative control and visibility features that empower both IT and end users to manage the business and data.
Application security standards and guidelines
The Software Development Life Cycle (SDLC) defines the process by which we create secure applications and the activities that the different teams must perform at differing levels of development. Requirements, design, implementation, testing and deployment.
Security by design
Our engineers perform several different activities to ensure that our products are secure, including:
Ensuring all developers are fully trained to the latest OWASP standards. Delivered by utilizing application security solutions that equips our developers to think and act with a security mindset
Internal security reviews
Regular vulnerability scans and penetration testing
Running bug bounty programs on multiple environments
Peer code reviews
Vulnerability disclosure program
Automated static code analysis
A formal Change Management process has been defined by the Engineering team to ensure that application changes have been authorized prior to implementation into the production environments. Changes are stored in a version control system and are required to go through QA testing procedures to verify that security requirements are met. Successful completion of the QA process leads to the implementation of the change. Our SDLC requires adherence to secure coding guidelines (OWASP) as well as screening of code changes for potential security issues.
Our security team perform automated and manual applications security testing, on a regular basis to identify and patch security vulnerabilities and bugs in our applications. The input from these activities is assessed by security, and priorities are assigned to the items assessed by the security team. Findings and recommendations that result from these assessments are reported to security management, evaluated, tracked and resolved by security engineers.
Our bug bounty program taps into the expertise of the broader security community, providing an incentive for ‘researchers’ to disclose software bugs and centralize reporting streams. This engagement of an external partner provides our security with independent scrutiny of our applications to help keep users safe. We have established a scope for eligible submissions as well as a responsible disclosure policy that promotes the discovery and reporting of security vulnerabilities and increase security. To disclose any vulnerabilities identified Blackhawk Network have a Vulnerability Disclosure Program, these can be submitted to the following email address: firstname.lastname@example.org
Blackhawk Network servers are hosted at premium data centers globally. The data centers are PCI-DSS, SSAE-16, and ISO27001 compliant with first class supporting facilities (HVAC System). Support is provided 24/7, our Network and Security Operations Centre (NSOC) are on hand to respond to security alerts and events. Globally we are supported in the use of AWS and Azure cloud technologies within the respective geo-locations to ensure data is secure at rest and in transit.
All assets have defined owners, security classification and purpose.
Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Direct access to production resources is strictly restricted to engineers requiring access and requires senior management approval, strong MFA, and is subject to audit and review.
Our network security and monitoring posture is designed to provide multiple layers of protection
and defense. Blackhawk Network employs industry-standard protection – including firewalls, network vulnerability scanning, network security monitoring, and IDS systems to ensure eligible ad non-malicious traffic can reach our infrastructure. Our infrastructure is monitored 24/7 using our Network and
Security Operations Centre (NSOC).
We have proactive and detective capabilities using the latest security monitoring tools within our Network and Security Operations Centre (NSOC). With a team of security analyst identifying and triaging security threats against our global network, we monitor all endpoints connected to the Blackhawk Network.
Our Security Operations Center maintains an incident response program. The program defines incidents in classifications and are triaged. The incident response analyst assesses the threat of all vulnerabilities and security incidents and establishes remediation and mitigations for all events.
Security logs are retained and consolidated using a SIEM solution for proactive threat management. Access to the logs is strictly controlled only accessible to the Security Team.
Physical security is an important part of our security strategy, we are committed to ensuring all our physical locations globally are secure and safe working environments.
All global locations have a security program that manages visitors, building entrances, CCTV and office security. All employees have access cards and identification badges.
Physical access to datacenter facilities where production systems reside is strictly restricted to employees authorized to do so by Security and Technology, to perform their job functions. Any individuals requiring additional access are granted through explicit approval by management. For employees to gain access they are required to provide photographic identification.
Blackhawk Network leverages AWS and Azure datacenters for production systems globally. AWS and Azure follow industry best practices and complies with many global standards.
Blackhawk Network has established a Business Continuity and Disaster Recovery Program (BC/DR Program) to reduce the risk of severe business disruptions. The program establishes plans to manage these incidents in advance and enables business to continue as effectively as possible and return to normal operations promptly after a disruption.
Blackhawk’s BC/DR Program aligns with ISO 22301:2012 and ISO 27001:2013 and considers other relevant frameworks. Our BC/DR Program accounts for unavailability of the following critical assets, regardless of the event that causes the disruption:
Unavailability of staff
Unavailability of technology
Unavailability of facilities
Unavailability of third parties
The BC/DR program includes:
Business impact assessments (BIA)
Corporate Incident Response and Crisis Communication Plan
Redundant communication, such as satellite devices
Local Business Continuity Plans
Disaster Recovery Plans for technology and business processes
Plan testing/ exercising
Annual review of the BC/DR strategy
Blackhawk’s Disaster Recovery requirements enable current disaster recovery plans for the technology supporting our critical business elements. The relevant technology teams document and review DR plans annually, with selected elements tested at least annually based on their impact analysis.
Blackhawk’s technology footprint spans co-located data centers including but not limited to Cyxtera, Sungard, Digital Realty and cloud providers such as AWS and Azure. The hybrid architecture allows us to remain resilient globally even if one location becomes unavailable. Our physical and cloud datacenters span multiple geographic regions and availability zones, which allow Blackhawk Network technology to remain resilient in the event of most failure modes, including natural disasters or system failures.
Business continuity and disaster recovery plans are tested at planned intervals and upon significant organizational or environmental changes.
Managing visibility into the supply chain is important. Blackhawk Network procurement is performed through a third-party SaaS-based procure-to-pay (P2P) supplier information management (SIM) portal.
Blackhawk Network business relationship owners, answer questions regarding the products/ services and the vendor will be placed into a Tier ranking. The vendor management program requires specific documentation and assessments based on the ranking (Tier 0 - Critical, Tier 1 - High, Tier 2 – Medium, and Tier 3 - Low) due to risk.
On going monitoring/ Due diligence
Once a relationship is established Blackhawk Network periodically reviews security concerns for existing third parties. The program considers the type of product/ service offered, access and classification of data being accessed (if any), and reviews the controls of protection, and legal/ regulatory requirements.
There are many different compliance standards and regulations that may apply to your organization. Our approach is to combine the most accepted standards with compliance measures geared to the specific needs of our customers’ businesses or industries.
Blackhawk Network is a Payment Card Industry Data Security Standard (PCI DSS) compliant processor. The PCI Attestation of Compliance (AOC) for our compliance status is available upon request.
ISO: 27001:2013 Information Security Management System (ISMS)
ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standard also leverages the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing our physical, technical, and legal controls at Blackhawk Network.
ISO: 27701:2019 Privacy Information Management System (PIMS)
ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. An international management system standard, it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
The SOC 2 report provides customers with a detailed level of controls-based assurance, covering all five Trust Service Principles of Security, Confidentiality, Processing Integrity, Availability, and Privacy. The SOC 2 report includes a detailed description of Business Systems processes and more than 100 controls in place to protect your data. In addition to our independent third-party auditor’s opinion on the effective design and operation of our controls, the report includes the auditor’s test procedures and results for each control.
Cloud Star Alliance (CSA Star)
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that offers a security assurance program for cloud services, thereby helping users assess the security posture of cloud providers they currently use or are considering contracting with. Blackhawk Network and Hawk Incentives have received the CSA STAR Certification. The Self-Assessment is a rigorous survey based on CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which aligns with the CCM, and provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask.
Cyber Essentials (UK only)
Cyber Essentials is a cyber security standard introduced by the UK government that aims to
provide organizations, with pragmatic and cost-effective protection against the most common cyber security threats.
HIPAA/HITECH (US only)
Certain of the Blackhawk Network systems and services are compliant with the requirements of the US HIPAA and HITECH regulations for the processing of electronic Personal Health Information records. Use of those services by a HIPAA Covered Entity must be explicitly contracted for and is subject to the execution of a Business Associate Agreement governing the organizational and technical controls applicable to the processing of that data. The relevant Blackhawk Network systems are independently audited on a recurring basis and documentation made available when appropriate.