The Coupa Business Spend Management (BSM) Platform is delivered from the ground up as an industry leading, cloud-based solution. For those BSM customers that require the full complement of credit card data safeguards, certified by the Payment Card Industry Data Security Standards (PCI DSS), Coupa offers a fully compliant, PCI cloud environment to support those needs. By implementing and maintaining the PCI DSS, Coupa is compliant with industry best practices for maintaining the confidentiality of customer credit card information hosted on the platform.
Coupa’s secure cloud infrastructure has been certified by a Qualified Security Assessor (QSA), earning Coupa PCI Certification and placement on the list of Certified Service Providers. This certification and the Attestation of Compliance (AOC) was achieved through the demonstrated implementation and operationalization of PCI Security Standards:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
Key Use Cases
Situations where Coupa can store and maintain payment card information, including payment cards in Coupa Procurement. Coupa can also integrate personal and corporate credit card data feeds to facilitate the automated creation of expense line items within Coupa Expenses. In all cases, Coupa receives, stores, and transmits credit card data in a secure fashion, as dictated by the PCI DSS.
Coupa Cardholder Data Environment
The Coupa Cardholder Data Environment (CDE) is a designated, secured region within the Coupa Cloud infrastructure that receives, stores, and transmits cardholder data in support of the above-named, financial product workflows. All aspects of the Coupa system that connect to the Coupa CDE are evaluated and included in the PCI assessment.
Per the PCI DSS, Coupa has successfully implemented the PCI requirements across all Coupa CDE network components (firewalls, switches, routers, access points, network appliances, security appliances, etc.), servers (web servers, application servers, database servers, authentication servers, mail servers, proxy servers, network time protocol, domain name servers, etc.), internal and external applications, virtual components, and applicable third party systems as part of the qualification.
Coupa’s CDEs are located in the US and EU regions.
Additional technical safeguards have been put in place to protect cardholder data in the PCI Cloud. Rigorous access controls are in place to help ensure that only appropriate parties have access to Coupa systems. The Coupa platform secures data both in transit and at rest.
Data in Transit Encryption
Coupa encrypts data in transit to prevent it from being intercepted and compromised. HTTP data is encrypted before being transferred between the server and the end user through web browser, mobile app, email, and API calls. Transfer of data between servers and storage within the CDE is also encrypted. File data transfers use SFTP (Secure FTP) with the additional option of PGP file encryption. Opportunistic TLS is utilized for email communications in the PCI Cloud. As an additional PCI security measure, TLS 1.0 is disabled.
Data at Rest Encryption
In general, Coupa employs multiple strategies for encrypting data at rest. Credit card data entered into specifically identified fields designated by Coupa are encrypted on the application server side prior to being saved in the database. File attachments are encrypted both on the application server side prior to being saved, and again on the server side prior to being saved. The Coupa mobile app is encrypted to protect data at rest.
Coupa uses strong encryption methods to ensure credit card data is protected against compromise.
- Encryption algorithms: Coupa uses PGP to encrypt files and AES 256 to encrypt application data. In addition, files are also encrypted using Amazon Web Services (AWS) S3 native encryption.
- Key Management: Coupa uses the AWS key management service to manage encryption keys. Each Coupa customer is assigned unique encryption keys.
Coupa uses AWS infrastructure to provide the computing, network and storage services needed to run our financial applications. AWS is a well-known provider which has appropriate controls in place for facility security, access control, and contingency operations. In addition, Coupa employs security provisions for its own facilities, including badge access control, workstation security, backups, and workstation reuse.
Coupa has implemented business policies and procedures to control access to all secure systems. Coupa’s VP of Security and Compliance is responsible for the development and implementation of these policies and procedures. Access to Coupa systems is only given to US personnel after a credit and criminal background check is completed. Termination procedures ensure that access is terminated appropriately. Security incident response and breach notification procedures ensure that any incidents are properly reported to supervisors, customers, and regulatory authorities as required by law. Contingency plans ensure availability of data in case of a disaster.
PCI Compliance Reports
A copy of the current Coupa PCI Attestation of Compliance can be downloaded from the Coupa Compliance Reports Request Portal.