Security, Compliance and Data Protection

At Edenred, technology is an important part of our business. As we continue to improve and expand our products and services, our security procedures are more important than ever.

PCI and SOC 2 Type II

Edenred complies with the highest standards of data protection in the world.


The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands.

Edenred is a PCI-certified company with the highest standard of controls and certified procedures for cardholder data.

SOC 2 Type II

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data.

Edenred operations and procedures are audited regularly to ensure Edenred meets and exceeds all standards expected of service providers.

Edenred operates in compliance with SOC 2 to ensure your data is protected, available, and secure.

Edenred complies with the California Consumer Privacy Act and GDPL

Learn more about Edenred’s corporate security practices


Risk Assessment and Management

At least every 365 days, a formal, documented IT Risk Assessment is conducted, considering factors that could affect the confidentiality, availability, and integrity of Edenred information assets and systems as well as Edenred’s own and Edenred customers’ data. Both internal and external threats are considered.

Physical Environmental Security

Edenred equipment is installed in suitably protected areas with minimum indication of their purpose, with no obvious signs outside or inside the building identifying the presence of information processing activities.

Access Control

Access to specific applications, systems, components, and technology infrastructure is only granted to personnel with a legitimate need. Privileges assigned are limited to the minimum required to perform assigned duties and in accordance with the Information Classification Policy. Edenred may further limit access (i.e., transaction dollar and frequency limits, pre-approval of critical function assignments, etc.). Access not explicitly authorized is forbidden.

Asset Management

Edenred develops, documents, and maintains an inventory of information system components that:

  • Accurately reflects the current information system.
  • Is consistent with the authorization boundary of the information system.
  • Is at the level of granularity deemed necessary for tracking and reporting.
  • Includes manufacturer, model/type, serial number, version number, location (i.e., physical location and logical position within the information system architecture), and ownership.
  • Is available for review and audit by designated organizational officials.


Third Party Management

Edenred Senior Management, with input as appropriate from System Owners and IT Management, exercises appropriate due diligence in the selection of the service provider.


Business Continuity and Disaster Recovery

Edenred recognizes that a significant threat exists to its ability to continue normal operations following a serious unexpected disruptive incident. A high level of dependency upon its automated systems and processes poses risks that need to be mitigated. Edenred further recognizes that it needs to recover from disruptive incidents in the minimum possible time and that this necessity to ensure a speedy restoration of services requires a significant level of advance planning and preparation.

Network Device Management

Edenred IT Staff owns and is responsible for the network infrastructure, including all developmental activities as well as enhancements to the infrastructure. Designated employees of Edenred IT Staff are the only individuals authorized to connect or disconnect network devices to the network. Users do not extend or re-transmit network services in any way. This means users do not install routers, switches, hubs, or wireless access points to the network without Edenred IT Management approval.

To properly diagnose network problems, avoid duplicate addresses, etc., Edenred IT Staff are responsible for and administer connection-related protocols for all devices on the network. In addition to registering all workstations, any devices that connect to the network such as laptops, printers, hubs, or instruments are registered. Conversely, Edenred IT Staff is aware when networked devices are removed from service so their registrations can be cancelled.

Software Development Life Cycle Procedure

Managing Sensitive Information in the System

  • During the project initiation phase, Edenred identifies all the sensitive information, e.g., credit card information, ACH information, debit card information.
  • Edenred establishes processes to store the sensitive data encrypted.
  • Edenred establishes processes to securely transmit sensitive information.
  • Edenred establishes processes to grant access to secure information.
  • Edenred’s Information Security Manager and the Chief Information Officer review/approve all processes.

Code Compilation

Code is compiled using the .NET Framework with the warning level set to the highest.

Security Awareness and Training

The security and stability of the information systems are vital to daily operations. An awareness and training program for all staff is critical to achieving and maintaining an effective information security capability. Information security awareness, training, and education improves employee behavior and accountability, and reduces the risk of unauthorized activity.

All employees and contractors complete Information Security training upon hire and subsequently at least annually. The Information Security training required for all employees and contractors covers identification and reporting of suspicious activities relative to incident response.

All employees sign an agreement stating that they understand all Edenred Information Security Policies, including the Edenred Acceptable Use Policy, and that they shall abide by them. This training is completed prior to any user being granted access to any information system. Users undergo security awareness training prior to being granted access in any capacity to PII, PHI and/or CHD.

All information security-training activities are adequately documented, and individual training records are retained for at least three (3) years.

Information Protection and Flow

Information systems storing, processing, or serving confidential data as defined by the Information Classification, Labeling and Handling Policy are secured with logical and physical access controls. Physical access controls are used to restrict access to hardcopy internal and confidential information.

Logical access to electronic information is granted only with written approval by the employee’s are used to restrict physical access to information systems storing confidential information including restricting physical access to the office facility itself.

Hardcopy information classified as confidential is protected by physical access controls for the office facility. Confidential information is stored in locked cabinets when not in use, especially outside of office hours. Locked offices do not provide sufficient protection, as cleaning and/or facilities maintenance staff may have access to locked offices. Confidential information is not copied or faxed from equipment not owned and/or operated by Edenred.


Vulnerability and Patch Management

Due to the importance of the confidentiality, integrity, and availability of Edenred systems and information, all Edenred IT staff are proactive in implementing security measures designed to reduce any risks that might result in impaired productivity, increased costs, or damage to its business reputation due to malfunctioning system components or system components with security vulnerabilities. To ensure the security of the network and protect Edenred’s data, all computers and network devices are maintained at vendor-supported levels, and critical security patches are applied in a timely manner consistent with an assessment of risk.