
Security and control
Information security is a core company value and is embedded into culture and operations
We deliver security with a disciplined, proactive approach that evolves continuously to manage information risks effectively.
Protecting sensitive information is more than compliance—it is a core obligation to our customers, employees, and stakeholders. By prioritizing ongoing training, leveraging advanced security technologies, executing regular risk assessments, and upholding rigorous incident response capabilities, we deliver a resilient and proactive approach to cyber risk. This commitment safeguards our organization and the trust placed in us.
Our approach to managing information security risks
Executive Management
The Information Security Committee (ISC)—co-chaired by our Founder and CEO, Tony Ferguson, and our Head of Information Services—oversees the ongoing assessment of internal and external factors that may impact our business or our customers. The Committee sets strategic objectives to address emerging risks and evaluates industry developments, regulatory changes, and current threat intelligence.
Security Architecture
Our architecture philosophy is built on defense-in-depth, proactive threat mitigation, continuous monitoring, and a risk-based approach to protecting our data and systems. By implementing robust security controls, aligning with industry best practices, and fostering a culture of security awareness, we ensure the confidentiality, integrity, and availability of our critical information assets.
Data Protection
Our structured, proactive framework incorporates strong internal data protection measures, including access controls, encryption, network segmentation, traffic inspection, and secure storage. This is reinforced by continuous monitoring, the collection and secure retention of audit and access logs, regular patching, and comprehensive threat-protection and vulnerability-management processes.
Incident Preparation
Throughout the year, we conduct cyber-attack simulations to strengthen our incident-response capabilities. These exercises, combined with annual business-continuity, disaster-recovery, and crisis-management tests, ensure our teams are prepared for the diverse scenarios a cyber-attack may present.
Internal Controls
We maintain strong cybersecurity awareness across the organization by running regular phishing-resilience campaigns and providing employees with the knowledge to identify and report suspicious activity. These initiatives complement our mandatory security and data-protection training undertaken by all employees and contractors.
We manage cybersecurity-related risks through our Enterprise Risk Framework, aligned with the ISO 31000 Risk Management standard.
Our Information Security Risk Management Framework provides a structured approach for assessing risks and related controls. It systematically identifies potential threats and vulnerabilities, evaluates their impact on our assets, and defines the appropriate risk-response strategies.
We also align our practices with globally recognized security frameworks and standards, including the NIST Cybersecurity Framework, OWASP, the ACSC Essential Eight, and guidance from the Center for Internet Security (CIS), to provide additional assurance to our customers.
Industry Standards Alignment
PCI DSS
A globally recognized framework designed to safeguard payment card information. It applies to organizations that store, process, or transmit cardholder data and outlines a comprehensive set of technical and operational security requirements. By enforcing strong controls across areas such as network security, encryption, access management, vulnerability handling, and continuous monitoring, PCI DSS helps organizations reduce the risk of payment fraud and maintain a secure environment for cardholder data.
SOC 2
The System and Organization Controls 2 assurance standard, which evaluates how service providers manage and protect customer data across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike prescriptive frameworks, SOC 2 gives organizations the flexibility to design controls tailored to their environment while still demonstrating robust internal governance. Independent auditor assessments provide customers with clear, trusted assurance that data is managed securely and in accordance with industry-leading expectations.