Security is not just a detail

PassMachine aims for the highest standards 

Digital cards are not just a more modern version of a plastic card. They are part of a customer account, loyalty program, access system, or brand communication channel. And because banks, insurance companies, and retail chains work with them, the security of the entire platform must meet the demanding requirements of various industries.

The PassMachine platform has been operating since 2020 and is currently used by over 220 clients in 30 countries, from cafes to insurance companies, banks, and large retail chains. With such a scope and diversity of clients, security is not just an optional extra. It has been part of the platform from day one.

Security as part of every development step

PassMachine operates according to the principles of a secure software development lifecycle (Secure SDLC). Security rules and control mechanisms are incorporated into every phase, from design and development to daily operations.

Static code analysis, penetration testing, and infrastructure security reviews are conducted annually. We also test communication between individual servers and systems to ensure that a potential breach in one part does not allow movement into other layers. A significant infrastructure change does not wait for the regular cycle: a security audit is performed immediately.

All tests are carried out by a certified external company specializing in cybersecurity. Independent verification is the standard, not the exception.

Protection at the application and infrastructure level

Security must function across the entire environment, not just within the application itself. Therefore, we address protection on multiple layers simultaneously.

The platform includes application firewalls, Anti-DDoS protection against server overload, security threat detection, and antispam. Operations are monitored continuously 24/7. Databases are encrypted at the disk level, and passwords are stored in encrypted form. The platform operates in compliance with GDPR.

DORA and NIS2: real processes, not just certificates

In the field of digital services, it is not enough to simply "be secure." The ability to manage risks, handle incidents, and maintain long-term operational resilience is important, especially if clients come from regulated sectors such as finance or insurance.

As part of the Mafra group, which falls under a stricter regulatory regime, PassMachine meets NIS2 requirements. Beyond this framework, the requirements of the DORA regulation are also implemented, because clients from the financial sector pass these standards on to their suppliers as a contractual condition.

Both frameworks have similar requirements, and PassMachine fulfills them as a single integrated system. In practice, this includes:

  • access management and history of login activity,
  • defined scenarios and procedures for incidents,
  • clear rules for working with suppliers and subcontractors,
  • testing resilience at the application level (app.passmachine.eu) and infrastructure level, including verification that a breach in one system does not allow movement into other parts of the environment,
  • continuous security monitoring 24/7,
  • physical security: CCTV system, secured office, controlled access.

Tier III Data Centers

PassMachine utilizes data center infrastructure with Tier III certification. Key components—power, cooling, and network connectivity—are always redundant, so operations continue even if part of the infrastructure fails.

The data center provides physical security and a CCTV system, controlled access via chip cards, PINs, or biometrics, a fire suppression system with inert gas and VESDA detection, online technology monitoring, and continuous 24x7x365 operation. Optical connectivity is provided from several independent directions via O2's backbone network. The infrastructure also supports hybrid solutions combining physical servers with the cloud.

Security as part of trust between brand and customer

A digital card functions as a long-term communication channel between a brand and its customer. It contains data, works with user identity, and is often connected to other company systems. Therefore, an outage or security incident affects not only the technology but also the customer relationship.

We build security on a combination of regular testing, operational resilience, managed processes, and quality infrastructure. That security is regularly subject to independent testing.

Do you need to know more?

We’ll help you navigate the world of digital cards and together we’ll find the solution that suits you best. You can also send us a message directly at: sales@passmachine.eu
