Marqeta's Trust Center


Welcome to Marqeta's Trust Center. At Marqeta we build enduring and trusting relationships with our customers and partners by having a robust compliance and security program.

This portal provides visibility into our technical controls, compliance certifications, and security capabilities. Certifications include the Payment Card Industry Data Security Standard (PCI DSS) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 1 and SOC 2 reports against the Trust Services Criteria for Security, Availability and Confidentiality. These controls are tested by independent, reputable third-party auditors. The reports are available to download from this portal.

Our policies, procedures, and standards are based on industry frameworks. Summaries can be requested through this portal.

Managing third-party risk is important. Marqeta maintains a list of critical third-party vendors, requires third-party vendors to maintain their own security practices and procedures, and performs an annual review of critical third-party attestation reports where applicable. Marqeta also maintains a list of sub-processors, which can be provided upon request.

Marqeta is committed to protecting personal data and privacy rights. Marqeta’s privacy notice (https://www.marqeta.com/privacy) is a great resource to see how personal data is collected, used, and shared. The privacy notice also outlines the rights users have in relation to this data. Marqeta complies with applicable data protection laws wherever we do business. In the event an applicable data protection law requires any action or imposes any standard more stringent than the privacy notice, the requirements of that law shall control and take precedence over the requirements of the privacy notice.

Marqeta complies with GDPR requirements regarding the collection, use, and retention of personal information transferred from the European Union to the USA.


Documents

PCI DSS

Marqeta's Trust Center Updates

Marqeta's Response to Polyfill Supply Chain Security Incident

Incidents

What happened?

The Sansec security research and malware team announced that a popular JavaScript polyfill project had been taken over by a foreign actor identified as a Chinese-originated company, which embedded malicious code in the JavaScript assets served from its CDN at “cdn.polyfill.io”.

The vulnerability linked to the Polyfill Supply Chain Security Incident is tracked under the following Common Vulnerabilities and Exposures (CVE) identifier:
CVE-2024-38526

The “polyfill.io” website is now effectively offline. As a further protection for end users, ad-blocking browser extensions such as uBlock have kept up with reports about the polyfill.io website and are actively preventing access to it.

Upon learning about the Polyfill Supply Chain Security Incident, Marqeta’s Security team performed an assessment to determine if Marqeta’s data or systems, inclusive of any customer financial information (“Marqeta Data”), were impacted.
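An exposure assessment for an incident like this starts with an inventory: which pages or bundles load assets from the compromised domain. The following Python is an added example, not Marqeta's own assessment tooling, that scans HTML for script/link/iframe references and bundled JavaScript for URL string literals pointing at polyfill.io or any of its sub-domains (cdn.polyfill.io is the host named above). The sample markup, the domain list and the function names are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains to inventory against (assumption for this example). cdn.polyfill.io
# is the CDN named in the incident; listing the parent domain makes every
# sub-domain match while look-alike hosts (polyfill.io.example.com) do not.
SUSPECT_DOMAINS = ("polyfill.io",)


def host_of(url):
    """Host of an absolute or protocol-relative URL, lower-cased; None for relative paths."""
    host = urlparse(url.strip()).hostname
    return host.lower() if host else None


def is_suspect_host(host):
    """True for a suspect domain or one of its sub-domains."""
    return host is not None and any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class _AssetRefParser(HTMLParser):
    """Collects external asset references: <script src>, <link href>, <iframe src>."""
    _ATTR_FOR_TAG = {"script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self._ATTR_FOR_TAG.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.refs.append((tag, value))


def find_suspect_refs_in_html(html):
    """(tag, url) pairs in the markup that load from a suspect host."""
    parser = _AssetRefParser()
    parser.feed(html)
    parser.close()
    return [(tag, url) for tag, url in parser.refs if is_suspect_host(host_of(url))]


# Absolute or protocol-relative URLs inside JS string literals.
_URL_LITERAL = re.compile(r"""["'`]((?:https?:)?//[^"'`\s]+)["'`]""")


def find_suspect_refs_in_js(js_source):
    """URL literals in bundled JS pointing at a suspect host; this catches
    dynamically injected <script> elements that the HTML parser cannot see."""
    return [u for u in _URL_LITERAL.findall(js_source) if is_suspect_host(host_of(u))]


# Constructed sample inputs: two real polyfill.io loads, one local script,
# one unrelated stylesheet and one look-alike host that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example.com/style.css">
<script src="https://polyfill.io.example.com/x.js"></script>
</head><body></body></html>"""

SAMPLE_JS = """
const s = document.createElement('script');
s.src = 'https://cdn.polyfill.io/v3/polyfill.min.js?features=default';
document.head.appendChild(s);
fetch("https://api.example.com/v1/cards");
"""

if __name__ == "__main__":
    for tag, url in find_suspect_refs_in_html(SAMPLE_HTML):
        print(f"HTML <{tag}> loads {url}")
    for url in find_suspect_refs_in_js(SAMPLE_JS):
        print(f"JS literal references {url}")
```

Run against a checkout of front-end sources or a crawl of rendered pages; every hit is a page or bundle whose content was under the control of the new CDN operator, and the matching check on a Content Security Policy or an egress proxy allow-list gives the same inventory from the network side.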

Was any data compromised during this incident?
Following a thorough investigation of Marqeta products, we have found no indication of impact to Marqeta Data in connection with the Polyfill Supply Chain Security Incident.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise of Marqeta Data in connection with the Polyfill Supply Chain Security Incident.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to incidents like the Polyfill Supply Chain Security Incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Snowflake Data Breach Incident

Incidents

What happened?

Mandiant has identified a threat campaign targeting customer database instances on Snowflake, a well-known multi-cloud data warehousing platform used to store and analyze data. The campaign used stolen customer credentials to access those instances, advertised victim data for sale on cybercrime forums, and attempted to extort many of the victims.

However, Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment (the “Snowflake Data Breach Incident”). Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.

Upon learning about the Snowflake Data Breach Incident, Marqeta’s Security team performed an assessment to determine if Marqeta’s data or systems, inclusive of any customer financial information (“Marqeta Data”), were impacted.

Was any data compromised during this incident?
Following a thorough investigation of Marqeta products, conducted in collaboration with Snowflake, we have found no indication of impact to Marqeta Data in connection with the Snowflake Data Breach Incident. All breaches associated with this campaign were traced back to compromised credentials of customers who had not implemented advanced security controls such as multi-factor authentication (MFA) or network policies.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise of Marqeta Data in connection with the Snowflake Data Breach Incident.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to incidents like the Snowflake Data Breach Incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Fluent Bit Vulnerability

Vulnerabilities

What happened?

A critical vulnerability (CVE-2024-4323) in the widely used logging tool Fluent Bit was reported by Tenable. The vulnerability causes memory corruption in Fluent Bit versions 2.0.7 through 3.0.3. It lies in the embedded HTTP server’s parsing of trace requests and may result in denial of service, information disclosure, or remote code execution.

Upon learning about this vulnerability, Marqeta’s Security team performed an assessment to determine if the tool is being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of Fluent Bit being used in the Marqeta environment, and as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?
To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to vulnerabilities like the one in Fluent Bit.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Ivanti Vulnerability

Vulnerabilities

What happened?

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert providing cyber defenders with new mitigations against threat actors exploiting vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateway security solutions. A cyber threat actor can exploit these vulnerabilities to take over an affected system.

These vulnerabilities are tracked under the following Common Vulnerabilities and Exposures (CVE) identifiers:

CVE-2024-21888

CVE-2024-21893

CVE-2023-46805 and CVE-2024-21887

Upon learning about these vulnerabilities, Marqeta’s Security team performed an assessment to determine if the affected products are being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of these Ivanti solutions being used in the Marqeta environment, and as such, the vulnerabilities are not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like those in the Ivanti products.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Midnight Blizzard Vulnerability

Vulnerabilities

What happened?

The Microsoft Security Response Center (MSRC) released threat intelligence guidance for responders on January 25, 2024 related to a nation-state attack on its corporate systems on January 12, 2024. The threat actor, identified as Midnight Blizzard, is a Russian state-sponsored actor also tracked as APT29, UNC2452, and Cozy Bear.

Microsoft disclosed a security breach that targeted email accounts from November 2023 to January 2024. The actors initially gained access by compromising a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled, and subsequently moved laterally to the main Microsoft corporate production tenant. They secured elevated privileges within Microsoft’s own Exchange Online tenant, resulting in unrestricted access to corporate mailboxes.

Upon learning about this incident, Marqeta’s Security team performed an assessment to determine if the affected Microsoft services are being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of the Microsoft breach impacting the Marqeta environment, since Microsoft solutions are not leveraged in our production environment; as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to such vulnerabilities.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's ISO 27001 Certificate

Compliance

Marqeta is pleased to announce that we have obtained ISO 27001 certification for the information security management system covering the infrastructure and services that support the Marqeta Payment Platform. This emphasizes Marqeta’s continual commitment to increasing customer trust through security, reliability, and accuracy.

ISO 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Marqeta’s ISO 27001 certification is available for download from our Trust Center.

Published at N/A

Marqeta's SOC Reports

Compliance

Marqeta's 2023 SOC 2 Type II and SOC 1 Type II reports are available for download. Please visit the Documents section of our Trust Center.

Published at N/A

Marqeta's Response to Okta

Incidents

What happened?

Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.

The threat actors gained access to customers’ HTTP Archive (HAR) files, which are used for troubleshooting by replicating browser activity. By their nature, HAR files can contain sensitive data such as cookies and session tokens that threat actors can use to impersonate valid users.

Okta’s Chief Security Officer David Bradbury said the compromised case management system is separate from the production Okta service, which was not impacted and remains fully operational. Okta has taken measures to protect its customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.
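The sanitization step Okta recommends is easy to get wrong by hand, because a HAR file carries the same session material in several places (request and response headers, the cookies arrays, query parameters, and JSON bodies). The following Python sanitizer is an added example, not Okta's or Marqeta's tooling: it deep-copies a HAR 1.2 document and redacts those fields before the file leaves the organization. The redaction policy (which header and key names count as sensitive), the constructed sample HAR and the function names are assumptions for this example; it goes slightly beyond the text by also redacting JSON request and response bodies, since login responses commonly carry a session token there.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Redaction policy assumed for this example: the text only says "credentials
# and cookies/session tokens". Header names match case-insensitively; JSON,
# form and query parameter names match by lower-cased key.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_KEYS = {"access_token", "id_token", "refresh_token", "token", "sessiontoken",
                  "session_token", "password", "code"}


def _redact_json(value):
    """Recursively replace the values of sensitive keys in a decoded JSON body."""
    if isinstance(value, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else _redact_json(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_redact_json(v) for v in value]
    return value


def _scrub_pairs(pairs, names):
    """HAR name/value lists (headers, queryString, params): redact matching names."""
    return [dict(p, value=REDACTED) if p.get("name", "").lower() in names else dict(p)
            for p in pairs]


def _scrub_body(container):
    """postData / content objects: redact JSON bodies by key, form params by name."""
    text = container.get("text")
    if text and "json" in container.get("mimeType", "").lower():
        try:
            container["text"] = json.dumps(_redact_json(json.loads(text)))
        except ValueError:
            container["text"] = REDACTED  # unparsable JSON: drop the whole body
    if "params" in container:
        container["params"] = _scrub_pairs(container["params"], SENSITIVE_KEYS)


def sanitize_har(har):
    """Return a deep copy of a HAR 1.2 dict with credentials, cookies and
    session tokens redacted; the input object is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            msg["headers"] = _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            msg["cookies"] = [dict(c, value=REDACTED) for c in msg.get("cookies", [])]
        req["queryString"] = _scrub_pairs(req.get("queryString", []), SENSITIVE_KEYS)
        if req.get("postData"):
            _scrub_body(req["postData"])
        if resp.get("content"):
            _scrub_body(resp["content"])
    return har


def har_to_text(har):
    """Serialize for writing to disk or for a final 'does the secret still appear' grep."""
    return json.dumps(har)


def count_redactions(har):
    """Number of redaction markers in the serialized HAR, a quick audit figure."""
    return har_to_text(har).count(REDACTED)


# Constructed sample: one login exchange with a session cookie, a token in the
# query string, a password in the JSON request and a session token in the reply.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://idp.example.com/api/v1/authn",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "token", "value": "q-secret"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice", "password": "hunter2"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": '{"sessionToken": "20111abc", "status": "SUCCESS"}'},
    },
}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

The deep copy matters in practice: the original capture stays intact for the engineer's own debugging while only the redacted copy is attached to a support case. Before sharing, grep the serialized output for the literal session values you know were in the capture; a sanitizer that only knows the header names in its policy will miss a token placed under an unexpected key.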

Upon learning about this incident, Marqeta’s Third-Party Risk Management team reached out to Okta. As of 10/23/23, Marqeta was NOT impacted and, per our conversation with Okta, no action is needed on Marqeta’s part.

Was any data compromised during this incident?
To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to third-party security breaches such as the Okta HAR file incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to HTTP/2 Rapid Reset Attack

Incidents

What happened?

A record-breaking distributed denial-of-service (DDoS) attack dubbed “HTTP/2 Rapid Reset” (CVE-2023-44487) exploited an Internet-wide zero-day vulnerability.

Amazon Web Services, Cloudflare, and Google Cloud each observed the minutes-long attacks on August 28 and 29, with Google recording a peak of 398 million requests per second (rps), seven and a half times larger than any previous attack against its resources. The providers partnered with DDoS-mitigation and infrastructure vendors to minimize the effects of the attacks, mainly through load balancing and other edge strategies. The exploited protocol, HTTP/2, enables browsers to quickly load website images and text and is used by roughly 60% of all web applications. Many organizations will remain exposed to the attack until they patch their HTTP/2 implementations.

Upon learning about this vulnerability, Marqeta’s Security team performed an assessment to determine if the HTTP/2 module is enabled and is being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of Rapid Reset impacting our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like Rapid Reset.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to MOVEit vulnerability

Incidents

What happened?

A critical vulnerability (CVE-2023-34362) in the widely used file transfer tool MOVEit was reported by Progress. The vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment.

Upon learning about this vulnerability, Marqeta’s Security team performed an assessment to determine if the tool is being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of MOVEit being used in the Marqeta environment, and as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like MOVEit.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A