Marqeta's Trust Center

Overview

Welcome to Marqeta's Trust Center. At Marqeta we build enduring and trusting relationships with our customers and partners by having a robust compliance and security program.

This portal provides visibility into our technical controls, compliance certifications, and security capabilities. Certifications include the Payment Card Industry Data Security Standard (PCI DSS) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 1 and SOC 2 reports against the Trust Services Criteria for Security, Availability and Confidentiality. These controls are tested by independent, reputable third-party auditors, and the reports are available to download from this portal.

Our policies, procedures, and standards are based on industry frameworks. Summaries can be requested through this portal.

Managing third-party risk is important. Marqeta maintains a list of critical third-party vendors, requires third-party vendors to maintain their own security practices and procedures, and performs an annual review of critical third-party attestation reports where applicable. Marqeta also maintains a list of sub-processors, which can be provided upon request.

Marqeta is committed to protecting personal data and privacy rights. Marqeta’s privacy notice (https://www.marqeta.com/privacy) is a great resource to see how personal data is collected, used, and shared. The privacy notice also outlines the rights users have in relation to this data. Marqeta complies with applicable data protection laws wherever we do business. In the event an applicable data protection law requires any action or imposes any standard more stringent than the privacy notice, the requirements of that law shall control and take precedence over the requirements of the privacy notice.

Marqeta complies with GDPR requirements regarding the collection, use, and retention of personal information transferred from the European Union to the USA.

Compliance

GDPR
ISO 27001
PCI DSS
SOC 1
SOC 2

Documents

PCI DSS
Pentest Report
SOC 1 Report
SOC 2 Report
Business Continuity Policy & Plan
Information Security Policy
ISO 27001
Cross Border Data Transfer Risk Assessment
BC/DR
Backup & Recovery Standard
Data Classification & Handling Standard
Incident Response Plan
IT Asset Inventory Standard
Logical Access Management Standard
Network Management Standard Policy
Other Policies
S-SDLC
Technical Risk Management Standard
Third Party Risk Management Policy
Vulnerability & Patch Management Standard

Product Security

Audit Logging
Data Security
Integrations

Reports

PCI DSS
Pentest Report
SOC 1 Report

Data Security

Access Monitoring
Backups Enabled
Encryption-at-rest

App Security

Responsible Disclosure
Code Analysis
Software Development Lifecycle

Data Privacy

Cookies
Cross Border Data Transfer Risk Assessment
Data Privacy Officer

Access Control

Data Access
Logging
Password Security

Infrastructure

Amazon Web Services
Anti-DDoS

Endpoint Security

Disk Encryption
Endpoint Detection & Response
Mobile Device Management

Network Security

Data Loss Prevention
Firewall
IDS/IPS

Corporate Security

Email Protection
Employee Training
Incident Response

Policies

Backup & Recovery Standard
Business Continuity Policy & Plan
Data Classification & Handling Standard

Security Grades

Qualys SSL Labs
marqeta.com: A+
auth.marqeta.com: A

Trust Center Updates

Marqeta's Response to Ivanti Vulnerability

Vulnerabilities

What happened?

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert providing cyber defenders with new mitigations against threat actors exploiting vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateway security solutions. A cyber threat actor can exploit these vulnerabilities to take over an affected system.

These vulnerabilities are tracked under the following Common Vulnerabilities and Exposures (CVE) identifiers:

CVE-2024-21888

CVE-2024-21893

CVE-2023-46805 and CVE-2024-21887

Upon learning about these vulnerabilities, Marqeta’s Security team performed an assessment to determine whether the affected Ivanti products are in use in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of these Ivanti solutions being used in the Marqeta environment, and as such, these vulnerabilities are not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities such as these Ivanti issues.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Marqeta's Response to Midnight Blizzard Vulnerability

Vulnerabilities

What happened?

The Microsoft Security Response Center (MSRC) released threat intelligence guidance for responders on January 25, 2024, related to a nation-state attack on its corporate systems on January 12, 2024. The threat actor, identified as Midnight Blizzard, is a Russian state-sponsored actor also tracked as APT29, UNC2452, and Cozy Bear.

Microsoft disclosed a security breach that targeted email accounts from November 2023 to January 2024. The actors initially gained access by compromising a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled, and subsequently moved laterally to Microsoft's main corporate production tenant. They obtained elevated privileges within Microsoft's own Exchange Online tenant, resulting in unrestricted access to corporate mailboxes.

Upon learning about this incident, Marqeta’s Security team performed an assessment to determine whether the affected Microsoft services are used in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of the Microsoft breach impacting the Marqeta environment, since Microsoft solutions are not leveraged in our production environment; as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to such vulnerabilities.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Marqeta's ISO 27001 Certificate

Compliance

Marqeta is pleased to announce that we have obtained ISO 27001 certification of the information security management system covering the infrastructure and services that support the Marqeta Payment Platform. This emphasizes Marqeta’s continual commitment to increasing customer trust through security, reliability, and accuracy.

ISO 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Marqeta’s ISO 27001 certification is available for download from our Trust Center.

Marqeta's SOC Reports

Compliance

Marqeta's 2023 SOC 2 Type II and SOC 1 Type II reports are available for download. Please visit the Documents section of our Trust Center.

Marqeta's Response to Okta

Incidents

What happened?

Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.

The threat actors gained access to customers’ HTTP Archive (HAR) files, which record browser activity so that it can be replayed for troubleshooting. By their nature, HAR files can contain sensitive data such as cookies and session tokens that threat actors can use to impersonate valid users.

Okta’s Chief Security Officer David Bradbury said the compromised case management system is separate from the production Okta service, which was not impacted and remains fully operational. Okta has taken measures to protect its customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. In a separate alert, security firm BeyondTrust said it was the target of a cyberattack linked to this Okta support system breach.
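As an added example of the sanitization step recommended above (this is not Marqeta's or Okta's code), the following Python script redacts credential-bearing headers, every cookie value, token-like query parameters (both in the parsed queryString and in the raw request URL) and request bodies from a HAR 1.2 capture. The sensitive header and parameter name lists are an assumed starting point to extend for your own applications, and the sample capture is constructed.

```python
"""Redact credentials and session material from a HAR file before sharing it.
Added example, not Marqeta's or Okta's code; assumes HAR 1.2 JSON layout."""
import copy, re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-api-key", "x-csrf-token", "x-xsrf-token"}  # assumed starting list
SENSITIVE_PARAMS = re.compile(r"token|secret|passw|session|api.?key|auth", re.I)

def _redact(pairs, is_sensitive):
    """Overwrite 'value' on each {name, value} item whose name is sensitive."""
    for item in pairs or []:
        if is_sensitive(str(item.get("name", ""))):
            item["value"] = REDACTED

def _redact_url(url):
    """Redact token-like query parameters embedded in request.url itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAMS.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return a sanitized deep copy of a parsed HAR dict; the input is left intact."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _redact(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            _redact(msg.get("cookies"), lambda n: True)  # every cookie is session material
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        _redact(req.get("queryString"), SENSITIVE_PARAMS.search)
        post = req.get("postData", {})
        _redact(post.get("params"), SENSITIVE_PARAMS.search)
        if SENSITIVE_PARAMS.search(post.get("text", "")):
            post["text"] = REDACTED  # a body that embeds a credential is dropped whole
    return har

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{  # constructed capture, not a real one
    "request": {"method": "POST", "url": "https://example.test/api?user=alice&access_token=s3cr3t",
                "headers": [{"name": "Authorization", "value": "Bearer eyJabc"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "access_token", "value": "s3cr3t"}],
                "postData": {"mimeType": "application/json", "text": '{"password":"hunter2"}'}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}
```

Load a .har file with json.load, pass the result to sanitize_har, and json.dump the return value to a new file before attaching it to a support case; the body-text rule is deliberately conservative and drops any body whose text matches a sensitive name.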

Upon learning about this incident, Marqeta’s Third Party Risk Management team reached out to Okta; as of 10/23/23, Marqeta was NOT impacted and no action is needed on Marqeta’s side, per our conversation with Okta.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to third-party security breaches such as the Okta HAR file incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Marqeta's Response to HTTP/2 Rapid Reset Attack

Incidents

What happened?

A record-breaking distributed denial-of-service (DDoS) attack dubbed “HTTP/2 Rapid Reset” (CVE-2023-44487) exploited an Internet-wide zero-day vulnerability.

Amazon Web Services, Cloudflare, and Google Cloud each observed the just-minutes-long attack on August 28 and 29, with Google recording a peak of 398 million requests per second (rps), seven and a half times larger than any previous attack against its resources. The providers partnered with DDoS security and infrastructure vendors to minimize the effects of the attacks, mainly through load balancing and other edge strategies. The exploited protocol, HTTP/2, enables browsers to load website images and text quickly, and it is used by roughly 60% of all web applications. Many organizations will remain exposed to the attack until they patch their HTTP/2 instances.

Upon learning about this vulnerability, Marqeta’s Security team performed an assessment to determine if the HTTP/2 module is enabled and is being utilized in Marqeta’s environment.

Following a thorough investigation of Marqeta products, we have found no indication of Rapid Reset impacting our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like Rapid Reset.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Marqeta's Response to MOVEit vulnerability

Incidents

What happened?

A critical vulnerability (CVE-2023-34362) in the widely used file transfer tool MOVEit was reported by Progress. The vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. Upon learning about this vulnerability, Marqeta’s Security team performed an assessment to determine whether the tool is being used in Marqeta’s environment. Following a thorough investigation of Marqeta products, we have found no indication of MOVEit being used in the Marqeta environment, and as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like MOVEit. Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.
