Marqeta's Trust Center


Welcome to Marqeta's Trust Center. At Marqeta we build enduring and trusting relationships with our customers and partners by having a robust compliance and security program.

This portal provides visibility into our technical controls, compliance certifications, and security capabilities. Certifications include the Payment Card Industry Data Security Standard (PCI DSS) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 1 and SOC 2 reports against the Trust Services Criteria for Security, Availability and Confidentiality. These controls are tested by independent, reputable third-party auditors. The reports are available to download from this portal.

Our policies, procedures, and standards are based on industry frameworks. Summaries can be requested through this portal.

Managing third-party risk is important. Marqeta maintains a list of critical third-party vendors, requires third-party vendors to maintain their own security practices and procedures, and performs an annual review of critical third-party attestation reports where applicable. Marqeta also maintains a list of sub-processors, which can be provided upon request.

Marqeta is committed to protecting personal data and privacy rights. Marqeta’s privacy notice (https://www.marqeta.com/privacy) is a great resource to see how personal data is collected, used, and shared. The privacy notice also outlines the rights users have in relation to this data. Marqeta complies with applicable data protection laws wherever we do business. In the event an applicable data protection law requires any action or imposes any standard more stringent than the privacy notice, the requirements of that law shall control and take precedence over the requirements of the privacy notice.

Marqeta complies with GDPR requirements regarding the collection, use, and retention of personal information transferred from the European Union to the USA.

Documents

PCI DSS
Marqeta's Trust Center Updates

Marqeta's Response to Polyfill Supply Chain Security Incident

Incidents

What happened?

The Sansec security research and malware team announced that a popular JavaScript polyfill project had been taken over by a foreign actor identified as a Chinese-originated company, embedding malicious code in JavaScript assets fetched from their CDN source at “cdn.polyfill.io”.

The vulnerability below is linked to the Polyfill Supply Chain Security Incident and is tracked under the following Common Vulnerabilities and Exposures (CVE) identifier:
CVE-2024-38526

The "polyfill.io" website is now effectively offline. As a further measure to protect end users, ad-blocking browser extensions such as uBlock have acted on reports about the polyfill.io website and are actively blocking access to it.
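The incident above turned on a single fact: browsers executed whatever JavaScript the compromised CDN served, because the pages that referenced it pinned no hash. A defender auditing their own pages for this exposure would look for cross-origin script tags that either point at the affected host or lack a Subresource Integrity (SRI) integrity attribute, which is what the added example below does. This is illustrative code written for this page, not Marqeta's tooling or anything from the polyfill project; the sample HTML, the hostnames in it and the placeholder hash are constructed.

```python
"""Audit HTML for cross-origin <script> tags that lack Subresource Integrity.

Added example, not Marqeta's code. The sample page and the host list below are
constructed for illustration; only cdn.polyfill.io comes from the incident text.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the incident write-up (polyfill.io and its CDN hostname).
KNOWN_BAD_HOSTS = {"cdn.polyfill.io", "polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collect src, integrity and crossorigin attributes of every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if a.get("src"):
            self.scripts.append({"src": a["src"],
                                 "integrity": a.get("integrity"),
                                 "crossorigin": a.get("crossorigin")})


def audit_scripts(html, first_party_host):
    """Return findings for scripts the page loads from origins other than its own.

    critical: loaded from a host tied to the polyfill.io incident.
    high:     cross-origin script with no integrity hash, so a compromised CDN
              could serve arbitrary code that the browser would run unchecked.
    medium:   integrity is set but crossorigin is missing; browsers then receive
              an opaque response they cannot verify and refuse to run the script,
              so the page breaks instead of being protected.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"]).hostname  # handles https://, //host/ and relative paths
        if host is None or host == first_party_host:
            continue  # same-origin or relative: not a third-party dependency
        if host in KNOWN_BAD_HOSTS:
            findings.append({"src": s["src"], "severity": "critical",
                             "reason": "loaded from a host named in the polyfill.io incident"})
        elif not s["integrity"]:
            findings.append({"src": s["src"], "severity": "high",
                             "reason": "cross-origin script without an SRI integrity attribute"})
        elif s["crossorigin"] is None:
            findings.append({"src": s["src"], "severity": "medium",
                             "reason": "integrity set but crossorigin attribute missing"})
    return findings


# Constructed sample page: one first-party script, one polyfill.io script,
# one unpinned CDN script, one correctly pinned script, one pinned without CORS.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/vendor.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example-cdn.test/widget.js"
        integrity="sha384-PLACEHOLDERHASH"></script>
</head></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "www.example.test"):
        print(f"[{f['severity']}] {f['src']}: {f['reason']}")
```

Run against a saved copy of a page; the three findings it reports for the constructed sample are the polyfill.io script, the unpinned lib.js and the widget.js whose integrity attribute is present but unenforceable without crossorigin="anonymous". Pinning a hash only helps for assets that do not change; a service that rewrote its payload per user agent, as a polyfill CDN does, cannot be pinned and is better self-hosted.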

Upon learning about the Polyfill Supply Chain Security Incident, Marqeta's Security team performed an assessment to determine whether Marqeta's data or systems, inclusive of any customer financial information ("Marqeta Data"), were impacted.

Was any data compromised during this incident?
Following a thorough investigation of Marqeta products, we have found no indication of impact to Marqeta Data in connection with the Polyfill Supply Chain Security Incident.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise of Marqeta Data in connection with the Polyfill Supply Chain Security Incident.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to incidents like the Polyfill Supply Chain Security Incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Snowflake Data Breach Incident

Incidents

What happened?

Mandiant has identified a threat campaign targeting Snowflake, a well-known multi-cloud data warehousing platform used to store and analyze data. The campaign accessed customer database instances using stolen customer credentials, advertised victim data for sale on cybercrime forums, and attempted to extort many of the victims.

However, Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment (the “Snowflake Data Breach Incident”). Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.

Upon learning about the Snowflake Data Breach Incident, Marqeta's Security team performed an assessment to determine whether Marqeta's data or systems, inclusive of any customer financial information ("Marqeta Data"), were impacted.

Was any data compromised during this incident?
Following a thorough investigation of Marqeta products, conducted in collaboration with Snowflake, we have found no indication of impact to Marqeta Data in connection with the Snowflake Data Breach Incident. All breaches associated with this campaign were traced back to compromised customer credentials on accounts that lacked advanced security controls such as multi-factor authentication (MFA) or network policies.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise of Marqeta Data in connection with the Snowflake Data Breach Incident.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to incidents like the Snowflake Data Breach Incident.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Fluent Bit Vulnerability

Vulnerabilities

What happened?

A critical vulnerability (CVE-2024-4323) in the widely used logging tool Fluent Bit was reported by Tenable. It is a memory corruption affecting Fluent Bit versions 2.0.7 through 3.0.3. The issue lies in the embedded HTTP server's parsing of trace requests and may result in denial of service, information disclosure, or remote code execution.

Upon learning about this vulnerability, Marqeta's Security team performed an assessment to determine whether the tool is used in Marqeta's environment.

Following a thorough investigation of Marqeta products, we have found no indication of Fluent Bit being used in the Marqeta environment, and as such, the vulnerability is not exploitable in our environment.

Was any data compromised during this incident?
To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?
N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?
Marqeta will continue to be vigilant in monitoring and responding to vulnerabilities like Fluent Bit.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Ivanti Vulnerability

Vulnerabilities

What happened?

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert providing cyber defenders with new mitigations against threat actors exploiting vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateway products. A cyber threat actor can exploit these vulnerabilities to take over an affected system.

These vulnerabilities are tracked under the following Common Vulnerabilities and Exposures (CVE) identifiers:

CVE-2024-21888

CVE-2024-21893

CVE-2023-46805 and CVE-2024-21887

Upon learning about these vulnerabilities, Marqeta's Security team performed an assessment to determine whether the affected products are used in Marqeta's environment.

Following a thorough investigation of Marqeta products, we have found no indication of these Ivanti solutions being used in the Marqeta environment, and as such, the vulnerabilities are not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to these vulnerabilities.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to these vulnerabilities.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to zero-day vulnerabilities like those affecting Ivanti.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A

Marqeta's Response to Midnight Blizzard Vulnerability

Vulnerabilities

What happened?

The Microsoft Security Response Center (MSRC) released threat intelligence guidance for responders on January 25, 2024, related to a nation-state attack on its corporate systems on January 12, 2024. The threat actor, identified as Midnight Blizzard, is a Russian state-sponsored actor also tracked as APT29, UNC2452, and Cozy Bear.

Microsoft disclosed a security breach that targeted email accounts from November 2023 to January 2024. The actors initially gained access by compromising a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled, and subsequently moved laterally to the main Microsoft corporate production tenant. They obtained elevated privileges within Microsoft's own Exchange Online tenant, resulting in unrestricted access to corporate mailboxes.

Upon learning about this incident, Marqeta's Security team performed an assessment to determine whether the affected Microsoft services are used in Marqeta's environment.

Following a thorough investigation of Marqeta products, we have found no indication of the Microsoft breach impacting the Marqeta environment. Microsoft solutions are not used in our production environment, and as such, the issue is not exploitable in our environment.

Was any data compromised during this incident?

To the best of our knowledge, Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What has been done to remediate the incident?

N/A - Marqeta did not detect any signs of compromise within our environment due to this vulnerability.

What should we expect next?

Marqeta will continue to be vigilant in monitoring and responding to such vulnerabilities.

Marqeta has a robust vulnerability management program that leverages industry leading detection capabilities. Discovered vulnerabilities are remediated based on industry standards. If you do not hear from us, please assume that no further action is required for this event.

Published at N/A