Public Safety Committee on April 8th, 2019

We do vulnerability scan controls and have intensive security scans. We use only Canadian networks, Canadian telecom providers, and have Canadian data centres in multiple provinces. We run our transactions only through our Canadian data centres, so I don't anticipate that.

As you can appreciate, we wouldn't discuss specific capabilities or principles or how we manage our infrastructure.

What you're raising is a very acute thing we're aware of and are concerned about. Part of the motivation for the tracking of supply chain ingredients is to know that, because we would have providers of a service who would have technology and they may not know exactly where it has all come from, so we wouldn't know.

We have to imagine that it is not safe or secure, and we have to prepare ourselves for that—and we are. We are aware of these risks, but without that kind of knowledge, even if they were to attest that this is true, it might not be true. We can't afford to take those risks, so we plan as if it's not and we try to make it so.

While I am not privy to the comment, the “innocent” comment seems to be directed more at general public knowledge.

Our resiliency in Canada, particularly with the financial institutions, is quite strong on a global scale.

To your question about Canadian consumers, I would agree. I think public education is immensely important. Certainly this time of year, with the level of CRA scams that come out, from both phone calls and emails that people receive—and I'm sure all of you are well versed in that—Canadians do get pulled into those scams. They don't have enough education or awareness to understand when they should hang up the phone or delete the email, and also to up the system security on their home computers, and how important that is.

Oh, oh!

We do risk assessments on all the software and projects we deploy. Those risk assessments include an inventory of the libraries that are included in the applications that we develop, as well as any defects associated with those libraries.

The digital supply chain comes from all around the world. This microphone probably comes from many different countries around the world, so the risks that are represented in the components that make up this piece of equipment need to be assessed. They need to be assessed for vulnerabilities that could allow adversarial groups to enter this piece of equipment, or a piece of software.

We make sure that when we deploy something, it goes through a rigorous risk assessment process where we evaluate things as much as possible.

We ensure that we do audits on the organizations that provide source code to us. We certainly have access to some of the source code. We build some source code. Where we don't have access to the source code, we go through a rigorous risk assessment process with the company that provides it to us.

No, actually. All of our high-risk and transaction-based systems are proprietary code bases. Proprietary code means that we have a large development team that builds the code themselves. We put it through quite rigorous security standards and vulnerability scanning. We have a managed detection and response, layered security protocols that are quite robust and a private, closed-loop network.

We do, of course, have the source code, because we have a team that writes the source code, and we have very robust security layers. We're constantly reviewing our security posture as well.

I can share with the committee that all the data meets the minimum required standards in order to process the transaction, and any personal, identifiable information that is required to process the transaction to your bank account and not somebody else's bank account is fully secured.

Do you mean the intended use and purpose of the transaction in terms of the merchant where it's being purchased?