Security Certification
As a partner platform to WePay, follow this Security Certification to protect your users and their data. We'll cover best practices to help protect your platform, in addition to laying out what is required to meet various levels of PCI compliance depending on what product you implement.
Definitions
Abbreviation | Full Form | Definition |
---|---|---|
HTTPS | HTTP Over SSL or Hypertext Transfer Protocol Secure | A variant of the standard web transfer protocol (HTTP) that adds a layer of security on the data in transit through a secure socket layer (SSL) or transport layer security (TLS) protocol connection. |
HSTS | HTTP Strict Transport Security | A web security feature that helps to protect websites against protocol downgrade attacks and cookie hijacking. |
OWASP | Open Web Application Security Project | An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. |
DMARC | Domain-based Message Authentication, Reporting & Conformance | An email authentication, policy, and reporting protocol. |
PCI | Payment Card Industry | The full spectrum of commerce which accepts debit, credit, or any other form of payment card during transactions. |
PCI SSC | Payment Card Industry Security Standards Council | The regulatory body which maintains and enforces PCI security standards. |
PCI DSS | Payment Card Industry Data Security Standard | A set of security standards designed to ensure that ALL parties which accept, process, store, or transmit credit card information maintain a secure environment. |
SAQ | Self-Assessment Questionnaire | Validation tools intended to assist merchants and service providers report the results of their PCI DSS self-assessment. |
QSA | Qualified Security Assessor | Independent security organizations that have been qualified by the PCI SSC to validate an entity's adherence to PCI DSS. |
Enhanced Security Standards
Certain WePay APIs are available only to platforms that meet minimum financial and technical qualifications, have approval from your WePay Relationship Executive, and comply with the following WePay Enhanced Security Standards, as modified by WePay from time to time.
WePay Enhanced Security Standards:
- On a quarterly basis, Platform to perform network and application vulnerability scans covering Platform's user authentication system as well as systems and applications impacting payment services using WePay. Platform will provide WePay with the results of the testing upon WePay's request.
- On an annual basis, Platform to perform penetration testing covering Platform's user authentication system as well as systems and applications impacting payment services using WePay. Platform will provide WePay with the results of the testing upon WePay's request.
- Platform to notify WePay immediately if Platform detects unauthorized access to Platform's systems or WePay's systems.
- Platform to use best efforts to address any material security flaw upon notice or discovery.
Security Best Practices
By integrating with the WePay API, you're reducing the scope of security and compliance requirements that your application must adhere to. That said, as an application that handles sensitive and private data, you must take extra care to ensure the privacy and security of your application, your users, and your users' data. Read our recommendations below to help architect your integration with WePay.
The following list applies to most card-not-present integrations, but you should expand and customize these requirements based on the specifics of your application.
Authenticate users and protect their credentials
If your application provides access to sensitive financial information (e.g. payment history), you must authenticate users to make sure that sensitive information is not accessed by a third party. Your authentication system must be robust:
User Access ManagementPlatform's process for managing user access to the Integrated Service must meet WePay's then-current Enhanced Security Standards (the current version of which can be found here and in Enhanced Security Standards) and other security standards applicable to End Users who access the WePay Service, including without limitation:
- Compliance with applicable password length and complexity requirements (currently minimum 8 characters, alpha, numeric and special character)
- Strong cryptography to render all authentication credentials unreadable during transmission and storage
- Lockout after no more than six (6) login attempt failures
- Lockout duration at least 30 minutes
- Require user to re-authenticate if a user session which involves the input or transmission of credit card information (and any systems related to the merchant/partners cardholder environment) has been idle for more than 15 minutes
- Require user to re-authenticate before resetting password or modifying any authentication credential
- Adequate controls against high-velocity scripted login attacks
- Strong authentication controls such as Multi-Factor Authentication (MFA) to protect against Account Take Over (ATO) attacks
In addition, follow these security best practices for authenticating users and protecting their credentials:
- Never store plain text passwords in your database; implement strong cryptography
- Use one-way hash functions (e.g. bcrypt) to protect passwords
- Make sure that only a limited number of employees have access to the database that stores users' credentials (i.e. passwords, WePay access tokens, etc.)
Use HTTPS and HSTS
The “plain” HTTP protocol is vulnerable to:
- Session hijacking by listening to the traffic and extracting the session cookie (e.g. by a person sitting next to your user in the coffee-shop).
- Man-in-the-middle attacks. For example, an attacker with access to your ISP can inject malicious content into your website and run rogue JavaScript code from your domain.
By using HTTPS and HSTS you can ensure that the network connections between your users and your servers are encrypted and protected. For this reason, more sophisticated users tend to trust HTTPS protected sites more than non-HTTPS sites.
Note that WePay does not have a requirement for a specific type of SSL certificate. However, EV certificates are the industry standard for security-sensitive online services.
Protect your production systems
- Require strong passwords and 2-factor authentication to access your production system.
- Change any default passwords on any internal or external services used by your application.
- Install a firewall and limit the open ports to the ones required by your application.
- If you're hosting in a shared environment, you must consider the protection of data on the network. Encrypting data in transit using strong version of TLS on internal shared environment provides protection against Man-In-The-Middle type attacks. Install the latest patches and updates to ensure that all known vulnerabilities in the system software are patched.
- Install the latest patches and updates to ensure that all known vulnerabilities in the system software are patched.
- Install extensive logging and perform regular automated and manual audits to detect any suspicious activities.
Protect API Secrets
An app token is a unique string of letters and numbers that you pass with every API call so WePay knows that you have the authorization to make that call.
App tokens are private and should neither be passed in the URL as part of HTTP Get Request nor revealed to any third-party. Remember, WePay Support will never ask you to provide your access token.
Setup a secure development process
A secure development process is critical to ensuring your application security:
- Code reviews
- Extensive testing
- Utilizing well known frameworks
- Training your developers
You can learn more about these and other ways to protect your application by visiting The Open Web Application Security Project (OWASP) website.
Configure automated vulnerability scans
Consider configuring at least weekly automated vulnerability scans from a PCI-certified vendor. While automated scans are limited in the vulnerabilities they can detect, they can still catch bugs that slipped past other protection barriers.
Email Security
DMARC is an email security standard that provides the receiver a mechanism to verify the source of an email.
Define and document your security policies and procedures
Your system security is only as strong as its weakest link. To get a complete view of your systems and processes, internally define and document your security policies and procedures, and make sure that you adhere to them. As your application and business change, you should update these procedures. Carefully consider each change and its impact on your system security and compliance.
WePay takes security very seriously. We're happy to answer questions or discuss any security concerns you may have. Contact our security team at security@wepay.com.
PCI DSS Requirements
All WePay platforms need to be compliant with PCI DSS. The PCI DSS that are applicable depend on how a platform integrates with WePay. These requirements supplement the ongoing work that WePay does on our systems everyday to maintain the highest possible level of PCI compliance as your payments service provider.
- Every partner needs to be PCI compliant, even if you are using credit card iFrames.
- In most cases, being PCI compliant means filling out an SAQ.
- Partners using credit card iFrames checkout will generally qualify for the simpler SAQ-A.
- Partners using WePay Helper JS for credit card tokenization will generally need to fill out the new SAQ-A-EP and perform quarterly scans.
- WePay will continue to look for compliant ways to offer the benefits of tokenization without requiring partners to complete the SAQ-A-EP.
Who Must Be PCI Compliant
Compliance requirements are determined by your transaction level and the nature of your integration with WePay.
Transaction Level: Number of transactions processed every year. These levels are set by the PCI SSC.Integration: How you interact with WePay (and thus card data) determines the specific SAQ that you must complete.
Steps To PCI Compliance
1. Identify Your Transaction Level
PCI has four levels of compliance. The level you need will depend on the number of transactions that are processed each year. The table below is a simplified set of requirements.
Note
The transactions/year counts are for Visa OR Mastercard, not the two combined
Level | Transactions/Year | Requirements |
---|---|---|
Level 1 | More than 6M, regardless of acceptance channel. | On-site inspection by a QSA; Quarterly Network Scans; Annual penetration testing. |
Level 2 | 1M-6M, regardless of acceptance channel. | Appropriate SAQ as determined by step 2; Quarterly Network scans unless qualified for SAQ-A |
Level 3 | 20K-1M eCommerce transactions. | Appropriate SAQ as determined by step 2; Quarterly Network scans unless qualified for SAQ-A |
Level 4 | Less than 20K eCommerce transactions; and/or up to 1M transactions regardless of acceptance channel. | Appropriate SAQ as determined by step 2; Quarterly Network scans unless qualified for SAQ-A |
If you need help identifying your transaction level, please reach out to your relationship executive or [WePay Support](mailto:api@wepay.com).
2. Identify the appropriate SAQ based on your integration with WePay
Integration | Requirements | Notes |
---|---|---|
Clear - credit card iFrames | SAQ-A | In these integrations, all of the credit card data is managed on WePay-served pages via the iFrames. |
Basic Integration - WePay Helper JS Tokenization credit card tokenization | SAQ-A-EP Involves Quarterly network scans and Annual penetration testing | In this integration, credit card data is collected on a webpage that you serve, and then use WePay's Javascript library to send the values directly to WePay. Quarterly network scans are required even if you are only level 4. |
Server to Server Integration | SAQ-D Involves Quarterly network scans and Annual penetration testing | A small number of platforms collect credit card information directly and then passing it on to WePay in a web call rather than through the JS. This integration requires certification from WePay. |
If you need help identifying your integration, please reach out to your relationship executive, technical account manager, or [api@wepay.com](mailto:api@wepay.com).
Note
The PCI council believes that the risk of attack is higher for a custom UX checkout and tokenization than for iFrames. They specifically highlight that attacks on custom UX integrations can be much harder for users to notice, and thus impact many more people, than a compromise involving iFrames.
3. Keep your documentation current and ready to provide at WePay's request
Keep all PCI DSS certification documents on file, such as SAQs, quarterly network scans, etc. Provide documents to WePay upon request, which may be as often as once a year, or upon expiration.