The connection between the merchant and the myPOS Web Checkout is made over the internet using the HTTPS protocol (HTTP over SSL). Both requests and responses are digitally signed. The myPOS host is located at a Tier IV data center in Switzerland. The public address for myPOS Web Checkout is BGP enabled and available through all first level internet providers.

 

myPOS provides an emergency support line by e-mail or phone that is available 24/7 and reaches certified engineers.

 

 

3-D Secure Payment


To make online transactions using credit cards safer and more secure, myPOS supports 3-D secure payments.

All myPOS merchants are automatically enrolled for 3D Secure. If the client's card is 3D Secure, then the client is redirected to the issuing bank's 3D Secure portal for authentication. It is not possible to opt out of 3D Secure; it is mandatory.

Depending on the Card scheme and the Issuing Bank, the customer will see an additional step in the myPOS Checkout payment page. Please take a look at the VISA example below:

 

Important security requirements for making requests to the myPOS Web Checkout


All requests to the API are standard HTTPS requests. The 'User-Agent' HTTP request header is required by myPOS Checkout API.

The header is a means of verifying the program on the client host. If the client does not send this string, the request can be neither verified nor logged, and the result is a myPOS Web Checkout error page with the following text: “The online store has sent myPOS a shopping cart with errors in it. We will contact the Merchant with a request to fix this problem. As this could be a temporary issue, you can go back to try checking out again.” and a link to the merchant’s website.

Sending the 'User-Agent' is one of the principal rules of our network security and is usually a simple setting in client programs. If you are against sending the header for tracking reasons, be aware that not sending it is used as a loophole by potential attackers.

 

 

Security Restrictions


Enable/Disable payments for a specific merchant’s online store

By default, online payment processing for any approved merchant’s online store is disabled. To enable the store, the merchant needs to log in to his Business Account, go to the Online / Online stores menu and click the “Enable” button beside the particular online store.

The merchant can use the “Enable/Disable” functionality at any convenient time.

 

Request URLs

This myPOS feature aims to further increase the security level of the merchant’s account, protecting it from unauthorized request attempts.

The merchant must specify at least one URL from which requests to the myPOS Checkout API will be made.

Requests from any other URL will be denied. The merchant can add new URLs at any time; however, all new URLs will be reviewed and approved first.

 

 

Signature And Public/Private Key Pairs


In every message, a signature is supplied.

 

For the signing process, both the myPOS Checkout API and the merchant generate public/private key pairs and exchange public certificates. Key pairs are generated using the RSA algorithm. The certificates must be PEM-encoded PKCS7 files. Each party uses its private key to sign the message, and the opposite side authenticates the sender with the corresponding public certificate.

 

The myPOS Web Checkout provides a different myPOS public certificate to every online store of the merchant. They are available for download at Online / Online stores / Keys menu.

 

The myPOS Checkout API requires the merchant to upload his public certificate so that the system can verify his digital signature. The merchant can upload several public certificates. A key index is assigned to each certificate. For each of the merchant's public certificates, there is a specific myPOS public certificate. The merchant can download each myPOS public certificate by clicking on Download in the myPOS public certificate column.

 

The online store public certificate can be changed at any time from the Online / Online stores / Keys menu.
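The sign-and-verify exchange described in this section can be reproduced locally with OpenSSL. The script below is an added example and not myPOS code: it creates an RSA key pair and a PEM-encoded PKCS7 certificate for each party, signs a request with the merchant's private key and verifies it using only the exchanged certificate. The SHA-256 digest, the base64 signature encoding, the party names and the request fields are assumptions, not taken from the myPOS specification.

```shell
#!/bin/sh
# Added example (not myPOS code): sign a request with a private RSA key and
# verify it with the PKCS7 certificate the other party received.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_party NAME: RSA key pair plus a self-signed certificate, exported as a
# PEM-encoded PKCS7 file (NAME.p7b), the only file that is handed over.
gen_party() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    chmod 600 "$WORK/$1.key"   # the private key never leaves its owner
    openssl crl2pkcs7 -nocrl -certfile "$WORK/$1.crt" -out "$WORK/$1.p7b"
}

# sign_msg NAME MESSAGE: prints a base64 RSA/SHA-256 signature (assumed scheme).
sign_msg() {
    printf '%s' "$2" | openssl dgst -sha256 -sign "$WORK/$1.key" | openssl base64 -A
}

# verify_msg SENDER MESSAGE SIGNATURE: returns 0 only if SIGNATURE matches
# MESSAGE under the public key inside SENDER's PKCS7 certificate.
verify_msg() {
    openssl pkcs7 -in "$WORK/$1.p7b" -print_certs |
        openssl x509 -pubkey -noout > "$WORK/$1.pub"
    printf '%s\n' "$3" | openssl base64 -d -A > "$WORK/sig.bin"
    printf '%s' "$2" | openssl dgst -sha256 -verify "$WORK/$1.pub" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Constructed sample request; field names and layout are hypothetical.
REQ='amount=23.45&currency=EUR&orderid=1001&keyindex=1'
TAMPERED='amount=0.45&currency=EUR&orderid=1001&keyindex=1'

gen_party merchant
gen_party mypos
SIG=$(sign_msg merchant "$REQ")

# Genuine request, altered request, and genuine request checked against the
# wrong party's certificate: only the first must be accepted.
for t in "merchant:$REQ" "merchant:$TAMPERED" "mypos:$REQ"; do
    if verify_msg "${t%%:*}" "${t#*:}" "$SIG"; then r=accepted; else r=rejected; fi
    echo "cert=${t%%:*} msg=${t#*:} -> $r"
done
```

A receiver should reject any message whose signature fails to verify before acting on its contents, and should select the verification certificate by the key index the sender is registered under.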