The connection between the merchant and the myPOS Web Checkout is made over the internet using the HTTPS protocol (HTTP over SSL). Both requests and responses are digitally signed. The myPOS host is located at a Tier IV data center in Switzerland. The public address for myPOS Web Checkout is BGP enabled and available through all first-level internet providers.

 

myPOS supplies an emergency support line via e-mail or phone which reaches certified engineers.

 

 

3-D Secure Payment


To make online transactions using credit cards safer and more secure, myPOS supports 3-D secure payments.

All myPOS merchants are automatically enrolled for 3D Secure. If the client's card is 3D Secure, then the client is redirected to the issuing bank's 3D Secure portal for authentication. It is not possible to opt out of 3D Secure; it is mandatory.

Depending on the Card scheme and the Issuing Bank, the customer will see an additional step in the myPOS Checkout payment page. Please take a look at the VISA example below:

[Image: 3DS payment]

 

Important security requirements for making requests to the myPOS Web Checkout


All requests to the API are standard HTTPS requests. The 'User-Agent' HTTP request header is required by myPOS Checkout API.

The header is a means of verifying the program running on the client host. If the client does not send this string, the request can be neither verified nor logged, and the result is a myPOS Web Checkout error page with the following text: “The Checkout has sent myPOS a shopping cart with errors in it. We will contact the Merchant with a request to fix this problem. As this could be a temporary issue, you can go back to try checking out again.” and a link to the merchant’s website.

Sending the 'User-Agent' header is one of the principal rules of our network security and is usually a simple setting in client programs. If you are against sending the header for tracking reasons, please note that omitting it is a loophole used by potential attackers.

 

 

Security Restrictions


Enable/Disable payments for a specific merchant’s Checkout

By default, online payment processing for any merchant’s Checkout is disabled. To enable the store, the merchant needs to finish the integration process. Once integrated, the new Checkout will have the status “Enabled” and the merchant is ready to start accepting payments.

The merchant can use the “Enable/Disable” functionality at any convenient time.

 

Request URLs

This myPOS feature aims to further increase the security level of the merchant’s account, protecting it from unauthorized request attempts. 

The merchant must specify at least one URL from which requests to the myPOS Checkout API will be made.

All requests from any other URLs will be denied. The merchant can add new URLs at any time; however, all new URLs will be reviewed and approved first.

 

 

Signature And Public/Private Key Pairs


In every message, a signature is supplied.

 

For the signing process, both the myPOS Checkout API and the merchant generate public/private key pairs and exchange their public certificates. Key pairs are generated using the RSA algorithm. Each certificate must be a PEM-encoded PKCS7 file. Each party uses its private key to sign the message, and the opposite side authenticates the sender with the corresponding public certificate.

 

The myPOS Web Checkout provides a different myPOS public certificate to every Checkout of the merchant. A key index is assigned to each certificate. They are available for download at the Checkout / Integration menu.
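
The sign-and-verify exchange and the key index lookup described above, as an added Node.js example (not myPOS code and not part of the original documentation). It shows a receiver rejecting a message whose field was altered, whose key index is unknown, or which was signed by a different key. Assumptions: SHA-256 with RSA PKCS#1 v1.5, the JSON canonical form, the field names KeyIndex, Signature, Amount, Currency, OrderID and Status, and bare PEM public keys standing in for the exchanged certificates.

```javascript
// Added example, not myPOS code. Assumptions: SHA-256 with RSA PKCS#1 v1.5,
// the JSON canonical form, and the field names KeyIndex / Signature.
const crypto = require('node:crypto');

// Constructed key pairs; bare PEM public keys stand in for the certificates.
const newPair = () => crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const merchant = newPair();
const checkout = newPair();

// Both sides must serialise the fields identically: sorted [name, value] pairs.
function canonicalize(fields) {
  const pairs = Object.keys(fields).sort().map((k) => [k, String(fields[k])]);
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// Sender: sign every field, including the key index, with its private key.
function signMessage(fields, keyIndex, privateKeyPem) {
  const body = { ...fields, KeyIndex: keyIndex };
  const sig = crypto.sign('sha256', canonicalize(body), privateKeyPem);
  return { ...body, Signature: sig.toString('base64') };
}

// Receiver: select the sender's public key by key index, verify, and reject
// on an unknown index, a missing signature, or any altered field.
function verifyMessage(message, publicKeysByIndex) {
  const { Signature, ...body } = message;
  const publicKeyPem = publicKeysByIndex.get(body.KeyIndex);
  if (!publicKeyPem || typeof Signature !== 'string') return false;
  const sig = Buffer.from(Signature, 'base64');
  return crypto.verify('sha256', canonicalize(body), publicKeyPem, sig);
}

// Constructed sample exchange: merchant request, then checkout response.
const merchantKeys = new Map([[1, merchant.publicKey]]);
const checkoutKeys = new Map([[1, checkout.publicKey]]);
const request = signMessage({ Amount: '23.45', Currency: 'EUR', OrderID: 'demo-0001' }, 1, merchant.privateKey);
const response = signMessage({ OrderID: 'demo-0001', Status: 'OK' }, 1, checkout.privateKey);
const tampered = { ...request, Amount: '0.01' };

console.log('request accepted: ', verifyMessage(request, merchantKeys));
console.log('response accepted:', verifyMessage(response, checkoutKeys));
console.log('tampered accepted:', verifyMessage(tampered, merchantKeys));
console.log('wrong key accepted:', verifyMessage(request, checkoutKeys));
```

Verification runs before any field of the message is acted on, and the key index is inside the signed data so it cannot be swapped without invalidating the signature.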