Configuring your own library
Please ensure that any additional debugging enabled whilst testing your integration is disabled prior to going live. Failing to do so may contravene the requirements needed to maintain PCI compliance.
Your library will need to establish a secure connection to https://webservices.securetrading.net/json/
Secure Trading uses industry-standard, high-strength TLS encryption. We recommend that you use an up-to-date SSL/TLS library implementation for your chosen language.
You should ensure it has the following capabilities:
- Support for TLSv1.0 or higher (use TLSv1.1 or TLSv1.2 if available).
- Server authentication must be performed by validating a certificate chain up to a known, trusted Certificate Authority (see below).
- Server authentication must check the Common Name (CN) of the server certificate matches the domain to which you are connecting. If the Common Name does not match, you are not connected to Secure Trading and the connection MUST be rejected.
- Server authentication must check the expiry date of the server certificate. Any expired certificate MUST be rejected.
- Your library and code base must be maintained and you must regularly update to the latest security patches and/or features.
Secure Trading uses the Verisign Certificate Authority to sign all certificates. Your SSL/TLS library must be configured to trust all Verisign certificates:
Your SSL/TLS policy should include reviewing and updating these Certificate Authorities on a regular basis (e.g. once a year).
Validating a chain to a trusted Certificate Authority means your implementation will not need any changes when Secure Trading regularly updates server certificates. In particular you should NOT verify using a single certificate fingerprint, as this will require updating whenever the server certificate is updated and will not work if our distributed system provides different individual certificates.
Secure Trading employs DNS load balancing. DNS load balancing is designed to return a single IP, which will be the preferred destination for your server to connect to at that moment in time.
In addition to returning a single IP, the DNS load balancers will return a low TTL, currently set to less than 60 seconds. This TTL has been deliberately kept low in order to maximize your server’s exposure to the entire payment system. Increasing this TTL would reduce this exposure, meaning you will utilise one IP for a prolonged period of time. Any issues that could occur (scheduled or otherwise) will then impact on your payment processing capabilities.
Secure Trading has a number of DNS servers used to serve DNS records. It is important that your server includes all of these servers for DNS lookups. If you receive a DNS lookup failure when communicating with one DNS server, the other DNS servers must then be used. Failure to utilise all DNS servers may cause problems when trying to resolve payment system URLs.
From a debug perspective, you can execute the following command to obtain the current list of DNS servers available:
- Windows: nslookup -type=NS securetrading.net
- Linux: dig NS securetrading.net
In the unlikely event that your system encounters problems when connecting to us, it is recommended that you implement appropriate timeouts for your solution. Consider this example:
- maximum retry number: 20
- maximum retry timeout: 40 seconds
- maximum connect attempt timeout: 5 seconds
- send and receive timeout: 60 seconds
Stop attempting to connect when either:
- The maximum retry number is exceeded; OR
- The maximum retry timeout would be exceeded by another connection attempt.
(This means stop retrying the connection after 35-40 seconds, as an attempt that takes the maximum connect attempt timeout of 5 seconds would cause the maximum retry timeout to be exceeded.)
Once the connection is established, allow 60 seconds (the send and receive timeout value) to send and receive the data before closing the connection. If for any reason the connection terminates after data has started to be transferred, we do not recommend retrying the request.
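Putting the TLS requirements above and this retry policy together, here is an added Python example that is not Secure Trading's own code. The function names are hypothetical; it assumes the operating system trust store already contains the Verisign roots and that TLS 1.2 is available on both sides.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

ENDPOINT = "https://webservices.securetrading.net/json/"
# Retry/timeout values quoted on the page (seconds).
MAX_RETRIES = 20
MAX_RETRY_WINDOW = 40.0
CONNECT_TIMEOUT = 5.0
SEND_RECV_TIMEOUT = 60.0

def make_tls_context() -> ssl.SSLContext:
    """Chain validation against the OS trust store, hostname check and (via
    CERT_REQUIRED) expiry check; no fingerprint pinning, no legacy versions."""
    ctx = ssl.create_default_context()            # loads the OS CA bundle
    ctx.check_hostname = True                     # CN/SAN must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # untrusted or expired chain fails the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: 1.2 is available on both sides
    return ctx

def should_retry(attempt: int, elapsed: float) -> bool:
    """Stop when the retry count is exhausted OR when one more attempt that
    runs to CONNECT_TIMEOUT would push past MAX_RETRY_WINDOW."""
    if attempt >= MAX_RETRIES:
        return False
    return elapsed + CONNECT_TIMEOUT <= MAX_RETRY_WINDOW

def connect_with_retry(url: str = ENDPOINT, connector=None):
    """connector(host, port, timeout) is injectable so the policy can be exercised
    offline; the default does the real TCP connect and TLS handshake."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = make_tls_context()

    def real_connector(host, port, timeout):
        raw = socket.create_connection((host, port), timeout=timeout)  # fresh DNS answer each attempt
        return ctx.wrap_socket(raw, server_hostname=host)              # handshake validates chain + name

    connector = connector or real_connector
    start, attempt = time.monotonic(), 0
    while True:
        attempt += 1
        try:
            sock = connector(host, port, CONNECT_TIMEOUT)
            sock.settimeout(SEND_RECV_TIMEOUT)  # 60 s to send/receive; no retry once data flows
            return sock
        except OSError as exc:                  # ssl.SSLError is a subclass of OSError
            if not should_retry(attempt, time.monotonic() - start):
                raise ConnectionError(f"gave up after {attempt} attempt(s)") from exc
```

Because each attempt calls socket.create_connection afresh, the resolver is consulted again and the low DNS TTL described above is honoured rather than pinning one IP for the whole retry window.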
If you have any questions about configuring your server, please get in touch.