Merchant Integration: Checking Server Communication

TL;DR

You’re right to be cautious! Merchant integration instructions often gloss over important cyber security details. This guide helps you verify if the server-client interaction is set up correctly and securely, protecting both your business and your customers.

Checking Server Communication – A Step-by-Step Guide

1. Understand the Expected Flow: Before anything else, clearly document *how* the integration is supposed to work. This includes:
   • What data does your server send to the merchant?
   • What data does the merchant send back?
   • Which server initiates communication (your server or theirs)?
   • What protocol is used (HTTPS, etc.)?
2. Verify HTTPS: This is non-negotiable for any financial transaction data.
   • Check the merchant’s website certificate. It should be valid and issued by a trusted Certificate Authority. Look for the padlock icon in your browser’s address bar.
   • Ensure *all* communication uses HTTPS (https://) not just the login page. Mixed content warnings are a security risk.
3. Inspect Network Traffic: Use a tool like your browser’s developer tools or Wireshark to see exactly what’s being sent back and forth.
   • Browser Developer Tools: Open the ‘Network’ tab before initiating any interaction with the merchant. Filter by XHR/Fetch requests to focus on data exchange.
   • Wireshark (Advanced): Capture network traffic during integration testing. Filter for the merchant’s domain and port 443 (HTTPS). Be careful handling sensitive data captured in Wireshark – it’s unencrypted until decrypted.
4. Data Validation: Confirm that all data sent to and from the merchant is properly validated.
   • Input Validation on Your Server: Never trust user input! Sanitize and validate *all* data before sending it to the merchant. Prevent SQL injection, cross-site scripting (XSS), and other attacks.
   • Output Validation: Check the responses from the merchant for unexpected or malicious content. Ensure data types are as expected.
5. Check API Keys & Credentials:
   • Are API keys stored securely on your server? Avoid hardcoding them directly into your code. Use environment variables or a secure configuration management system.
   • Ensure the merchant doesn’t request sensitive credentials (like full credit card details) that they shouldn’t need. They should only require tokens for processing payments.
6. Review Error Handling:
   • How does the integration handle errors? Does it display helpful error messages to the user without revealing sensitive information about your server or the merchant’s system?
   • Log errors securely for debugging, but avoid logging sensitive data.
7. Test with Dummy Data: Use test API keys and dummy credit card numbers (provided by the merchant) to simulate transactions without real money changing hands.
   • This allows you to verify the integration flow without risking financial loss.
8. Server-Side Communication Only: Crucially, all sensitive communication should happen server-side. Never process payment information directly in the user’s browser.

   // Example of secure server-to-server request (using Python)

   import requests
   
   url = 'https://api.merchant.com/process_payment'
   headers = {'Authorization': 'Bearer YOUR_API_KEY'}
   data = {'amount': 100, 'token': 'PAYMENT_TOKEN'}
   response = requests.post(url, headers=headers, json=data)
   
   if response.status_code == 200:
       # Process successful response
   else:
       # Handle error

9. Regular Security Audits: Schedule regular security audits of your integration to identify and address potential vulnerabilities.