All requests submitted to the Base Commerce Platform are transmitted over an HTTPS connection. In addition to using the TLS 1.2 protocol, we also require that the payload (the financial information) of each request and response be Triple DES encrypted.
Each merchant and development partner is issued a unique username, password, and transaction key that are used when communicating with the platform. On the client side of the SDK, the transaction key is used to Triple DES encrypt the payload of the request, which is then submitted to our servers along with the username and password over TLS 1.2; our servers retrieve the key associated with that username and password and use it to decrypt the request. This added layer of encryption provides protection against the possibility of compromised SSL certificates and man-in-the-middle attacks.
In addition to secure coding practices, Base Commerce also uses a physical layer of protection in cardholder-present environments. By selecting a device from our approved hardware list, your cardholder data is encrypted at the magnetic head when the card is swiped, using a unique key for each transaction on each device. This is the DUKPT (Derived Unique Key Per Transaction) key management scheme. This added layer of protection in the physical world protects against malicious software that may be installed on your users' devices, which is what led to the largest cardholder data breach in 2014 at several large retailers.
If you are not already utilizing jQuery within your website, include the following script tag as well:
This method looks for the form fields "credit_card_number", "credit_card_cvv", "routing_number", and "account_number" and encrypts their contents before the form is sent to your server. If you are not using these field names, or want to specify your own, use the following:
Alternatively, if you do not want it to overwrite your form and only want the fields encrypted, initialize the CipherPay object and then call the following to encrypt those fields:
CipherPay then encrypts the data in the specified fields before it is transmitted to your servers. Once the encrypted data reaches your server, set the appropriate fields in our SDK as follows: