Best Practices and Data Security Compliance

note

Support for GET Method is deprecated for Process.do and ProcessXML.do and should not be used to post transaction requests to Converge.

important

New API Parameters:

  • We will occasionally add new API parameters in Converge’s responses and Export Scripts (webhooks). We urge you to build flexibility into your integrated application so that when a new API parameter is received in the response, it is ignored by your application until you decide to take action on the new parameter.
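As an added example of the flexibility asked for above (not Elavon's code), this parser maps only the response fields the application acts on today and records, without failing, anything it does not recognise. It assumes Process.do replies as one key=value pair per line and uses illustrative ssl_* field names.

```python
"""Tolerant parser for key=value Converge responses (added example, not Elavon's code).

Assumption: Process.do answers with one key=value pair per line; the field
names below are illustrative and an "ssl_result" of "0" is taken as approval.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("converge")

# Fields the application acts on today. Anything else is kept but ignored.
KNOWN_FIELDS = {"ssl_result", "ssl_result_message", "ssl_txn_id", "ssl_approval_code"}


@dataclass
class ConvergeResponse:
    known: dict = field(default_factory=dict)    # fields we understand
    unknown: dict = field(default_factory=dict)  # new parameters, parked for later review

    def approved(self) -> bool:
        return self.known.get("ssl_result") == "0"


def parse_response(body: str) -> ConvergeResponse:
    resp = ConvergeResponse()
    for raw in body.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # tolerate blank or malformed lines rather than abort
        key, _, value = line.partition("=")
        key = key.strip()
        if key in KNOWN_FIELDS:
            resp.known[key] = value
        else:
            # A parameter added after this code was written: record it, never fail on it
            resp.unknown[key] = value
            log.info("ignoring unrecognised response field %s", key)
    return resp


# Constructed sample response, including a hypothetical future parameter
SAMPLE = (
    "ssl_result=0\n"
    "ssl_result_message=APPROVAL\n"
    "ssl_txn_id=ABC123\n"
    "ssl_new_future_field=42\n"
)
```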

Integration Best Practices

These integration best practices describe ways to increase data security and reduce the risks of fraudulent activities.

  1. Use HTTP referrers on terminals to only accept transactions from a pre-approved list of websites.

  2. Elavon strongly recommends passing and storing sensitive/confidential merchant data and Converge credentials through server-side code instead of client-side code.

  3. Do not use iFrame with any integration methods or payment options besides Lightbox.

  4. Always submit data to Converge through Hyper Text Transfer Protocol Secure (HTTPS) using the POST method.

  5. Establish an adequate timeout value to prepare for delays or connection issues. Elavon recommends setting the timeout value to 30 – 60 seconds.

  6. Set up a duplicate check rule in the terminal to prevent processing the same transaction more than one time.

  7. Generate an End of Day summary report before settlement to compare and match the data with the POS system.

  8. Use the Auto Pend feature on accounts that automatically settle to be able to review transactions and prevent settling fraudulent transactions.

  9. Elavon recommends creating a user ID (different from the Merchant Admin account) to manage the daily activities such as transaction processing from websites, transaction reviews, and settlements.

  10. Converge API requires the passing of a user ID for all transaction requests. This user ID must be different from the user ID for logging in to the Converge user interface. The user ID passed in the transaction request must be associated with the PIN of the terminal that will process the transaction.

  11. Set terminal options in the Converge Administrative page instead of the payment page.

  12. Set business rules to build constraints that match the merchant’s business needs and to control the manner by which transactions are handled.

  13. Set up fraud prevention rules to prevent suspicious and costly fraudulent transactions.

  14. Elavon recommends not using custom fields to pass sensitive data like the full card number, expiration date, Track data, and card security code.
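The following added example (not Elavon's code) puts practices 2, 4, 5 and 14 into one server-side submission path: credentials are read from the environment rather than the browser, the request is a POST over HTTPS only, the timeout is held to the recommended 30 to 60 seconds, and custom fields are refused when a value looks like a card number. The endpoint URL is a placeholder, the ssl_* credential field names are assumed, and treating any key not prefixed "ssl_" as a custom field is an assumption of this example.

```python
# Added example, not Elavon's code. Endpoint is a placeholder; the ssl_* credential
# names and the "custom field = any key not starting with ssl_" rule are assumptions.
import os
import re
import urllib.parse
import urllib.request

ENDPOINT = "https://example.invalid/VirtualMerchant/process.do"  # placeholder URL
MIN_TIMEOUT, MAX_TIMEOUT = 30, 60  # seconds, per best practice 5


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to recognise card-number-shaped values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic: any 13-19 digit run (spaces/dashes stripped) that passes Luhn."""
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", re.sub(r"[ -]", "", value)))


def load_credentials() -> dict:
    """Credentials stay server-side: read from the environment, never from client code."""
    return {
        "ssl_merchant_id": os.environ["CONVERGE_MERCHANT_ID"],
        "ssl_user_id": os.environ["CONVERGE_USER_ID"],  # dedicated API user, not the admin
        "ssl_pin": os.environ["CONVERGE_PIN"],
    }


def build_request(fields: dict, credentials: dict, timeout: float = 30):
    """Return (urllib Request, timeout) for a POST over HTTPS, or raise on a bad setup."""
    if not ENDPOINT.startswith("https://"):
        raise ValueError("Converge must be reached over HTTPS")
    if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        raise ValueError("timeout should be 30-60 seconds")
    for key, value in fields.items():
        if not key.startswith("ssl_") and looks_like_pan(str(value)):
            raise ValueError(f"custom field {key!r} appears to carry a card number")
    body = urllib.parse.urlencode({**credentials, **fields}).encode()
    return urllib.request.Request(ENDPOINT, data=body, method="POST"), timeout


def submit(fields: dict, timeout: float = 30) -> str:
    """Send the request; the timeout guards against hung connections."""
    req, t = build_request(fields, load_credentials(), timeout)
    with urllib.request.urlopen(req, timeout=t) as resp:
        return resp.read().decode()
```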

Data Security Compliance

Elavon requires merchants and integrators that use Converge to support customer compliance with the Payment Card Industry Data Security Standard (PCI-DSS) guidelines. PCI-DSS is a set of requirements that enhance the security of payment account data. The core principles and requirements of the PCI-DSS are as follows:

  • Build and Maintain Secure Networks

  • Protect Cardholder Data

  • Maintain a Vulnerability Management Program

  • Implement Strong Access Control Measures

  • Regularly Monitor and Test Networks

  • Maintain Information Security Policies

The Payment Application Data Security Standard (PA-DSS) provides merchants and integrators with the guidelines to develop secure payment applications that follow the PCI-DSS and don’t store sensitive data. The summarized PA-DSS guidelines that payment applications integrating to Converge must comply with are:

  1. Non-retention of full magnetic stripe data, card validation code (CAV2, CID, CVV2, CVC2), or PIN block data.

  2. Protection of stored cardholder data.

  3. Availability of secure authentication features.

  4. Logging of payment application activities.

  5. Protection for wireless transmissions.

  6. Facilitation of secure network implementations.

  7. Non-collection and storing of cardholder data on an Internet-connected server.

  8. Facilitation of secure remote network updates.

  9. Facilitation of secure remote access to payment applications.

  10. Encryption of sensitive traffic over public networks.

  11. Encryption of all non-console administrative access.

  12. Maintenance of instructional documentation and training programs for customers, resellers, and integrators.

This table lists the PCI-DSS and PA-DSS resources for Data Security Compliance.

Resource | Description
PCI Security Standards Council | An open global forum for ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.
PCI Security Documents Library | A list of documents covering a range of Payment Card Industry topics. If you need more information on PCI security and compliance, you can probably find it here.
PIN Transaction Security (PTS) Devices | List of approved PTS devices.
Payment Application Data Security Standard (PA-DSS) | Complete list and description of PA-DSS guidelines.
PA-DSS Program Guide | PCI’s PA-DSS Program Guide.