Best Practices and Data Security Compliance
Note
Support for the GET method is deprecated for Process.do and ProcessXML.do. Do not use GET to post transaction requests to Converge.
Important
New API Parameters:
- We will occasionally add new API parameters in Converge’s responses and Export Scripts (webhooks). We urge you to build flexibility into your integrated application so that when a new API parameter is received in the response, it is ignored by your application until you decide to take action on the new parameter.
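One way to build in that flexibility, as an added example that is not Elavon's code: the handler acts only on an allow-list of fields and sets unrecognized parameters aside instead of failing. The newline-separated key=value body and the field names used here are assumptions for illustration; substitute the response format and fields your integration actually consumes.

```python
# Added example. Field names and the key=value body format are assumptions.
KNOWN_FIELDS = {"ssl_result", "ssl_result_message", "ssl_txn_id", "ssl_amount"}
REQUIRED_FIELDS = {"ssl_result"}


def parse_response(body):
    """Return (known, ignored_names) from a newline-separated key=value body.

    Unknown parameters never raise: their names are collected so they can be
    logged and reviewed later. Their values are dropped, because a parameter
    added in future could carry data that should not reach application logs.
    """
    known, ignored = {}, []
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        key = key.strip()
        if not sep or not key:
            continue  # blank or malformed line: skip it, do not fail
        if key not in KNOWN_FIELDS:
            ignored.append(key)
        elif key in known:
            # A repeated known parameter is ambiguous; fail closed.
            raise ValueError(f"duplicate parameter: {key}")
        else:
            known[key] = value.strip()
    missing = REQUIRED_FIELDS - known.keys()
    if missing:
        raise ValueError(f"missing required parameter(s): {sorted(missing)}")
    return known, sorted(ignored)


# Constructed sample: the last two parameters are invented to stand in for
# fields added after the integration was written.
SAMPLE = """ssl_result=0
ssl_result_message=APPROVAL
ssl_txn_id=EXAMPLE-TXN-0001
ssl_amount=10.00
ssl_future_param=anything
ssl_another_new_param=
"""

if __name__ == "__main__":
    fields, skipped = parse_response(SAMPLE)
    print("acting on:", fields)
    print("ignored (names only):", skipped)
```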
Integration Best Practices
These integration best practices describe ways to increase data security and reduce the risks of fraudulent activities.
- Use HTTP referrers on terminals to only accept transactions from a pre-approved list of websites.
- Elavon strongly recommends passing and storing sensitive/confidential merchant data and Converge credentials through server-side code instead of client-side code.
- Do not use iFrame with any integration methods or payment options besides Lightbox.
- Always submit data to Converge through Hyper Text Transfer Protocol Secure (HTTPS) using the POST method.
- Establish an adequate timeout value to prepare for delays or connection issues. Elavon recommends setting the timeout value to 30 – 60 seconds.
- Set up a duplicate check rule in the terminal to prevent processing the same transaction more than one time.
- Generate an End of Day summary report before settlement to compare and match the data with the POS system.
- Use the Auto Pend feature on accounts that automatically settle to be able to review transactions and prevent settling fraudulent transactions.
- Elavon recommends creating a user ID (different from the Merchant Admin account) to manage the daily activities such as transaction processing from websites, transaction reviews, and settlements.
- Converge API requires the passing of a user ID for all transaction requests. This user ID must be different from the user ID for logging in to the Converge user interface. The user ID passed in the transaction request must be associated with the PIN of the terminal that will process the transaction.
- Set terminal options in the Converge Administrative page instead of the payment page.
- Set business rules to build constraints that match the merchant’s business needs and to control the manner by which transactions are handled.
- Set up fraud prevention rules to prevent suspicious and costly fraudulent transactions.
- Elavon recommends not using custom fields to pass sensitive data like the full card number, expiration date, Track data, and card security code.
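A server-side pre-flight check for three of the practices above (HTTPS with POST, a 30 to 60 second timeout, and no card data in custom fields), as an added example that is not part of Converge or Elavon's code. The host name, function names and custom field names are hypothetical, and the check detects card numbers and track data only, since expiration dates and security codes are too short to recognize by pattern.

```python
import re
from urllib.parse import urlsplit

TIMEOUT_RANGE = (30, 60)  # seconds, the range recommended above
# Track 1 starts "%B<PAN>^", Track 2 starts ";<PAN>=".
TRACK_RE = re.compile(r"%B\d{12,19}\^|;\d{12,19}=")
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def sensitive_reason(value):
    """Return what kind of card data the value looks like, or None."""
    if TRACK_RE.search(value):
        return "track data"
    for match in PAN_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return "card number"
    return None


def preflight(url, method, timeout, custom_fields):
    """List the best-practice violations in a request; empty means send it."""
    problems = []
    if urlsplit(url).scheme.lower() != "https":
        problems.append("endpoint is not HTTPS")
    if method.upper() != "POST":
        problems.append("method is not POST")
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        problems.append("timeout outside 30-60 seconds")
    for name, value in custom_fields.items():
        reason = sensitive_reason(str(value))
        if reason:
            problems.append(f"custom field {name} contains {reason}")
    return problems


if __name__ == "__main__":
    # Constructed inputs; 4111 1111 1111 1111 is a well-known test number.
    print(preflight("https://gateway.example/Process.do", "POST", 45,
                    {"order_ref": "ORDER-20240117-0042"}))
    print(preflight("http://gateway.example/Process.do", "GET", 5,
                    {"memo": "card 4111 1111 1111 1111"}))
```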
Data Security Compliance
Elavon requires merchants and integrators that use Converge to support customer compliance with the Payment Card Industry–Data Security Standard (PCI-DSS) guidelines. The PCI-DSS are a set of requirements that enhance the security of payment account data. The core principles and requirements of the PCI-DSS are as follows:
- Build and Maintain Secure Networks
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regular Network Monitoring and Testing
- Maintain Information Security Policies
The Payment Application–Data Security Standard (PA–DSS) provides merchants and integrators with the guidelines to develop secure payment applications that follow the PCI–DSS and don’t store sensitive data. The summarized PA–DSS guidelines that payment applications integrating to Converge must comply with are:
- Non-retention of full magnetic stripe data, card validation code (CAV2, CID, CVV2, CVC2), or PIN block data.
- Protection of stored cardholder data.
- Availability of secure authentication features.
- Logging of payment application activities.
- Protection for wireless transmissions.
- Facilitation of secure network implementations.
- Non-collection and storing of cardholder data on an Internet-connected server.
- Facilitation of secure remote network updates.
- Facilitation of secure remote access to payment applications.
- Encryption of sensitive traffic over public networks.
- Encryption of all non-console administrative access.
- Maintenance of instructional documentation and training programs for customers, resellers, and integrators.
This table lists the PCI-DSS and PA-DSS resources for Data Security Compliance.
Resource | Description |
---|---|
PCI Security Standards Council | An open global forum for ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. |
PCI Security Documents Library | A list of documents covering a range of Payments Card Industry topics. If you need more information on PCI security and compliance, you can probably find some information here. |
PIN Transaction Security (PTS) Devices | List of approved PTS devices. |
Payment Application–Data Security Standard (PA-DSS) | Complete list and description of PA–DSS guidelines. |
PA–DSS Program Guide | PCI’s PA–DSS Program Guide. |