Sending cardholder data over public networks

If cardholder data is to be sent over public networks, IBM® Safer Payments must also validate the SSL certificates, and multi-factor authentication must be enforced for the API.

If cardholder data is to be sent over public networks, IBM Safer Payments must validate the SSL client certificates for MCI and ECI. Furthermore, API access needs to be secured by using multi-factor authentication. Use either a third-party solution, for example a VPN, or activate the validation of individual API client certificates as the second authentication factor.

Ensure that the Validate client certificate CN option is enabled. This enforces individual certificates for each user. Each user certificate must use the user's login name as the common name (CN).

Note: Before you activate this option, create client certificates at least for IBM Safer Payments administrators. For more information, see Creating certificates with OpenSSL.

To configure TLS encryption for FLI communication (the synchronisation between instances), you must configure FLI to use asynchronous message transfers. Without asynchronous message transfers, FLI communication cannot use TLS encryption. To enable asynchronous message transfers for FLI, open the FastLink interface configuration.

  1. Click Administration > System > Configuration.
  2. Scroll down to the FastLink Interface section.
  3. Select the Asynchronous message transfer checkbox.

To change the API, MCI, and ECI settings, open the instance configuration for each cluster instance.
  1. Click the Cluster tab.
  2. Select a cluster instance.
  3. Scroll down to the Message Command Interface (MCI) section and select the Validate client certificate checkbox for each endpoint.
  4. Enter the correct path to the CA certificate file in Client CA certificate file.
    Figure 1. Message Command Interface (MCI) section
  5. Click the Application Programming tab. Select the Validate client certificate checkbox.
    Note: You need a client CA certificate for each IBM Safer Payments instance, and a corresponding certificate for each service consumer that is used to access IBM Safer Payments.
  6. Enter the correct path to the CA certificate file in Client CA certificate file.
    Figure 2. Application Programming Interface (API) section
  7. Click the Encrypted Communication tab. Scroll down within the instance settings to the Encrypted Communication Interface section.
    Figure 3. Encrypted Communication Interface (ECI) section
  8. Select the Validate server certificate and Validate client certificate checkboxes.
    Note: You need both a server and client CA certificate for each IBM Safer Payments instance, and a corresponding client certificate.

    The encrypted private key is usually stored within the client certificate file but can optionally be stored in a separate file. If it is stored separately, the Client certificate private key file entry must point to that file.

  9. Place the files in the /key/ directory of the instance.
  10. Optionally, use Server CRL file / path and Client CRL file / path to define the certificate revocation lists against which server and client certificates are checked.
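The per-user client certificate and the two checks the options above stand for (the certificate chains to the instance's client CA, and its CN equals the user's login name), as an added shell example that is not part of the IBM documentation. It assumes openssl is on PATH; the file names, the rsa:2048 key size and the user names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the IBM Safer Payments documentation. Issues a per-user
# client certificate whose CN is the user's login name, then performs the checks
# that "Validate client certificate" (chain to the client CA) and
# "Validate client certificate CN" (CN equals the login name) stand for.
# Assumes openssl is on PATH; all file names and the key size are constructed.
set -e

WORK=$(mktemp -d)
CA_KEY="$WORK/client-ca.key"
CA_CERT="$WORK/client-ca.pem"   # what "Client CA certificate file" would point at

# Self-signed client CA for the instance.
make_client_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CERT" \
    -subj "/CN=Safer Payments client CA" -days 365 >/dev/null 2>&1
}

# One certificate per user, CN = login name. Prints the certificate path.
issue_user_cert() {
  login="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$login.key" \
    -out "$WORK/$login.csr" -subj "/CN=$login" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$login.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$WORK/$login.pem" -days 90 >/dev/null 2>&1
  echo "$WORK/$login.pem"
}

# Server-side check: the presented certificate must verify against the client
# CA, and its CN must equal the login name the caller claims. 0 = accepted.
validate_client_cert() {
  cert="$1"; login="$2"
  openssl verify -CAfile "$CA_CERT" "$cert" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$login" ]
}

make_client_ca
ALICE=$(issue_user_cert alice)
# A certificate with the right CN but signed by some other CA must fail too.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -out "$WORK/rogue.pem" -subj "/CN=alice" -days 1 >/dev/null 2>&1
ROGUE="$WORK/rogue.pem"

validate_client_cert "$ALICE" alice && echo "alice with alice's cert: accepted"
validate_client_cert "$ALICE" bob   || echo "bob with alice's cert: rejected (CN)"
validate_client_cert "$ROGUE" alice || echo "alice with rogue cert: rejected (CA)"
```

In the product the chain check corresponds to the Client CA certificate file setting and the CN check to Validate client certificate CN; a CRL configured under Client CRL file / path would additionally reject a revoked user certificate.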