Sending cardholder data over public networks
If cardholder data is to be sent over public networks, IBM® Safer Payments must validate the TLS (SSL) client certificates, and multi-factor authentication must be enforced for API access.
If cardholder data is to be sent over public networks, IBM Safer Payments must validate the SSL client certificates for the Message Command Interface (MCI) and the Encrypted Communication Interface (ECI). Furthermore, API access must be secured with multi-factor authentication. Use either a third-party solution, for example, a VPN, or activate the validation of individual API client certificates as the second authentication factor.
Ensure that the Validate client certificate CN option is enabled. This enforces an individual certificate for each user: each user certificate must use the user's login name as the common name (CN). Without this option, any certificate issued by the trusted client CA is accepted, regardless of which user it was issued to, so CA validation alone does not bind a certificate to a login.
To configure TLS encryption for FLI communication (the synchronization between instances), you must configure FLI to use asynchronous message transfers. Without asynchronous message transfers, FLI communication cannot use TLS encryption. To enable asynchronous message transfers for FLI, open the FastLink interface configuration.
- Click .
- Scroll down to the FastLink Interface section.
- Select the Asynchronous message transfer checkbox.
- Click the Cluster tab.
- Select a cluster instance.
- Scroll down to the Message Command Interface (MCI) section and select the Validate client certificate checkbox for each endpoint.
- Enter the correct path to the CA certificate file in Client CA certificate file.
- Click the Application Programming tab. Select the Validate client certificate checkbox. Note: You need a client CA certificate for each IBM Safer Payments instance, and a corresponding certificate for each service consumer that is used to access IBM Safer Payments.
- Enter the correct path to the CA certificate file in Client CA certificate file.
- Click the Encrypted Communication tab. Scroll down within the instance settings to the Encrypted Communication Interface section.
- Select the Validate server certificate and Validate client certificate checkboxes. Note: You need both a server and a client CA certificate for each IBM Safer Payments instance, and a corresponding client certificate.
The encrypted private key is usually stored within the client certificate file but can optionally be stored in a separate file. If it is stored separately, set Client certificate private key file to that file's location.
- Place the files in the /key/ directory of the instance.
- Optionally, Server CRL file / path and Client CRL file / path can be used to define certificate revocation lists. Without a CRL, a certificate that has been revoked by the CA is still accepted until it expires.
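The steps above assume that a client CA certificate and per-user client certificates already exist. The following script, added here as an example and not part of IBM Safer Payments or its documentation, shows one way to produce them with OpenSSL and to check, before placing them in the instance's /key/ directory, that a certificate chains to the CA and that its CN equals the user's login name (the property that Validate client certificate CN enforces). The directory name `KEYDIR`, the file names, the CA subject and the 90-day validity are assumptions; a separate server CA and CRL handling are not covered.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): build a private client CA, issue one
# client certificate per user with CN = login name, and verify chain + CN.
# KEYDIR is an assumption; point it at the instance's /key/ directory in use.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

make_ca() {
  # Self-signed CA; its certificate is what goes into "Client CA certificate file".
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Safer Payments Client CA" \
    -keyout "$KEYDIR/client-ca.key" -out "$KEYDIR/client-ca.crt"
}

make_user_cert() {
  # $1 = login name. The CN must be exactly the login name so that
  # "Validate client certificate CN" accepts the certificate for that user.
  login="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$login" \
    -keyout "$KEYDIR/$login.key" -out "$KEYDIR/$login.csr"
  openssl x509 -req -in "$KEYDIR/$login.csr" \
    -CA "$KEYDIR/client-ca.crt" -CAkey "$KEYDIR/client-ca.key" \
    -CAcreateserial -days 90 -out "$KEYDIR/$login.crt"
  # Bundle certificate and private key in one file, as the page says is usual;
  # keep the .key if you prefer "Client certificate private key file" instead.
  cat "$KEYDIR/$login.crt" "$KEYDIR/$login.key" > "$KEYDIR/$login.pem"
}

cert_cn() {
  # Print the CN of the first certificate in $1, using RFC2253 output so the
  # format is the same across OpenSSL versions ("subject=CN=alice").
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

check_user_cert() {
  # Return 0 only if $2 chains to our client CA AND its CN equals login $1.
  # This mirrors what the instance does with CA validation plus CN validation.
  login="$1"; cert="$2"
  openssl verify -CAfile "$KEYDIR/client-ca.crt" "$cert" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$cert")" = "$login" ]
}
```

Run `make_ca` once per instance, `make_user_cert <login>` once per user or service consumer, and `check_user_cert <login> <cert>` before copying a bundle into /key/. A certificate that was issued by the CA but for a different login fails the CN check, which is exactly the case that CA validation alone would let through.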