Python service

IBM® Safer Payments can feed data to external Python programs that are out of scope of IBM Safer Payments. To use external Python programs, the underlying Python service must be configured and connected to IBM Safer Payments.

If you use external Python programs to store sensitive data outside of IBM Safer Payments, you must protect this data by fulfilling PCI DSS requirements 3.4.1, 3.5, 3.6, and all applicable subrequirements.

To help identify such cases, the IBM Safer Payments PCI DSS report warns you about model revisions, including challenger revisions, that use external Python programs that reference encrypted attributes.

Important: Python programs are run by the same user that runs IBM Safer Payments. The Python program has the same operating system privileges as that user. Therefore, the permissions of that user must be as restrictive as possible. The IBM Safer Payments user privilege to edit mandators must also be used restrictively as those users are able to upload Python code into the application.

Installing Python

The following Python versions are supported:

  • Python 3.9
  • Python 3.11
  • Python 3.12

Install Python and then configure the Python service.

Configuring the Python service

When IBM Safer Payments was installed, the iris-python-service directory was created under /binaryPath. The iris-python-service directory contains the setup-python-service.sh setup script. The script automates the configuration. It provides the following options:

  • To create a new virtual environment, enter: 
    <path/to>/setup-python-environment.sh

    This creates a new virtual environment and configures its usage.

  • To reuse an existing Python interpreter or environment, enter:
    <path/to>/setup-python-environment.sh <path/to/interpreter>

    This configures the usage of a specific Python interpreter or virtual environment.

  • To use the global Python interpreter, enter: 
    <path/to> /setup-python-environment.sh -gi

    This configures the usage of the global Python interpreter. The python3 command must use an interpreter that points to version 3.9, 3.11, or 3.12.

After the Python service is successfully configured, the following files and a subdirectory are located in the iris-python-service directory:

  • python_interpreter_wrapper

    The python_interpreter_wrapper file is the callout entry point for IBM Safer Payments.

  • *.pyc

    The *.pyc files are the compiled Python service files.

  • venv_py*

    The venv_py* subdirectory contains the virtual environment. It is available only if the first option (create a new virtual environment) was used during configuration.

Important: All non-built-in Python packages that are used in Python scripts and modules must be installed in the configured environment.