PayFields and PayFrames are used as a hosted checkout field on public payment pages, such as shopping card checkout, company payment pages, donation pages, and other publicly viewable payment pages.
As these payment pages are used publicly with customers, they may become vulnerable to general card testing misuse or attacks. To mitigate these types of security risks and deter misuse, follow the best practices for security while using PayFields in a public setting.
API Keys, used to authenticate the PayFields transaction, can be public or private. It is important to follow the best practices below to ensure you’re using the correct API Key. Each API key will also inherit the level of access from the user that it is associated with.
Users can add take simple steps with their API Keys to keep them secure and prevent card testing misuse and attacks:
Never use a private API Key to configure a public PayFields payment page.
Create a dedicated user to host the API key and control or limit access.
Create new “rolling” API Keys every 6 hours if you suspect your original API key has been compromised. (See steps below).
Utilizing your private/master API key, create a new API key using the dedicated user from earlier.
Apply this new API key to your PayFields set up
Every 6 hours, create another new API key with the dedicated user, and update the PayFields API Key.
Delete the previous API key 2 hours after you have updated the PayFields.
It is best to wait about 2 hours to deactivate the previous API key as a user may have the page opened, where old key is still cached.
More Best Practices
Using PayFields to Create Payment Tokens
By using PayFields to create a token rather than directly process the transaction you could prevent actual card transactions from being attempted unless processed through the API using a tokenized version of the card, adding an additional layer of security.
This will allow you to create velocity controls within your own environment. If you notice traffic coming from a specific source that is higher than expected, you can block it before it even comes through to Payrix
See steps below to create tokens with PayFields:
Create a login that will be dedicated to PayField transactions
Create a public API key associated with this login
Set the permissions on the login to only be able to create tokens
Set up your PayFields to only create tokens
When the customer runs their payment request, you will receive the token ID
Run a sale transaction from your host server via the Payrix API using the token
Respond to the customer with the result of the transaction
Add a Failed Authorization Transaction Rule
Another recommended security measure is to add a “failed authorization rule” on all Merchants.
This rule will quickly identify card testing misuse and block additional transactions after the number of declines has exceeded that rule. This lack of function will deter the misuse and mitigate any additional exposure from card testing misuse or attacks.