Securing The Online Shop

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a binding set of rules and procedures established in 2004 by four major credit card companies (Visa, Mastercard, Discover and American Express). It is aimed at companies that accept credit cards as a payment method. The primary objective of PCI DSS is the prevention of fraud and of theft of credit card data on the Internet.

Self-Assessment Questionnaires

Self-Assessment Questionnaires (SAQ) are tools that merchants use, upon request by the acquirer, to determine whether the online shop meets the applicable PCI DSS requirements.

SAQ Compliance for the Online Shop

To ensure the highest level of data security, the acquirer will request that the merchant fill out a specific Self-Assessment Questionnaire (SAQ) before concluding an acceptance contract. The handling and management of sensitive financial data in online shops is always a crucial issue when fulfilling the relevant SAQs and obtaining PCI compliance. However, there is no need for the online shop to handle or store sensitive data, since all financial and personal data required for the payment process are handled by the QENTA Checkout Server.

When choosing QENTA as the PCI-compliant third-party payment processor, it becomes much easier to comply with the SAQ requested by the acquirer, and no additional PCI compliance validation of the online shop itself is required.

Applicable SAQs for QENTA Solutions

There are various SAQ versions available to select from to best suit the business profile. The following SAQs are applicable when using QENTA products:

SAQ A
  Business scenario: Applicable for card-not-present merchants, when all cardholder data functions are outsourced to a PCI-compliant payment processor. Eligible e-commerce implementations: the merchant website is entirely hosted and administered by a compliant third-party payment processor, or provides an iframe to a PCI-compliant third-party payment processor, or contains a URL link redirecting consumers from the merchant website to a PCI-compliant payment processor. See the implementation examples eligible for SAQ A vs. SAQ A-EP for more information and details.
  Applicable QENTA solutions:
  • QPAY Checkout Page in the native app as a web view.
  • QMORE Checkout Seamless with "PCI DSS SAQ A Compliance" in the native app as a web view.

SAQ A-EP
  Business scenario: Applicable for card-not-present merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process or transmit any cardholder data on their systems or premises.
  Applicable QENTA solutions:
  • QMORE Checkout Seamless without "PCI DSS SAQ A Compliance" in the native app as a web view.

SAQ C-VT
  Business scenario: Applicable for merchants using only web-based virtual terminals, without electronic cardholder data storage.
  Applicable QENTA solutions:
  • QCALL Checkout Terminal

SAQ D
  Business scenario: All other merchants not covered by any other SAQ, and all service providers defined by a payment brand as eligible to complete an SAQ.
  Applicable QENTA solutions:
  • QFILE Checkout Automated

Store the file(s) in which the secret or password is defined in a folder on the web server's file system that cannot be reached by users accessing the web server through their web browsers (i.e. outside the document root).

Encrypting the online shop

It is strongly recommended to encrypt all communication with the online shop, so that it can only be accessed over a secure connection via https.

QPAY Checkout Page and QMORE Checkout Seamless also use secure communication based on https. If the online shop, or parts of it, are accessed via http, the web browser will show the consumer a security warning.

Saving order data and payment process results

It is strongly recommended to save all relevant order data of each purchase and of each consumer before starting QPAY Checkout Page or QMORE Checkout Seamless, and to save the payment process results immediately after the consumer has made the payment. This way each order can be assigned to and correlated with the relevant payment process results at a later date.

Disabling change of shopping basket

Ensure, within the functionality of the online shop, that the consumer has no possibility to change the items in the shopping basket once the payment process has been started.

Check regularly for security updates for all software used within the online shop, the database, and the web server, and apply them.

Consult OWASP regarding typical security risks and their impact on online shops.

Scheduled Backups

Configure scheduled backups of all order and checkout-related information of the online shop's consumers, so that the merchant has these data at their disposal in case of later complaints or fraud.

Secret

A secret is a pre-shared key that is only known to the merchant, the integrator of the online shop and QENTA Payment CEE.

The secret is used to secure the transfer of all sensitive parameters and their values between the online shop and the QPAY Checkout Page and QMORE Checkout Seamless.

  • To ensure secure communication it is essential to NEVER disclose or share the pre-shared key with persons who are not involved in developing the online shop!

  • Never forward this pre-shared key via unsecured communication channels. When the pre-shared key is submitted by fax make sure that the contents of the fax are disclosed only to the intended and authorized persons!

  • Never send the secret as a parameter to the QPAY Checkout Page or QMORE Checkout Seamless!

If there is any suspicion that the pre-shared key is known to unauthorized persons contact our integration specialists immediately to request the creation and submission of a new secret.

Fingerprint

A fingerprint is a method to ensure that sensitive parameters and their values sent from the online shop to the QENTA Checkout Server and vice versa are not changed by anyone while transferring the data over the Internet.

A fingerprint is created by concatenating all parameter values into a single string (the fingerprint seed) and computing an HMAC-SHA-512 over this string, using the secret as the cryptographic key.

When submitting data from the online shop to QENTA Checkout products, the merchant also transmits the fingerprint together with the names and order of all parameters used for creating it. The QENTA Checkout Server then computes the fingerprint of all received parameter values with the secret stored for the merchant on the QENTA Checkout Server. If the transmitted fingerprint and the fingerprint computed on the QENTA Checkout Server are identical, the parameter values transmitted by the merchant were not modified in transit, e.g. during a man-in-the-middle attack.

For response fingerprint calculation: if magic_quotes_gpc or magic_quotes_runtime is enabled on the server or in the shop, use stripslashes() to remove the escaping slashes that were added to the received values before building the fingerprint seed; otherwise the seed will not match the one the QENTA Checkout Server computed.
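The following is an added example, not code from the QENTA documentation, showing how the fingerprint scheme described above works on both sides: the shop builds the seed from the parameter values in a declared order, keys HMAC-SHA-512 with the pre-shared secret, and the receiver recomputes and compares in constant time. It also shows the response-side check with magic_quotes escaping undone (the Python equivalent of PHP stripslashes()). The parameter names (amount, currency, orderNumber, fingerprintOrder, fingerprint), the secret and all sample values are constructed for the illustration; the real parameter names come from the QENTA integration documentation.

```python
import hashlib
import hmac

# Constructed values for this example. This is NOT a real QENTA pre-shared key.
SECRET = "example-pre-shared-secret-do-not-reuse"

# Parameter names are assumptions for the illustration, not QENTA's actual names.
ORDER_PARAM = "fingerprintOrder"   # comma-separated list of fingerprinted parameter names
FINGERPRINT_PARAM = "fingerprint"  # the HMAC-SHA-512 hex digest


def compute_fingerprint(params, order, secret):
    """Concatenate the values of `params` in the given order into the seed string
    and return its HMAC-SHA-512 (hex), keyed with the pre-shared secret."""
    seed = "".join(str(params[name]) for name in order)
    return hmac.new(secret.encode("utf-8"), seed.encode("utf-8"), hashlib.sha512).hexdigest()


def build_request(params, order, secret):
    """Shop side: attach the parameter order and the fingerprint to the request.
    The order list is itself part of the fingerprinted values, so it cannot be
    altered in transit. The secret is never sent as a parameter."""
    request = dict(params)
    request[ORDER_PARAM] = ",".join(order)
    request[FINGERPRINT_PARAM] = compute_fingerprint(request, order, secret)
    return request


def strip_magic_quotes(value):
    """Python equivalent of PHP stripslashes(): drop each backslash and keep the
    character after it literally (\\' -> ', \\\\ -> \\); a trailing lone backslash is dropped."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            i += 1
            if i == len(value):
                break
            ch = value[i]
        out.append(ch)
        i += 1
    return "".join(out)


def verify_fingerprint(message, secret, required=(), strip_slashes=False):
    """Receiver side: recompute the fingerprint from the received values in the
    transmitted order and compare it in constant time.

    `required` names parameters that must be covered by the fingerprint, so a
    sender cannot simply leave e.g. the amount out of the fingerprinted set.
    `strip_slashes` undoes magic_quotes escaping before the seed is rebuilt."""
    try:
        order = message[ORDER_PARAM].split(",")
        received = str(message[FINGERPRINT_PARAM])
    except KeyError:
        return False
    if not set(required).issubset(order):
        return False
    values = {}
    for name in order:
        if name not in message:
            return False
        value = str(message[name])
        values[name] = strip_magic_quotes(value) if strip_slashes else value
    expected = compute_fingerprint(values, order, secret)
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def demo():
    """Round trip: a valid request verifies, a tampered amount does not."""
    order = ["amount", "currency", "orderNumber", ORDER_PARAM]
    params = {"amount": "100.00", "currency": "EUR", "orderNumber": "4711"}
    request = build_request(params, order, SECRET)
    valid = verify_fingerprint(request, SECRET, required=("amount", "currency"))
    tampered = dict(request, amount="1.00")
    return valid, verify_fingerprint(tampered, SECRET, required=("amount", "currency"))


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for a shop that verifies the response fingerprint on its confirmUrl: compare with a constant-time function rather than `==`, and check that the parameters the shop relies on (amount, currency, order number, payment state) are actually covered by the transmitted order list before trusting them.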

Firewall Settings

When integrating QPAY Checkout Page or QMORE Checkout Seamless into the online shop, adjust the security settings of the firewall and enable outgoing communication to the following server:
api.qenta.com (212.183.46.18)

To receive confirmation information from QENTA regarding a transaction via the confirmUrl, enable incoming communication from the following IP address range: 212.183.46.16/28.