...
We will continue to notify you of any suspicious authorization activity that may be potential card testing, but additionally, we worked in partnership with the Card Brands to produce a list below of best practices to assist with any mitigation efforts:
Note |
---|
Actions
|
Tip |
---|
Awareness
|
...
PayFields Best Practices
The Payrix PayFields and PayFrame products are typically used as a hosted checkout field on public payment pages, such as shopping card checkout, company payment pages, donation pages, and other publicly viewable payment pages. As these payment pages can be viewed and utilized in a public space, they can be vulnerable to to be used for card testing purposes.
It is recommend to follow a few best practices when utilizing PayFields in a public form to ensure the security of the information and to deter anyone from using PayFields for card testing:
Ensure that the API key that is used with the PayFields is a public API key:
We have two types of API keys, a public and a private key. The public key is limited to certain POST calls, while a private key can be used for GET calls, and can be used to gain more access to an account. If a payment page is public a Private API key should never be used in that page.
Created a dedicated user to host the API key:
The API key will inherit the level of access from the user that it is associated with. Creating a specific user that is designated as the user for the API key, will allow you to limit the access that the API key is granted.
Only utilize PayFields to create tokens:
This may seem counterintuitive, since PayFields has the abilty to create transactions right there, but this can add a great layer of security. Below I will outline the steps that you can take to integrate in this manner.
Expand | ||
---|---|---|
| ||
|
This will allow you to create velocity controls within your own environment. If you notice traffic coming from a specific source that is higher than expected, you can block it before it even comes through to Payrix
Add additional Transaction decisions
We recommend adding a failed authorization rule on all merchants. In the event that someone does start to use the page for card testing, this will mitigate the exposure, as they will continue to get blocked when the number of declines exceeds the rule in place, which will ultimately guide them to go elsewhere.
Create a rolling API key, so that there isn’t one API key in use for more than a specific timeframe
In the event that an API key is compromised, the shorter the amount of time it remains active will help to mitigate any potential undesired outcomes. What you can do to avoid this, is to create a rolling API key, so that a new API key is utilized every 6 hours. Below are the steps that you can use to completed this.
Expand | ||
---|---|---|
| ||
|