API Security
The REST API uses a Bearer Token, which is created for you by the Authentication server from an 8-digit API username and a 36-character API key. Bearer Tokens are valid for only 60 minutes.
A valid bearer token must be sent with all API Requests.
Integrations can limit their PCI DSS exposure by using the Payrix JavaScript library. This works by encrypting the payer's card client side, so the card data never leaves the client in plain text. Once generated, the token can be passed from the integration's environment on to Payrix.
Each card token is encrypted using RSA encryption with 2048-bit key size.
These tokens must either be used for a transaction or saved to a payer within 20 minutes; otherwise the token expires. Once a card is saved against a payer, transactions can be generated by the partner software without access to the card data, which further limits the partner software's handling of card data.
For additional security, and to minimise exposure of the API key and password, the JavaScript token uses a Business Key that is independent of the other security credentials.