Protecting your Website and Payment Applications from Man-In-The-Middle Attacks

Our API allows merchants and developers to connect to PayJunction over an encrypted SSL/TLS connection. For your website or payment application to confirm that its connection to PayJunction has not been intercepted, all code that connects to PayJunction must verify the authenticity of our SSL certificate by performing strict server certificate verification: the certificate must chain to PayJunction's root certificate authority, and its name must match the host being contacted. It has come to our attention that some merchants have disabled SSL certificate verification for testing purposes. Encryption alone does not protect such a connection: without certificate verification your code cannot tell PayJunction's server from an attacker's, so an attacker positioned to intercept traffic (a Man-In-The-Middle) could present their own certificate and read or alter your website's or application's transaction data.

Common Mistake: Any website or application that does not verify the authenticity of PayJunction's SSL certificate when connecting to our QuickLink API.

Solution: Turn SSL verification on before connecting to PayJunction for transaction authorizations. If your website is unable to verify the authenticity of PayJunction's certificate, your website and/or application should not transmit any transaction information and should reject the customer's transaction rather than fall back to an unverified connection. If you believe your application is unable to verify the authenticity of PayJunction's certificate, contact our support department.

We have updated our knowledge base code examples to reflect best practices for verifying SSL certificates before initiating transactions. These code examples are free to view. As an example fix, we outline a common mistake found in PHP code:

Incorrect:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // accepts any certificate, including an attacker's
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // never checks that the certificate names the host

Correct:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); // certificate must chain to a trusted root CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // certificate name must match the host (use 2, not 1; only 2 enforces the check)

As you can see, the changes are small and easy to make, but they have a real effect on the security of your systems and help ensure you maintain PCI-compliant connections. Updated code examples have been provided in our support center. Should you have any questions, please contact PayJunction support.
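The two options above are the minimum. The following is an added example, not PayJunction's own sample code, showing how a PHP integration can wrap them in a helper that turns verification on, restricts the request to HTTPS and TLS 1.2 or later, and refuses to send the transaction when curl reports that the server's certificate could not be verified. The endpoint URL, the request fields, and the helper name postVerified are placeholders chosen for illustration; substitute the QuickLink API endpoint and fields from the PayJunction documentation.

```php
<?php
// Added example (not PayJunction's code): post a request over HTTPS with strict
// certificate verification, and fail closed if the server cannot be authenticated.
// The URL and request fields used below are placeholders.

/**
 * Post $fields to $url over TLS and return the response body.
 * Throws RuntimeException when the peer certificate cannot be verified or on
 * any other transport error, so the caller never "falls back" to an unverified
 * connection. $caBundle optionally pins trust to a CA file you ship yourself.
 */
function postVerified(string $url, array $fields, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                   // never follow a redirect off the API host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,         // refuse plain http:// even if $url is mistyped
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // no SSLv3 / TLS 1.0 / TLS 1.1
        CURLOPT_SSL_VERIFYPEER => true,                    // chain must lead to a trusted root CA
        CURLOPT_SSL_VERIFYHOST => 2,                       // certificate name must match the host in $url
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($caBundle !== null) {
        // Trust only this CA bundle instead of whatever the OS store happens to contain.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    if (!curl_setopt_array($ch, $opts)) {
        curl_close($ch);
        throw new RuntimeException('Failed to set curl options');
    }

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // libcurl reports a failed certificate check as 51 or 60 depending on its version.
        if (in_array($errno, [CURLE_SSL_PEER_CERTIFICATE, CURLE_SSL_CACERT], true)) {
            throw new RuntimeException("Server identity could not be verified; nothing was sent ($error)");
        }
        throw new RuntimeException("Transport error $errno: $error");
    }
    return $body;
}

// Usage: placeholder endpoint and fields, not a real PayJunction request.
try {
    $response = postVerified(
        'https://api.example.invalid/quicklink', // placeholder URL (assumption)
        ['amount' => '1.00']                     // placeholder fields (assumption)
    );
    echo $response;
} catch (RuntimeException $e) {
    // Do not retry with verification disabled: reject the customer's transaction instead.
    error_log($e->getMessage());
    exit(1);
}
```

The important behaviour is in the catch block: a verification failure is treated like a declined transaction, never as a reason to flip CURLOPT_SSL_VERIFYPEER off. If you see the verification error in production, the fix is to update the CA bundle (or the one passed as $caBundle), not to weaken the check.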
