PayJunction Security Requirements and Best Practices for Merchants and Developers

To better serve our customers, PayJunction has created a knowledge base called the "PayJunction Security Requirements and Best Practices for Merchants and Developers."

This knowledge base is designed to give you simple and specific supplemental information that will help ensure your systems maintain PCI compliance.

PayJunction will be updating this knowledge base from time to time. We believe that by sharing common mistakes, our merchants and developers can learn from them, and better protect their own systems.

Requirements

  1. Merchant shall comply with the PCI Data Security Standard (PCI DSS) located at:
    1. http://www.pcisecuritystandards.org
    2. See also: PayJunction PCI Compliance program 
  2. Merchant shall comply with the "Rules" as specified by the card brand associations:
    1. https://usa.visa.com/support/consumer/visa-rules.html
    2. https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html
    3. https://icm.aexp-static.com/Internet/NGMS/US_en/Images/MerchantPolicyOptBlue.pdf
  3. Merchant shall secure its logins and passwords at all times.
  4. Merchant shall maintain a valid SSL certificate for any website Merchant controls that processes cardholder data.
  5. Merchant shall ensure that the code used to connect to PayJunction verifies the authenticity of the SSL security certificate presented by PayJunction's website before processing any transaction. If the Merchant's code is unable to verify the authenticity of the PayJunction SSL certificate, Merchant shall decline the transaction and immediately contact PayJunction for support. This is necessary to prevent "man in the middle" attacks against the Merchant's connections.
    1. Protecting your Website and Payment Applications from Man-In-The-Middle Attacks
  6. Under no circumstance shall Merchant store, process, or transmit Cardholder Data in an unencrypted manner (see PCI DSS).
  7. Merchants are required to establish internal security policies and procedures to protect sensitive data including cardholder accounts and ACH Entry Data in accordance with the rules of PCI and NACHA.
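The following is an added example illustrating requirement 5; it is not PayJunction's own client code or API. It assumes a placeholder endpoint (`payjunction.invalid`), a hypothetical JSON payload, and two constructed stand-in transports so it runs offline: the client builds a TLS context that requires a trusted certificate chain and a matching hostname, sends the transaction only through that context, and on a certificate verification failure declines locally rather than retrying with verification relaxed. The `context_verifies_peer` helper is the check a code audit would apply to find clients that have switched verification off.

```python
"""Added example for requirement 5: connect to the gateway only over a TLS
session whose certificate chain and hostname verify, and decline the
transaction otherwise.  Illustrative code written for this article, not
PayJunction's own client library; the URL below is a placeholder."""
import json
import ssl
import urllib.error
import urllib.request

# Placeholder: the real PayJunction API host and path are not given on this page.
PAYJUNCTION_URL = "https://payjunction.invalid/transactions"


def make_verifying_context() -> ssl.SSLContext:
    """Client context that rejects any peer whose certificate does not chain to
    a trusted CA or whose name does not match the requested host."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def disabled_verification_context() -> ssl.SSLContext:
    """The weak setting a code audit should flag: verification switched off.
    Built here only so the audit check below has something to reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # order matters: hostname check off first,
    ctx.verify_mode = ssl.CERT_NONE     # then chain validation off
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context will refuse an unverifiable peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_post_json(url: str, payload: dict, ctx: ssl.SSLContext) -> dict:
    """Real transport: HTTPS POST through the verifying context."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def simulated_mitm_transport(url: str, payload: dict, ctx: ssl.SSLContext) -> dict:
    """Constructed stand-in for a connection answered by a host presenting an
    untrusted certificate: raises what the ssl module raises in that case."""
    raise ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate in chain")


def simulated_ok_transport(url: str, payload: dict, ctx: ssl.SSLContext) -> dict:
    """Constructed stand-in for a verified connection and a gateway reply."""
    if not context_verifies_peer(ctx):
        raise AssertionError("client must not connect without verification")
    return {"approved": True, "transactionId": "CONSTRUCTED-0001"}


def _is_certificate_failure(exc: Exception) -> bool:
    """urllib wraps SSL errors in URLError; unwrap so both shapes are caught."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return True
    return isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, ssl.SSLCertVerificationError)


def submit_transaction(payload: dict, transport=https_post_json, url: str = PAYJUNCTION_URL) -> dict:
    """Send one transaction.  On a certificate failure the transaction is
    declined locally (never retried with verification relaxed) so the merchant
    can contact PayJunction, as requirement 5 directs."""
    ctx = make_verifying_context()
    try:
        reply = transport(url, payload, ctx)
    except (ssl.SSLError, urllib.error.URLError) as exc:
        if _is_certificate_failure(exc):
            return {"status": "declined", "reason": "certificate verification failed", "detail": str(exc)}
        return {"status": "error", "reason": "transport failure", "detail": str(exc)}
    return {"status": "submitted", "gatewayReply": reply}


if __name__ == "__main__":
    sample = {"amountBase": "1.00", "cardNumber": "[tokenized]"}  # constructed, no real PAN
    print(submit_transaction(sample, transport=simulated_ok_transport))
    print(submit_transaction(sample, transport=simulated_mitm_transport))
```

The design point is that the decline path is the only response to a verification failure: the code has no fallback that lowers `verify_mode` or `check_hostname`, so an interposed host with an untrusted certificate cannot obtain cardholder data from this client. A grep for `CERT_NONE` or `check_hostname = False` (or, in other stacks, `verify=False` and `CURLOPT_SSL_VERIFYPEER` set to 0) is the quickest way to find client code that fails this requirement.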

Best Practices

It is recommended that Merchant use SSL certificates with keys of at least 2048 bits where applicable. The SSL certificate industry as a whole is moving away from certificates with keys of 1024 bits or less, since it has been determined that a 1024-bit key on an individual certificate no longer provides a sufficient level of protection.