PayJunction Security Requirements and Best Practices for Merchants and Developers

To better serve our customers, PayJunction has created a knowledge base called the "PayJunction Security Requirements and Best Practices for Merchants and Developers."

This knowledge base is designed to give you simple and specific supplemental information that will help ensure your systems maintain PCI compliance.

PayJunction will be updating this knowledge base from time to time. We believe that by sharing common mistakes, our merchants and developers can learn from them, and better protect their own systems.

Requirements

  1. Merchant shall comply with the PCI Data Security Standard (PCI DSS) located at:
    1. http://www.pcisecuritystandards.org
  2. Merchant shall comply with the "Rules" as specified by the card brand associations:
    1. http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
    2. http://www.mastercard.com/global/merchant/index.html
    3. https://www209.americanexpress.com/merchant/singlevoice/USEng/FrontServlet?request_type=navigate&page=merchantPolicy
  3. Merchant shall secure its logins and passwords at all times.
  4. Merchant shall maintain a valid SSL certificate for any websites Merchant controls that process cardholder data.
  5. Merchant shall ensure that the code used to connect to PayJunction verifies the authenticity of the PayJunction SSL security certificate located at PayJunction's website prior to processing all transactions; if Merchant's code is unable to verify the authenticity of the PayJunction SSL certificate, Merchant shall decline the transaction and immediately contact PayJunction for support. This is necessary to prevent "man in the middle" attacks against the Merchant's connections.
    1. Protecting your Website and Payment Applications from Man-In-The-Middle Attacks
  6. Under no circumstance shall Merchant store, process, or transmit Cardholder Data in an unencrypted manner (see PCI DSS).
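
One way to implement requirement 5 in Python, shown as an added example that is not PayJunction's own code: the client verifies the gateway's certificate chain and host name during the TLS handshake and declines the transaction whenever that verification cannot be completed. The host name `gateway.example.invalid`, the function names and the request bytes are placeholders chosen for illustration.

```python
import socket
import ssl

# Placeholder host (assumption): use the API host name PayJunction gives you.
GATEWAY_HOST = "gateway.example.invalid"
GATEWAY_PORT = 443


def strict_tls_context() -> ssl.SSLContext:
    """Client context that validates the certificate chain and the host name."""
    ctx = ssl.create_default_context()      # loads the system trust store
    ctx.check_hostname = True               # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED     # an unverifiable chain aborts the handshake
    return ctx


def process_transaction(request: bytes, host=GATEWAY_HOST, port=GATEWAY_PORT,
                        ctx=None, timeout=10.0):
    """Return ("sent", response) or ("declined", reason). Fails closed."""
    if ctx is None:
        ctx = strict_tls_context()
    # Common mistake: a context whose verification was switched off elsewhere
    # (for testing, or to silence an error). Refuse to use it.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        return ("declined", "TLS verification is disabled in this context")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # The handshake runs inside wrap_socket(); the certificate is
            # verified before any cardholder data is written to the socket.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                return ("sent", tls.recv(65536))
    except ssl.SSLError as exc:             # includes SSLCertVerificationError
        return ("declined", f"TLS failure, gateway not verified: {exc}")
    except OSError as exc:                  # DNS failure, refused, timeout
        return ("declined", f"gateway unreachable: {exc}")


if __name__ == "__main__":
    # Constructed request body, not a real PayJunction message.
    status, detail = process_transaction(b"constructed-request")
    print(status, detail)
```

A "declined" result is the point at which the requirement says to stop and contact PayJunction for support, rather than retrying with verification relaxed.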

Best Practices

It is recommended that Merchant use SSL certificates with a minimum of 2048-bit encryption where applicable. The SSL certificate industry as a whole is moving away from security certificates with 1024-bit encryption or less. It has been determined that 1024-bit encryption on an individual certificate does not provide a sufficient level of protection.
