5 Secure Communications for Simphony Payment Interface

The Simphony Payment Interface (SPI) is a set of messages exchanged between the Simphony Transaction System and Payment Service Providers (PSPs). The purpose of the interface is to securely collect electronic payments, keeping the transaction system free of Payment Card Industry (PCI) data.

Simphony configurations must use a secure channel to communicate with PSPs. The level of security varies depending on the provider. The following list contains more information about secure communications with PSPs:

  • Without TLS Support: Simphony communicates with the PSP by using a standard HTTP connection without encryption. When this configuration is used, other compensating controls (such as Microsoft NT LAN Manager) can be used to secure the network channel.

  • With TLS Support: This configuration type has two options:
    • Without Certificates: The communication is encrypted, but the PSP does not provide a certificate, so the client cannot validate the server public key.

    • With Certificates: Certificates are used to validate the server public key. The following certificate types are used by PSPs:
      • Certificates from a known Certificate Authority

      • Self-signed certificates

      • A provided .cer file
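
The client-side difference between these TLS options, as an added Python example (not Oracle's or Simphony's code; the mode names, function names and sample bytes are assumptions made for illustration). A certificate from a known Certificate Authority is verified against the system trust store, while a self-signed certificate or a provided .cer file is checked by comparing SHA-256 fingerprints after the handshake.

```python
import hashlib, hmac, socket, ssl

# Constructed sample bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"\x30\x82\x00\x40" + bytes(range(64))

def cer_to_der(data: bytes) -> bytes:
    """A .cer file may be binary DER or Base64 (PEM) text; return DER bytes."""
    text = data.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def peer_matches_pin(peer_der: bytes, provided_cer: bytes) -> bool:
    """Compare the certificate the server presented with the provided .cer."""
    return hmac.compare_digest(fingerprint(peer_der),
                               fingerprint(cer_to_der(provided_cer)))

def build_context(mode: str) -> ssl.SSLContext:
    """mode names are hypothetical labels for the options listed above."""
    if mode == "known-ca":
        # Chain is validated against the system trust store, hostname checked.
        return ssl.create_default_context()
    if mode in ("no-cert", "pinned"):
        # No chain validation: "no-cert" stops here (encrypted, server not
        # authenticated); "pinned" must call peer_matches_pin after handshake.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown mode: {mode}")

def connect_pinned(host: str, port: int, provided_cer: bytes) -> str:
    """Handshake, then refuse the session unless the peer matches the pin."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with build_context("pinned").wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert(binary_form=True)
            if peer is None or not peer_matches_pin(peer, provided_cer):
                raise ssl.SSLError("PSP certificate does not match provided .cer")
            return tls.version()

if __name__ == "__main__":
    pem = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()
    print(peer_matches_pin(SAMPLE_DER, pem))
```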

TLS Client Certificate Support

Client Certificates can be used in a similar manner as Server Certificates to validate that the client is a trusted client.

Certificates that PSPs handle outside the scope of Client Certificates are known as .pfx files. A .pfx file contains both the private and public keys and requires a password to access it. This file is sensitive and must be handled securely.