QuickStream complies with Payment Cards Industry Data Security Standard (PCI DSS) Level 1. To ensure QuickStream maintains this high level of security there are a number of security requirements that must be adhered to. These are listed below.
See also PCI-DSS compliance in QuickStream.
No client specific dynamic content
QuickStream pages may contain sensitive data such as card details. The restrictions mentioned above help prevent attacks such as Cross Site Scripting (XSS).
No remote assets
QuickStream hosted solution payment pages will not fetch content from any third-party server. All branding resources such as images and stylesheets will be stored on and served from QuickStream servers.
Cookies are required
QuickStream requires session cookies to be enabled in your customer's browser. Session cookies are only used to maintain state while accessing QuickStream. No permanent information is stored on the client's computer once the browser is closed.
Trusting the QuickStream server
When your server exchanges information with QuickStream over
HTTPS it must trust the root-level certificate..
Excessive failures - IP blacklisting
To prevent fraud, QuickStream will monitor IP addresses and transactions. If any suspicious behaviour is detected we will blacklist the IP address to prevent it from accessing QuickStream again.
QuickStream hosted solutions uses CAPTCHA to prevent attackers from using the website to validate stolen card details. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The CAPTCHA program randomly generates a distorted "word" that humans can read but computer programs can't.
QuickStream hosted solutions processes payments using the most up to date security best practices. Analytics sends usage data from hosted payment pages via the web browser to a third-party system which cannot be guaranteed as secure and may comprise the sensitive data of your customers. Due to this, hosted payment page solutions do not support incorporating analytics code or tools where data is gathered in the customer's browser.
Transport layer security (TLS)
QuickStream hosted solutions require Secure token request and web browser access made using the encryption standard known as
TLSv1.2. QuickStream hosted solutions reject requests made using
If you receive an error that resembles the error message below, then the underlying TLS connection was not successful. Your systems need adjustments or upgrades to work properly with this service.
TLSv1 is not strong encryption, please use TLSv1.2 instead
HTTP 429 Too Many Requests
You may receive a
HTTP 429 Too Many Requests response code when you have sent too many requests in a given amount of time.
If you send more than 10 simultaneous requests, you may receive a
HTTP 429 Too Many Requests response code. You should wait for 20 seconds and resend the request.
Standard network ports for HTTP transmissions
QuickStream sends Server-to-server notifications via
HTTPS on standard ports
443. Other network ports are not available.
REST API credentials and security
Refer to Fraud Guard.