
Security

QuickStream complies with Payment Card Industry Data Security Standard (PCI DSS) Level 1. To ensure QuickStream maintains this high level of security, there are a number of security requirements that must be adhered to. These are listed below.

See also PCI-DSS compliance in QuickStream.

No client specific dynamic content

QuickStream hosted solution payment pages will not contain any client specified dynamic content. You cannot provide JavaScript or other dynamic content to be used in these solutions. In particular no site measurement JavaScript or links will be added to any webpage.

QuickStream pages may contain sensitive data such as card details. The restrictions mentioned above help prevent attacks such as Cross Site Scripting (XSS).

No remote assets

QuickStream hosted solution payment pages will not fetch content from any third-party server. All branding resources such as images and stylesheets will be stored on and served from QuickStream servers.

Cookies are required

QuickStream requires session cookies to be enabled in your customer's browser. Session cookies are only used to maintain state while accessing QuickStream. No permanent information is stored on the client's computer once the browser is closed.

Trusting the QuickStream server

When your server exchanges information with QuickStream over HTTPS it must trust the root-level certificate.

Excessive failures - IP blacklisting

To prevent fraud, QuickStream will monitor IP addresses and transactions. If any suspicious behaviour is detected we will blacklist the IP address to prevent it from accessing QuickStream again.

CAPTCHA

QuickStream hosted solutions use CAPTCHA to prevent attackers from using the website to validate stolen card details. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The CAPTCHA program randomly generates a distorted "word" that humans can read but computer programs can't.

Web analytics

QuickStream hosted solutions process payments using the most up to date security best practices. Analytics sends usage data from hosted payment pages via the web browser to a third-party system which cannot be guaranteed as secure and may compromise the sensitive data of your customers. Due to this, hosted payment page solutions do not support incorporating analytics code or tools where data is gathered in the customer's browser.

Transport layer security (TLS)

QuickStream hosted solutions require Secure token requests and web browser access to be made using the encryption standard known as TLSv1.2. QuickStream hosted solutions reject requests made using TLSv1 or TLSv1.1.

If you receive an error that resembles the error message below, then the underlying TLS connection was not successful. Your systems need adjustments or upgrades to work properly with this service.

TLSv1 is not strong encryption, please use TLSv1.2 instead

HTTP 429 Too Many Requests

You may receive an HTTP 429 Too Many Requests response code when you have sent too many requests in a given amount of time.

If you send more than 10 simultaneous requests, you may receive an HTTP 429 Too Many Requests response code. You should wait for 20 seconds and resend the request.
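
The following Python example is added here and is not QuickStream code. It keeps at most 10 requests in flight, waits 20 seconds before resending after a 429, and builds a TLS context that refuses anything older than TLSv1.2, as required in the TLS section above. The `send` callable, the class name and the `max_attempts` limit are assumptions made for illustration.

```python
import ssl
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_SIMULTANEOUS = 10     # page: more than 10 simultaneous requests may get a 429
RETRY_WAIT_SECONDS = 20   # page: wait 20 seconds, then resend


def tls12_context():
    """Client TLS context: system root store, nothing older than TLSv1.2."""
    ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ThrottledSender:
    """Caps in-flight requests and resends after a 429.

    `send` is a caller-supplied (hypothetical) function that performs one
    HTTPS request, e.g. using tls12_context(), and returns the status code.
    """

    def __init__(self, send, max_attempts=3, sleep=time.sleep):
        self._send = send
        self._max_attempts = max_attempts
        self._sleep = sleep
        self._slots = threading.BoundedSemaphore(MAX_SIMULTANEOUS)

    def submit(self, request):
        for attempt in range(1, self._max_attempts + 1):
            with self._slots:             # a slot is held only while in flight
                status = self._send(request)
            if status != 429:
                return status
            if attempt < self._max_attempts:
                self._sleep(RETRY_WAIT_SECONDS)   # slot is free while waiting
        return 429                        # still throttled; caller decides what next

    def submit_all(self, requests, workers=32):
        # More worker threads than slots: the semaphore, not the pool, is the cap.
        with ThreadPoolExecutor(max_workers=workers) as pool:
            return list(pool.map(self.submit, requests))
```

Bounding `max_attempts` keeps a persistently throttled client from resending forever; a final 429 is returned to the caller instead.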

Standard network ports for HTTP transmissions

QuickStream sends Server-to-server notifications via HTTPS on standard ports 80 and 443. Other network ports are not available.

REST API credentials and security

Refer to QuickStream REST API credentials and security.

Fraud Guard

Refer to Fraud Guard.

Disclaimer

The information contained in this publication is provided for learning purposes only and is subject to change. Revisions may be issued from time to time that encompass changes or additions to this module.

This is a guide only and it is not comprehensive. It does not impinge on or overrule any formal arrangement you may enter into with the Bank. The Bank and its officers shall not have any liability for any losses of any kind incurred in connection with any action, inaction or decision taken in reliance on the information herein or for any inaccuracies, errors or omissions. In this publication references to the "Bank" are to Westpac Banking Corporation ABN 33 007 457 141 and to any of its operating Divisions, including BankSA and St.George.