Skip to main content


QuickStream complies with Payment Cards Industry Data Security Standard (PCI DSS) Level 1. To ensure QuickStream maintains this high level of security there are a number of security requirements that must be adhered to. These are listed below.

See also PCI-DSS compliance in QuickStream.

No client specific dynamic content

QuickStream hosted solution payment pages will not contain any client specified dynamic content. You cannot provide JavaScript or other dynamic content to be used in these solutions. In particular no site measurement JavaScript or links will be added to any webpage.

QuickStream pages may contain sensitive data such as card details. The restrictions mentioned above help prevent attacks such as Cross Site Scripting (XSS).

No remote assets

QuickStream hosted solution payment pages will not fetch content from any third-party server. All branding resources such as images and stylesheets will be stored on and served from QuickStream servers.

Cookies are required

QuickStream requires session cookies to be enabled in your customer's browser. Session cookies are only used to maintain state while accessing QuickStream. No permanent information is stored on the client's computer once the browser is closed.

Trusting the QuickStream server

When your server exchanges information with QuickStream over HTTPS it must trust the root-level certificate..

Excessive failures - IP blacklisting

To prevent fraud, QuickStream will monitor IP addresses and transactions. If any suspicious behaviour is detected we will blacklist the IP address to prevent it from accessing QuickStream again.


QuickStream hosted solutions uses CAPTCHA to prevent attackers from using the website to validate stolen card details. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The CAPTCHA program randomly generates a distorted "word" that humans can read but computer programs can't.

Web analytics

QuickStream hosted solutions processes payments using the most up to date security best practices. Analytics sends usage data from hosted payment pages via the web browser to a third-party system which cannot be guaranteed as secure and may comprise the sensitive data of your customers. Due to this, hosted payment page solutions do not support incorporating analytics code or tools where data is gathered in the customer's browser.

Transport layer security (TLS)

QuickStream hosted solutions require Secure token request and web browser access made using the encryption standard known as TLSv1.2. QuickStream hosted solutions reject requests made using TLSv1, or TLSv1.1.

If you receive an error that resembles the error message below, then the underlying TLS connection was not successful. Your systems need adjustments or upgrades to work properly with this service.

TLSv1 is not strong encryption, please use TLSv1.2 instead

HTTP 429 Too Many Requests

You may receive a HTTP 429 Too Many Requests response code when you have sent too many requests in a given amount of time.

If you send more than 10 simultaneous requests, you may receive a HTTP 429 Too Many Requests response code. You should wait for 20 seconds and resend the request.

Standard network ports for HTTP transmissions

QuickStream sends Server-to-server notifications via HTTPS on standard ports 80 and 443. Other network ports are not available.

REST API credentials and security

Refer to QuickStream REST API credentials and security.

Fraud Guard

Refer to Fraud Guard.

Westpac Privacy Statement

Privacy Statement (for individuals whose personal information may be collected - in this clause referred to as "you"). All personal information we collect about you is collected, used and disclosed by us in accordance with our Privacy Statement which is available at Privacy Statement or by calling us through your relationship manager or Westpac representative. Our Privacy Statement also provides information about how you can access and correct your personal information and make a complaint. You do not have to provide us with any personal information but, if you don't, we may not be able to process an application or a request for a product or service.