WPG best practice

Worldpay's payment gateway (WPG) is designed to be simple to integrate with and flexible enough to meet your needs. To make the most of your integration with WPG, and to ensure you're always up to date, follow our best practice.

Trust certificates and the CA root

You must ensure that any systems that contact Worldpay (either server software or browsers) trust certificates signed by the following CA root:

DigiCert Global Root G2

Serial: 03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5

For a limited time, trusting the following legacy root will still allow you to validate Worldpay services, but you must ensure that you add the above root certificate as soon as possible:

VeriSign Class 3 Public Primary Certification Authority - G5

Serial: 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a

In all cases, you must ensure that you perform validation based on root certificates alone. Intermediate certificates should never be trusted directly as they may change at any time.

WPG end points and domains

Ensure that you:

  • Send messages to fully qualified domains. IP address-based messaging may lead to a break in communications – sometimes we need to move to different IP addresses in our range to communicate with you. For a full list of WPG URLs, see our Developer Guide
  • Use only the hostnames listed below when sending information to Worldpay
  • Only cache domains within the published Time To Live, in order to ensure that you respond to DNS changes in a timely manner
  • Do not use IP address-based firewall restrictions to restrict traffic from Worldpay to you
  • Do not make any assumptions about "redirect" URLs presented by us, or the naming of cookies
  • Do not ‘pin’ SSL certificates

We will always announce a change of CA root or signing algorithm, but we cannot commit to announcing other changes in advance.

A full list of WPG end points and domains

  • secure-test.worldpay.com
  • secure.worldpay.com
  • futurepay-test.worldpay.com
  • futurepay.worldpay.com
  • dtd.worldpay.com

Additional hostnames may be communicated to you for specific purposes. These hostnames should only be used for the purposes and for the period of time specified by us.

Your Firewall and IP addresses

To ensure stable and consistent communication with WPG you must not lock down your firewalls to a set number of individual IP addresses.

  • Do not use IP address-based firewall restrictions, or any other restriction, that will restrict traffic from Worldpay to you
  • Do not impose IP address-based firewall or proxy restrictions from you to Worldpay
  • We do not support raw access by IP address to our endpoints, for example where the host name is not part of the request
  • Do not use a non-standard hostname, for example a CNAME from your domain to secure.worldpay.com
  • We do not support static DNS or "hosts" files within the customer's environment
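
The following self-check covers three of the rules above: endpoints must be published hostnames rather than IP addresses, no static "hosts" entries for WPG hostnames, and the DigiCert Global Root G2 root must be in the trust store. It is an added example, not Worldpay code; the function names are illustrative, and the hostnames and serial are the ones listed on this page.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit

# Hostnames and root serial copied from this page.
WPG_HOSTS = {"secure-test.worldpay.com", "secure.worldpay.com",
             "futurepay-test.worldpay.com", "futurepay.worldpay.com",
             "dtd.worldpay.com"}
ROOT_G2_SERIAL = "03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5"

def _norm(serial):
    """Normalise a serial to lowercase hex without separators or leading zeros."""
    return serial.replace(":", "").lower().lstrip("0")

def check_endpoint(url):
    """Return a list of findings for a configured WPG endpoint URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("endpoint is not https")
    try:
        ipaddress.ip_address(host)
        findings.append("endpoint is an IP address, not a fully qualified domain")
    except ValueError:
        if host not in WPG_HOSTS:
            findings.append(f"{host!r} is not a published WPG hostname")
    return findings

def check_hosts_file(text):
    """Flag static 'hosts' entries that override DNS for WPG hostnames."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:                 # fields[0] is the IP address
            if name.lower().rstrip(".") in WPG_HOSTS:
                findings.append(f"static hosts entry for {name}")
    return findings

def trusts_root_g2(ca_certs):
    """ca_certs: list of dicts as returned by ssl.SSLContext.get_ca_certs()."""
    # Note: get_ca_certs() omits capath-directory certs that have not been used yet.
    want = _norm(ROOT_G2_SERIAL)
    return any(_norm(c.get("serialNumber", "")) == want for c in ca_certs)

if __name__ == "__main__":
    ctx = ssl.create_default_context()
    print("DigiCert Global Root G2 trusted:", trusts_root_g2(ctx.get_ca_certs()))
```

The trust check matches on the root certificate only, in line with the rule that intermediates are never trusted directly.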