Security best practices
This document describes our secure ciphers, qualified domain names and appropriate certificate checks you should complete to ensure the services are authentic.
Domain Names
See below our Access Worldpay endpoints/Fully Qualified Domain Names (FQDN):
Test domain
try.access.worldpay.com
Production domain
access.worldpay.com
Considerations:
Ensure you only use the FQDN listed above when sending information to Access Worldpay
IP address-based messaging is not supported. Worldpay firewalls reject any direct IP communication that has not routed via a FQDN
Do not make any assumptions about 'redirect' URLs presented by us
We provide all cookies in full and they must be stored in full
DNS and time to live
The Edgekey network we utilize for DNS is made up of thousands of dynamically changing IP addresses. Our DNS entries have a 20-second Time-To-Live (TTL), and you should ensure your TTL is as closely aligned to this as possible. This ensures you can respond to any DNS changes in a timely manner.
Do not hold onto the IP resolved by your DNS lookup for a prolonged period and do not configure a static set of EdgeKey IP addresses. You could experience connection failures when the IP address is taken offline for maintenance.
Server Name Indication
Server Name Indication (SNI) is required on all requests for Access Worldpay. You must ensure your HTTP client library fully supports TLS SNI.
Firewall and IP addresses
Do not whitelist or implement firewall restrictions to any ingress IPs - the ingress IP addresses for the FQDNs are part of a global network. These IPs are subject to change at any time and are routinely taken offline for maintenance.
All traffic must route via an FQDN - we do not support raw access to our services by IP address. Worldpay firewalls block any requests it receives of this type.
Use DNS to obtain an active and available IP address. Do not create static DNS or 'hosts' files within your environment.
Do not whitelist the Access Worldpay outbound IP addresses - The outbound IP addresses, Access Worldpay pushes content from, are currently limited to a range of IPs. The IPs are subject to future change.
Web Application Firewall
Access Worldpay is protected by a Web Application Firewall (WAF). Our WAF inspects the HTTP payload and detects potentially malicious activity.
We recommend only sending API data relevant to the payment message.
Ciphers
Ensure your platform is configured with a set of current and secure ciphers. You must update them regularly to ensure you communicate securely with our Access APIs.
We accept and support:
| TLS version | OpenSSL Cipher Name | IANA Cipher Name | IANA Cipher Suite ID |
|---|---|---|---|
| 1.3 | TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | 0x13,0x02 |
| 1.3 | TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | 0x13,0x03 |
| 1.3 | TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | 0x13,0x01 |
| 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC0,0x30 |
| 1.2 | ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC0,0x2F |
| 1.2 | ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCC,0xA8 |
We regularly remove support for older weaker cipher sets. Using ciphers not in our supported list, might mean you can't connect when we remove older cipher sets.
Certificate handling
All Access Worldpay services use HTTPS and provide an Certificate issued by Sectigo when you connect. This certificate allows the connecting client (typically yours) to authenticate that the service you are talking to is owned by us.
You must have the following Sectigo root certificate in your environment (commonly included by default).
Ensure that you perform validation based on root certificates alone.
You should not trust intermediate certificates directly because they can change at any time. Trusting the root alone is sufficient.
Do NOT 'pin' SSL certificates. We regularly renew and update certificates during standard maintenance practices. If you 'pin' Worldpay SSL certificates your integration will break every time we update our certificates.
Appropriate checks
The following lists the appropriate checks you MUST make on the certificate provided by the service.
Most TLS libraries in modern languages complete these checks automatically, unless configured not to. Sometimes these checks are disabled for development and testing purposes, however they should never be disabled on your production system.
Certificate subject matches hostname
The service must return a certificate with the domain name, the client is trying to connect to, in the subject alternative name (subjectAltName) field. The value type for this field must be DNS as this indicates a fully-qualified domain.
For example:
To connect to Access Worldpay: The field subject alternative name or subjectAltName with value type DNS, must be https://access.worldpay.com
Certificates may have multiple subject alternative names. Only one of them must match the domain name the client is trying to connect to.
Certificate expiry dates
A certificate contains a notBefore and notAfter field that defines the dates outside of which the certificate is invalid. Therefore, only dates inside this window are valid.
The time of your systems must be synchronized with Internet time servers. This ensures the valid time window of the certificate is matching your expectation of certificate expiry.
Certificate chain validity
The client should verify each signature on the certificate chain and ensure that the certificate adheres to the policies defined by the certificate authority. All good implementations of TLS are doing this automatically. Please refer to the documentation of your library/framework for more information.
Every client has a list of trusted roots/trust anchors that are usually built into the operating system, browser or application framework. These are certificates from well-known companies such as DigiCert, Comodo, Microsoft, etc.
Access Worldpay certificates are currently signed by Sectigo. The root certificate is therefore most likely already in the client software's runtime.
Inappropriate checks
The following are checks that the client should NOT complete because the below values are NOT constant.
The following list is not exhaustive.
Certificate DN
You must not cache or store the certificate's "Distinguished Name (DN)" and check this against a provided certificate.
The DN for our certificate currently looks like this: C=GB, L=London, O=WorldPay (UK) Ltd, OU=GW2.0, CN=access.worldpay.com
We MAY change this DN, when we refresh our certificates.
Certificate fingerprint/thumbprint
You must not cache or store the certificate's fingerprint and check this against a provided certificate.
The fingerprint is unique to a certificate because it's calculated by taking all properties of the certificate and generating a single number based on those values.
The certificate fingerprint WILL change, when we renew our certificate annually.
Public key
You must not cache or store the public key and check this against a provided certificate.
While not mandatory, we change our public key as part of the renewal as it's a security best practice.
We WILL change the public key, when we renew our certificates. Renewals happen at least 7 days before expiry.