Security best practices

This document describes our secure ciphers, qualified domain names and appropriate certificate checks you should complete to ensure the services are authentic.

Domain Names

See below our Access Worldpay endpoints/Fully Qualified Domain Names (FQDN):

Test domain

Production domain


  • Ensure you only use the FQDN listed above when sending information to Access Worldpay

  • IP address-based messaging is not supported. Worldpay firewalls reject any direct IP communication that has not routed via a FQDN

  • Do not make any assumptions about 'redirect' URLs presented by us

  • We provide all cookies in full and they must be stored in full

DNS and time to live

The Edgekey network we utilize for DNS is made up of thousands of dynamically changing IP addresses. Our DNS entries have a 20-second Time-To-Live (TTL), and you should ensure your TTL is as closely aligned to this as possible. This ensures you can respond to any DNS changes in a timely manner.


Do not hold onto the IP resolved by your DNS lookup for a prolonged period and do not configure a static set of EdgeKey IP addresses. You could experience connection failures when the IP address is taken offline for maintenance.

Server Name Indication

Server Name Indication (SNI) is required on all requests for Access Worldpay. You must ensure your HTTP client library fully supports TLS SNI.

Firewall and IP addresses

  • Do not whitelist or implement firewall restrictions to any ingress IPs - the ingress IP addresses for the FQDNs are part of a global network. These IPs are subject to change at any time and are routinely taken offline for maintenance.

  • All traffic must route via an FQDN - we do not support raw access to our services by IP address. Worldpay firewalls block any requests it receives of this type.

  • Use DNS to obtain an active and available IP address. Do not create static DNS or 'hosts' files within your environment.

  • Do not whitelist the Access Worldpay outbound IP addresses - The outbound IP addresses, Access Worldpay pushes content from, are currently limited to a range of IPs. The IPs are subject to future change.

Web Application Firewall

Access Worldpay is protected by a Web Application Firewall (WAF). Our WAF inspects the HTTP payload and detects potentially malicious activity.

Best Practice

We recommend only sending API data relevant to the payment message.


Ensure your platform is configured with a set of current and secure ciphers. You must update them regularly to ensure you communicate securely with our Access APIs.

We accept and support:

TLS versionOpenSSL Cipher NameIANA Cipher NameIANA Cipher Suite ID

We regularly remove support for older weaker cipher sets. Using ciphers not in our supported list, might mean you can't connect when we remove older cipher sets.

Certificate handling

All Access Worldpay services use HTTPS and provide an Certificate issued by Sectigo when you connect. This certificate allows the connecting client (typically yours) to authenticate that the service you are talking to is owned by us.

You must have the following Sectigo root certificate in your environment (commonly included by default).

Ensure that you perform validation based on root certificates alone.

You should not trust intermediate certificates directly because they can change at any time. Trusting the root alone is sufficient.


Do NOT 'pin' SSL certificates. We regularly renew and update certificates during standard maintenance practices. If you 'pin' Worldpay SSL certificates your integration will break every time we update our certificates.

Appropriate checks

The following lists the appropriate checks you MUST make on the certificate provided by the service.


Most TLS libraries in modern languages complete these checks automatically, unless configured not to. Sometimes these checks are disabled for development and testing purposes, however they should never be disabled on your production system.

Certificate subject matches hostname

The service must return a certificate with the domain name, the client is trying to connect to, in the subject alternative name (subjectAltName) field. The value type for this field must be DNS as this indicates a fully-qualified domain.

For example:

To connect to Access Worldpay: The field subject alternative name or subjectAltName with value type DNS, must be


Certificates may have multiple subject alternative names. Only one of them must match the domain name the client is trying to connect to.

Certificate expiry dates

A certificate contains a notBefore and notAfter field that defines the dates outside of which the certificate is invalid. Therefore, only dates inside this window are valid.


The time of your systems must be synchronized with Internet time servers. This ensures the valid time window of the certificate is matching your expectation of certificate expiry.

Certificate chain validity

The client should verify each signature on the certificate chain and ensure that the certificate adheres to the policies defined by the certificate authority. All good implementations of TLS are doing this automatically. Please refer to the documentation of your library/framework for more information.

Every client has a list of trusted roots/trust anchors that are usually built into the operating system, browser or application framework. These are certificates from well-known companies such as DigiCert, Comodo, Microsoft, etc.

Access Worldpay certificates are currently signed by Sectigo. The root certificate is therefore most likely already in the client software's runtime.

Inappropriate checks

The following are checks that the client should NOT complete because the below values are NOT constant.


The following list is not exhaustive.

Certificate DN

You must not cache or store the certificate's "Distinguished Name (DN)" and check this against a provided certificate.

The DN for our certificate currently looks like this: C=GB, L=London, O=WorldPay (UK) Ltd, OU=GW2.0,


We MAY change this DN, when we refresh our certificates.

Certificate fingerprint/thumbprint

You must not cache or store the certificate's fingerprint and check this against a provided certificate.

The fingerprint is unique to a certificate because it's calculated by taking all properties of the certificate and generating a single number based on those values.


The certificate fingerprint WILL change, when we renew our certificate annually.

Public key

You must not cache or store the public key and check this against a provided certificate.

While not mandatory, we change our public key as part of the renewal as it's a security best practice.


We WILL change the public key, when we renew our certificates. Renewals happen at least 7 days before expiry.