In addition to the security measures already put in place to ensure the reliability of the system by the FedaPay team, here are some recommendations for you. It is important that you secure your application, platform or system in which you decide to integrate FedaPay.
Transport Layer Security (TLS) refers to the process of secure data transmission between the client (the application or browser that your customer uses) and your server. This was originally done using the Secure Sockets Layer (SSL) protocol. However, SSL is outdated, no longer secure and has been replaced by TLS. The term "SSL" continues to be used colloquially when referring to the TLS protocol and its protection of transmitted data.
Payment pages must use a modern version of TLS (for example, TLS 1.2), because it significantly reduces the risk that you or your customers are exposed to a cyber attack. TLS aims to accomplish the following:
- Encrypt and verify the integrity of the traffic between the customer and your server;
- Check that the customer is communicating with the right server.
In practice, this usually means that the domain owner and the server owner are the same entity. This is what prevents an attacker from placing themselves between the customer and your server. Without this check, there is no guarantee that you are encrypting the traffic to the right recipient.
In addition, your customers are more comfortable sharing sensitive information on pages that are visibly served over HTTPS. This can help to increase your conversion rate. If needed, you can test your integration without using HTTPS, and activate it once you are ready to go into production. However, all interactions between your server and FedaPay must use TLS 1.2 (when using our libraries).
Implementation of TLS / HTTPS
A digital certificate, a file issued by a Certificate Authority (CA), is required to use TLS. Once installed, this certificate ensures that the customer is really communicating with the server they intended to reach and not with an impostor. You should opt for a digital certificate from a reputable certificate provider, such as:
Certificates vary in cost, depending on the type of certificate and the seller. Let's Encrypt is a certificate authority that provides certificates for free.
Conceptually, the configuration of TLS is very simple: a certificate is obtained from an appropriate provider, and your server is configured to use it. The actual process tends to be somewhat more involved, and we recommend that you follow the installation guide of the provider you are using.
As TLS is a complex suite of cryptographic tools, it is easy to miss a detail. We recommend using the SSL Server Test from Qualys SSL Labs to make sure that everything is securely configured.