Secure endpoint integration

Using TLS and HTTPS

TLS refers to the process of securely transmitting data between the client—the app or browser that their customer is using—and their server. This was originally performed using the SSL (Secure Sockets Layer) protocol. However, this is outdated and no longer secure and has been replaced by TLS. The term “SSL” continues to be used colloquially when referring to TLS and its function to protect transmitted data.

Payment pages must make use of a modern version of TLS (e.g., TLS 1.2) as it significantly reduces the risk of consumers or their customers being exposed to a man-in-the-middle attack. TLS attempts to accomplish the following:

Use the default TLS port 443 for your web applications. MatchMove only allows server-side communications through port 443. Encrypt and verify the integrity of traffic between the client and servers Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that they are encrypting traffic to the right recipient. Additionally, customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase their customer conversion rate.

If need be, consumers can test their integration without using HTTPS and enable it once they are ready to accept live charges. However, all interactions between their server and MatchMove must use TLS 1.2 (i.e., when using our libraries).

Setting up TLS

Serving resources securely, MatchMove consumers should make sure that any resources (JavaScript, CSS, images, etc.) are also served over TLS to avoid a mixed content warning being shown to their customers in their browser.

A digital certificate—a file issued by a certification authority (CA)—is needed to use TLS. When installed, this certificate assures the client that it’s communicating with the server it expects to be talking to, not an impostor. They should get a digital certificate from a reputable certificate provider, such as:

• Let’s Encrypt
• DigiCert
• NameCheap

Certificates can vary in cost, depending on the type of certificate and provider. Let’s Encrypt is a certificate authority that provides certificates for free.

Conceptually, setting up TLS is very straightforward: a certificate is purchased from a suitable provider, and then their server is configured to use it. The actual process does tend to be somewhat complex, and we recommend they follow the installation guide of the provider they use.

As TLS is a complex suite of cryptographic tools, it’s easy to miss a few details. We recommend using the SSL Server Test by Qualys SSL Labs to make sure they have everything set up securely.

Additional security considerations

Including JavaScript from other websites can pose a security risk because consumers' security becomes dependent on it. If they are ever compromised, an attacker may be able to run arbitrary code on their website. In practice, many websites use JavaScript for services such as Google Analytics, even on secure pages. Nonetheless, it is something consumers should be aware of and, ideally, minimize.

If consumers use webhooks, we recommend using TLS for the endpoint to avoid traffic interception and notification changes.

Compliance with the Data Security Standards is important, but it should not be the end of their security considerations. Here are some good resources for learning about web security:

• OWASP
• SANS
• NIST

Storage of non-sensitive card data

MatchMove returns non-sensitive card information in response to various API calls. This includes the card type, the card's last four digits, and its expiration date. This information is not subject to PCI compliance, so customers can store any of these properties in their database. They can also store anything returned by our API that is not related to the card objects.