All merchants processing cards in an online environment must meet the minimum standards set by the card issuing companies.
Payment Card Industry (PCI) compliance is built around a set of 12 basic requirements that are designed to make sure merchants keep online processing risks to a minimum. PCI focuses on verifying that merchants securely transmit payment information, restrict access to confidential cardholder data, and establish sound business practices for managing customer orders.
As a PCI Level 1 processor, Bambora completes quarterly network scans and is subject to annual on-site security assessments.
Bambora offers a number of solutions to help simplify PCI compliance and reduce the costs associated with certification:
- Tokenization (Secure Payment Profiles) – This PCI compliant solution uses a process called Tokenization, the latest ecommerce security innovation. Cardholder data is collected and stored in a customer profile in Bambora's secure database. Customer orders are processed by submitting secure tokens rather than requiring purchasers to re-enter card information. Merchants avoid transmitting confidential information and don’t have to retain high-risk data on their own network.
- Hosted Solutions – Bambora's hosted payment page and Simple Cart options ensure that all customer data is collected on Bambora's secure web server and transmitted to the card network directly from PCI certified solutions. Merchants don’t have to worry about making their own network configuration meet PCI standards—Bambora covers these requirements for you.
Best practices for security start with your integration. If you implement a custom system instead of one of our hosted solutions, it is strongly recommended that your developer connect to our API using a server-to-server method.
Server-to-server communication opens a separate secure session during the transaction process. As a result, the customer’s browser is not redirected during payment, so card data is never exposed to interception during a hand-off from one site to another.
Developers can also use other advanced integration tools to secure the transaction process:
- Authentication – To secure your requests, you can send all transactions with an encryption key or pass code. Bambora supports both MD5 and SHA-1 hash validation.
- Price Validation – Ensure purchase totals add up against data stored in Bambora's inventory module.
- Validate Referring Hosts – Prevent transactions from being submitted from unauthorized domains. Store a valid referring URL in our member area and accept transactions from this location only.
- Card Number and IP Address Filters – Block orders from unwanted transaction sources and prevent repeat purchases from problem customers.
- Mandatory CVD/CVV2 Validation – Merchants can make the 3-digit CVD or CVV2 validation code from the back of a customer’s credit card mandatory. Requiring CVD ensures that all customers have the number from the back of their card at the time of purchase—making it harder to fraudulently run skimmed or stolen card numbers.
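Added example, not Bambora's own code: a minimal implementation of the hash-based request authentication described under Authentication above. The field names (merchant_id, trnOrderNumber, trnAmount, hashValue), the layout of the hash over the query string plus the shared key, and the key value are assumptions for illustration; the point is that a request whose amount is altered in transit no longer verifies.

```python
import hashlib
import hmac
from typing import List, Tuple

# Shared secret from the merchant's account settings; constructed value for this example.
HASH_KEY = "example-hash-key-not-real"


def sign_request(fields: List[Tuple[str, str]], hash_key: str, algorithm: str = "sha1") -> str:
    """Build the query string and append hashValue = hash(query + key).

    `fields` is an ordered list of (name, value) pairs, already URL-safe.
    Appending the key to the query and hashing is the scheme this example
    assumes; an HMAC over the query would be the stronger construction.
    """
    if algorithm not in ("md5", "sha1"):
        raise ValueError("expected md5 or sha1")
    query = "&".join(f"{name}={value}" for name, value in fields)
    digest = hashlib.new(algorithm, (query + hash_key).encode("utf-8")).hexdigest()
    return f"{query}&hashValue={digest}"


def verify_request(query_string: str, hash_key: str, algorithm: str = "sha1") -> bool:
    """Recompute the hash over everything before hashValue; reject any mismatch."""
    marker = "&hashValue="
    idx = query_string.rfind(marker)
    if idx == -1:
        return False  # unsigned request: reject rather than fall back to trusting it
    signed_portion = query_string[:idx]
    received = query_string[idx + len(marker):]
    expected = hashlib.new(algorithm, (signed_portion + hash_key).encode("utf-8")).hexdigest()
    # constant-time comparison so the check does not leak how much of the digest matched
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed order fields; merchant_id is a placeholder, not a real account.
    order = [("merchant_id", "000000000"), ("trnOrderNumber", "A-1001"), ("trnAmount", "10.00")]
    signed = sign_request(order, HASH_KEY)
    print("valid as sent:", verify_request(signed, HASH_KEY))
    # An amount changed after signing no longer matches the hash the merchant computed.
    tampered = signed.replace("trnAmount=10.00", "trnAmount=1.00")
    print("tampered accepted:", verify_request(tampered, HASH_KEY))
```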
To learn more about secure connection options, see Process Transaction API.