Note: This FAQ is aimed toward developers and server directors. For a service provider focused FAQ, please visit 1 Will Authorize. Net switch all API endpoints to Akamai SureRoute?We are no longer making plans on switching all API endpoints to Akamai SureRoute. We won’t require merchants to switch to Akamai as previously announced.
We still recommend that merchants use the Akamai SureRoute endpoints, listed below, to reduce network disruptions external of Authorize. Net’s handle. 2 Which API endpoints use Akamai SureRoute?Currently, these API endpoints use Akamai SureRoute: Production:ervice. asmxSandbox: ervice. asmxAll other API endpoints, do not use Akamai SureRoute.
3 Are there firewall considerations to remember?Akamai SureRoute depends on an ever changing and ever growing to be list of IP addresses, to such a level that ordinary, IP address based firewall rules aren’t feasible. According to PCI DSS 3. 1, Requirement 1. 2. 1 states: “Restrict inbound and outbound site visitors to that which is essential for the cardholder data atmosphere, and specifically deny all other site visitors. ” While some interpret this to intend vacation spot IP addresses must be whitelisted, most Qualified Security Assessors QSAs put forward quite a few controls that don’t require express vacation spot IP addresses.
Sufficient controls under Requirement 1. 2. 1 come with: Whitelisting Authorize. Net domains in the internet server tier;Proxies behind the firewall which whitelist Authorize. Net domain names;Third generation firewalls, combined with the above, atmosphere outbound traffic to “ANY”;Fourth technology firewalls which whitelist Authorize. Net domain names.
These can be utilized together with a community Demilitarized Zone DMZ to insulate your infrastructure from the better Internet. As a reminder, a DMZ is required by PCI DSS if you handle fee data for your construction atmosphere, and is a security best practice if you handle sensitive data of any sort. For more details please read the document, “PCI Card Production – Logical Security Requirements. ” Please also contact your answer carrier or developer to verify even if the DMZ requirement applies to your situation. 4 Are Authorize. Net domain certificates different on Akamai SureRoute?All of our API endpoints use EnTrust SHA 256, 2048 bit certificate, and will likely proceed to do so for the near future.
5 When I try one of the most API endpoints on Akamai SureRoute, I get an HTTP 403 Forbidden error. Akamai SureRoute actively filters their network for possible threats. While nearly all of site visitors shouldn’t be impacted by these filters, there are possible cases where an API call may bring about a 403 Forbidden error. You can determine that these errors are attributable to Akamai if it includes the header, “Server: Akamai GHost,” in the HTTP reaction. Should this happen, please capture the HTTP headers and body you sent and received.
In particular, there can be a Reference listed in the response body, but full HTTP headers are useful for making a choice on the time and prerequisites of the connection. Once you have captured the HTTP data, mask any delicate particulars such as Transaction Keys, card numbers, check routing/account numbers, and CVV2. Then deliver the HTTP data to the Authorize. Net branch as follows for extra troubleshooting: Sandbox Support – Please use the Developer Community Contact Us page to report the issue and share the HTTP data you obtained, Production Support – Please log into the Merchant Interface and click “Contact Us” to create an eTicket, and share the HTTP data you received. We recommend inserting the HTTP data in a doc and attaching it to the eTicket.
To ensure your data is dealt with sensitively, we can only accept the HTTP data via eTicket at this time.
