Driven by convenience, software growth, and merchant demand for streamlined and contactless payment processes, we are seeing an unprecedented increase in the use of digital payments. To facilitate the transaction process, digital payments require some form of payment integration that allows merchants to accept payments directly within the platform or software application they are using. Integrating digital payments is done through an API (Application Programming Interface) that communicates with a payment terminal and/or payment gateway and the payment processor.
As consumers we take advantage of how simple it is to submit a payment, and as merchants of how easily payments flow. Consider an online transaction: the customer initiates a payment, their payment information is transmitted to a payment gateway and instantaneously authenticated, and the payment gateway provides a response which is returned to the website or application, letting the customer know whether their transaction was approved or declined. On the surface, it would seem a digital transaction has only two sides, the payer (cardholder) and the payee (merchant), making it easy to overlook the software provider who integrated the bridge between the two.
Software plays an essential role in online payments, and in the collection and transmission of sensitive payment data for secure payment processing. Behind the scenes of an online transaction are HTTP payment request API calls, which are how the point-of-sale software communicates with the payment gateway server and how transactional data is transmitted between the client side (i.e., the website) and the server.
POST Method Vs GET Method: Security Vulnerability in Your Payment Gateway Integration
Software developers are always looking for ways to improve software design and usability. Developments in payment innovation have changed how we make and accept payments, but with all their advantages comes a growing concern for security, data breaches, and how sensitive data is handled and transmitted. Efforts to improve payment security, card industry compliance, and cardholder data protection can in turn affect existing payment integrations and transaction processing.
POST and GET are two HTTP request methods involved in payment gateway integrations and used to transmit payment card transaction data. Many software applications used the GET method in their payment integrations to communicate with the payment gateway API and submit payment requests. Developers opted for GET because it was simpler, faster and improved their application's performance, only to find that they could no longer remain PCI compliant using the GET method, because it does not meet data security standards.
Why is the HTTP GET method not PCI compliant? The GET method requests data from the server, and the query's data is carried in plain text in the URL, which is recorded in browser history and in server, proxy and application logs, exposing sensitive cardholder information. TLS encrypts the URL in transit, but it does not stop the URL from being written to those logs. The GET method therefore leaves transaction data susceptible to interception by hackers and open to fraud.
In contrast, the HTTP POST method submits the data from the client to the server within the message body. While it requires additional development work, the data in a POST request is never visible within the URL, is not cached and does not remain in browser history, keeping sensitive payment information out of those locations; the request must still be sent over TLS to protect it in transit.
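The following is an added example, not code from the original article or from Cartis Payments or Converge. It stands up a hypothetical local gateway endpoint, sends the same constructed test card data once with GET and once with POST, and captures what a typical access log records for each request. It also includes a small Luhn-based scanner of the kind a defender can run over log files to detect card numbers that have leaked into them. The endpoint path /charge, the field names, and the test card number 4111111111111111 are all constructed for the example.

```python
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Constructed sample data: 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "1229", "cvv": "123", "amount": "10.00"}

# Stand-in for a web server / proxy access log. Real servers write the same
# "METHOD PATH" record, query string included, for every request they see.
ACCESS_LOG = []


class GatewayHandler(BaseHTTPRequestHandler):
    """Hypothetical gateway endpoint accepting a charge request via GET or POST."""

    def log_message(self, fmt, *args):
        # Mimic an access log line: request method and full request target.
        ACCESS_LOG.append(f"{self.command} {self.path}")

    def do_GET(self):
        # Card data arrives in the query string, i.e. as part of self.path.
        query = urlparse(self.path).query
        self._respond({k: v[0] for k, v in parse_qs(query).items()})

    def do_POST(self):
        # Card data arrives in the message body; self.path is just "/charge".
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        self._respond({k: v[0] for k, v in parse_qs(body).items()})

    def _respond(self, params):
        payload = json.dumps({"approved": "pan" in params}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def start_gateway():
    """Start the hypothetical gateway on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), GatewayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_get(base_url, card):
    """The integration pattern the article warns against: card data in the URL."""
    with urlopen(f"{base_url}/charge?{urlencode(card)}") as resp:
        return json.load(resp)


def send_post(base_url, card):
    """The corrected pattern: card data in the request body."""
    req = Request(f"{base_url}/charge", data=urlencode(card).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req) as resp:
        return json.load(resp)


def compare_log_exposure(card=SAMPLE_CARD):
    """Send the same card via GET and POST; return the two access-log lines produced."""
    server = start_gateway()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        ACCESS_LOG.clear()
        send_get(base_url, card)
        send_post(base_url, card)
    finally:
        server.shutdown()
        server.server_close()
    get_line, post_line = ACCESS_LOG
    return get_line, post_line


def luhn_ok(digits):
    """Luhn check, used to tell card numbers apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(log_line):
    """Detection helper: return Luhn-valid 13-19 digit runs found in a log line."""
    return [m for m in re.findall(r"\b\d{13,19}\b", log_line) if luhn_ok(m)]


if __name__ == "__main__":
    get_line, post_line = compare_log_exposure()
    print("GET  logged as:", get_line, "-> PANs found:", find_pans(get_line))
    print("POST logged as:", post_line, "-> PANs found:", find_pans(post_line))
```

Running the block shows the GET request logged as the full path with the card number, expiry and CVV in it, while the POST request is logged as just `POST /charge`. Pointing find_pans at real access, proxy or application logs is a cheap way to confirm, after migrating an integration from GET to POST, that no code path still places card data in a URL.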
Support for Developers in Securing Payment Processing
All players within the payment ecosystem have a role to play in securing payment processing. What was once a best-practice recommendation is now a requirement for eCommerce transactions because of the inherent security risks. In 2022, the Converge payment gateway stopped supporting the GET method, which affected some point-of-sale applications and required their software to be updated to use the POST method to communicate with the Converge API. By partnering with Cartis Payments, software vendors can stay ahead of payment security threats and requirements. We offer the right tools, secure payment gateways, fraud detection and prevention, and developer resources to address your questions and secure your application to reduce the risk of fraud, protecting the payer and the payee.