Merge pull request #949 from alphagov/Jonathan-Scott14-patch-1
Update index.html.md.erb
Showing 1 changed file with 13 additions and 5 deletions.
@@ -1,6 +1,6 @@ | ||
--- | ||
title: Security | ||
last_reviewed_on: 2023-06-22 | ||
last_reviewed_on: 2024-01-31 | ||
review_in: 6 months | ||
weight: 9200 | ||
--- | ||
|
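Review bot: with `review_in: 6 months` left unchanged, bumping `last_reviewed_on` to 2024-01-31 schedules the next review for around the end of July 2024, which is the same window as the "summer 2024" PCI DSS v4.0 audit this commit announces further down; make sure that review is the point where the v3.2.1 certification statement and the SAQ guidance are reconciled, or shorten the interval so the page is not stale for half a year after the audit.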
@@ -11,7 +11,7 @@ weight: 9200 | |
|
||
If you believe GOV.UK Pay security has been breached, contact us immediately at [[email protected]](mailto:[email protected]). If you are a live user and the suspected breach is severe, consider using the urgent contact details provided to your service manager. | ||
|
||
Please do not disclose the suspected breach publicly until it has been fixed. | ||
Do not disclose the details of a suspected breach publicly until it has been fixed. GOV.UK Pay can work with you on any communication and reporting needs. | ||
|
||
## Securing your developer keys | ||
|
||
|
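Review bot: "until it has been fixed" leaves open who decides that a breach is fixed and what the service should do in the meantime; the new sentence about GOV.UK Pay working with you on communication and reporting helps, but it should also say explicitly that not disclosing publicly does not stop a service meeting its own breach-notification obligations to regulators or data subjects, otherwise a service manager may read "do not disclose" as "do not report". Consider: "Do not disclose the details of a suspected breach publicly until it has been fixed. This does not affect any notifications you are required to make to your own regulators; GOV.UK Pay can work with you on the timing and content of those."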
@@ -22,7 +22,7 @@ the test environment, but keys for real integrations should only be shared | |
with the minimum number of people necessary. | ||
|
||
This is because these keys can be | ||
used to create and manipulate payments. Do not commit these keys to public | ||
used to create and manipulate payments. You must not commit these keys to public | ||
source code repositories. | ||
|
||
Follow these steps to revoke your API key immediately if you believe it has been accidentally shared or compromised: | ||
|
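Review bot: the strengthening from "Do not" to "You must not" is right, but the qualifier "public" is too narrow for a key that "can be used to create and manipulate payments": a key committed to a private repository is still exposed through forks, clones, CI logs and repository visibility changes, and the preceding sentence already says keys should go only to "the minimum number of people necessary". Suggest dropping the qualifier, i.e. "You must not commit these keys to source code repositories.", and pointing readers at a pre-commit secret scanner so the revocation steps that follow are rarely needed.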
@@ -51,6 +51,8 @@ To further secure your live developer keys: | |
|
||
* have a leavers’ process, so that a developer’s API key is revoked when they leave | ||
|
||
We're investigating ways to make sure that publicly exposed keys are revoked quickly. | ||
|
||
## Securing your integration with GOV.UK Pay | ||
|
||
Make sure you’ve fully tested your integration with GOV.UK Pay. When doing so, | ||
|
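Review bot: the leavers' bullet only works if each developer holds their own API key; if a team shares one key, revoking "a developer's API key" when they leave breaks the integration, so the bullet should state that live keys are issued per person and never shared. A leavers' process also only catches departures; add a periodic rotation expectation alongside it, since the hunk's own closing line concedes that exposed keys are not yet revoked quickly on the platform side.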
@@ -86,6 +88,10 @@ GOV.UK Pay is certified as fully compliant as a Level 1 Service Provider with | |
PCI DSS version 3.2.1. All GOV.UK Pay partners must be compliant with PCI DSS, | ||
and must validate their compliance annually. | ||
|
||
A Qualified Security Assessor will audit GOV.UK Pay against PCI DSS v4.0 in summer 2024. After this audit, we'll update all relevant PCI DSS documentation. | ||
|
||
You may be asked to provide certain information from GOV.UK Pay as part of your own PCI DSS compliance process. Some of this information may not be available until we've completed our PCI DSS v4.0 transition work. This should not affect your ability to comply with PCI DSS v4.0 because there is a recognised transition period. | ||
|
||
### Use your Merchant ID to report PCI DSS compliance | ||
|
||
A merchant ID is a unique number that identifies you to your payment processor | ||
|
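Review bot: the new paragraph tells readers that some information "may not be available until we've completed our PCI DSS v4.0 transition work" and relies on "a recognised transition period" without saying when that period ends or what a service should submit in the meantime; a service completing its own annual validation needs the end date and the name of the current Attestation of Compliance document it can cite. Also, the unchanged opening sentence still states certification against "PCI DSS version 3.2.1" with no validity date; add the date of the current attestation so the two paragraphs read consistently once the summer 2024 audit is done.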
@@ -127,7 +133,7 @@ cardholder data. | |
For most services using GOV.UK Pay, SAQ A should apply. If your service uses MOTO payments, you may need to choose a different SAQ. | ||
|
||
To make sure you complete the appropriate SAQ, follow the decision tree on the | ||
final page of [the PCI SAQ guidance](https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf). | ||
final page of [the PCI SAQ guidance](https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/Instructions%20%26%20Guidance/SAQ-Instructions-Guidelines-PCI-DSS-v4-0.pdf). | ||
|
||
#### Process more than 6 million transactions per year | ||
|
||
|
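Review bot: the link now points at the v4.0 SAQ instructions while the page two hunks up still says GOV.UK Pay is certified against PCI DSS version 3.2.1, so a reader is sent to one version's decision tree to validate against another; either qualify the sentence ("the PCI DSS v4.0 SAQ guidance") or hold this change until the certification text is updated. Two smaller points on the same line: "final page" was true of the v3.2 PDF and should be re-checked against the v4.0 document rather than carried over, and the new URL contains literal parentheses and `%20`-encoded spaces; the balanced `(Assessment)` should survive the Markdown renderer, but encoding them as `%28`/`%29` avoids depending on that.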
@@ -156,7 +162,9 @@ Security (TLS) protocol is used by the platform to authenticate servers / | |
clients and to provide secure connections. | ||
|
||
You must use HTTPS for all direct communication between your service and | ||
GOV.UK Pay. | ||
GOV.UK Pay. | ||
|
||
You must use a current TLS cipher. We recommend TLS 1.3. | ||
|
||
Return URLs for live services using GOV.UK Pay must use HTTPS, but you can use HTTP for return | ||
URLs with test accounts. |
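Review bot: "You must use a current TLS cipher. We recommend TLS 1.3." conflates a cipher suite with a protocol version: TLS 1.3 is a version, and a compliant client is chosen by its minimum accepted version, not by a single recommended one. Suggest: "You must use a current TLS version. We recommend TLS 1.3." and state the minimum version GOV.UK Pay will accept so integrators can set their client configuration to that floor. Separately, the `GOV.UK Pay.` line is removed and re-added with no visible difference, which looks like a trailing-whitespace change; it is harmless but worth confirming it was intended rather than an editor artefact.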