Update index.html.md.erb #949

Merged (6 commits), Feb 5, 2024
18 changes: 13 additions & 5 deletions source/security/index.html.md.erb
@@ -1,6 +1,6 @@
---
title: Security
last_reviewed_on: 2023-06-22
last_reviewed_on: 2024-01-31
review_in: 6 months
weight: 9200
---
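Review bot: bumping `last_reviewed_on` to 2024-01-31 while `review_in` stays at 6 months schedules the next review for the end of July 2024, which is the same window as the "summer 2024" PCI DSS v4.0 audit statement this PR adds further down; consider a shorter `review_in` or a tracked follow-up so the audit sentence is refreshed as soon as it is out of date rather than left for the routine cycle.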
@@ -11,7 +11,7 @@ weight: 9200

If you believe GOV.UK Pay security has been breached, contact us immediately at [[email protected]](mailto:[email protected]). If you are a live user and the suspected breach is severe, consider using the urgent contact details provided to your service manager.

Please do not disclose the suspected breach publicly until it has been fixed.
Do not disclose the details of a suspected breach publicly until it has been fixed. GOV.UK Pay can work with you on any communication and reporting needs.

## Securing your developer keys

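Review bot: the new wording "Do not disclose the details of a suspected breach publicly until it has been fixed" gives the reporter no way to know when that condition is met; suggest adding that GOV.UK Pay will confirm when the issue is resolved and it is safe to publish, so the embargo has a defined end and the added offer to "work with you on any communication and reporting needs" has a concrete trigger.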
@@ -22,7 +22,7 @@ the test environment, but keys for real integrations should only be shared
with the minimum number of people necessary.

This is because these keys can be
used to create and manipulate payments. Do not commit these keys to public
used to create and manipulate payments. You must not commit these keys to public
source code repositories.

Follow these steps to revoke your API key immediately if you believe it has been accidentally shared or compromised:
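Review bot: "You must not commit these keys to public source code repositories" reads as though private repositories are acceptable, but the rationale in the same paragraph (the keys can create and manipulate payments) applies wherever a key is stored; suggest "You must not commit these keys to source code repositories", optionally pointing readers to a secrets store and a pre-commit secret scanner as the way to meet that requirement.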
@@ -51,6 +51,8 @@ To further secure your live developer keys:

* have a leavers’ process, so that a developer’s API key is revoked when they leave

We're investigating ways to make sure that publicly exposed keys are revoked quickly.

## Securing your integration with GOV.UK Pay

Make sure you’ve fully tested your integration with GOV.UK Pay. When doing so,
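Review bot: "We're investigating ways to make sure that publicly exposed keys are revoked quickly" could be read as GOV.UK Pay taking over revocation, so a reader who leaks a key might wait for the platform to act; suggest making explicit that the revocation steps above remain the service team's responsibility today, and either dating this statement or dropping it until the mechanism exists, since undated forward-looking sentences in reviewed documentation tend to linger.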
@@ -86,6 +88,10 @@ GOV.UK Pay is certified as fully compliant as a Level 1 Service Provider with
PCI DSS version 3.2.1. All GOV.UK Pay partners must be compliant with PCI DSS,
and must validate their compliance annually.

A Qualified Security Assessor will audit GOV.UK Pay against PCI DSS v4.0 in summer 2024. After this audit, we'll update all relevant PCI DSS documentation.

You may be asked to provide certain information from GOV.UK Pay as part of your own PCI DSS compliance process. Some of this information may not be available until we've completed our PCI DSS v4.0 transition work. This should not affect your ability to comply with PCI DSS v4.0 because there is a recognised transition period.

### Use your Merchant ID to report PCI DSS compliance

A merchant ID is a unique number that identifies you to your payment processor
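Review bot: the added paragraph relies on "a recognised transition period" without naming it or its end date, which is what a partner's own assessor will ask for; suggest stating which milestone is meant (the retirement date of v3.2.1 and the effective date of the future-dated v4.0 requirements) and linking the PCI SSC source, and "summer 2024" in the preceding sentence should be replaced with a date or removed once the audit has happened, since the unchanged context line above still describes the platform as certified against version 3.2.1.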
@@ -127,7 +133,7 @@ cardholder data.
For most services using GOV.UK Pay, SAQ A should apply. If your service uses MOTO payments, you may need to choose a different SAQ.

To make sure you complete the appropriate SAQ, follow the decision tree on the
final page of [the PCI SAQ guidance](https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf).
final page of [the PCI SAQ guidance](https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/Instructions%20%26%20Guidance/SAQ-Instructions-Guidelines-PCI-DSS-v4-0.pdf).

#### Process more than 6 million transactions per year

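Review bot: the replacement link points at the `docs-prv.pcisecuritystandards.org` host, which looks like a preview or private document location rather than the public `www.pcisecuritystandards.org` document library; please confirm it is the stable public URL for the v4.0 SAQ instructions, and check that the decision tree is still on the "final page" of the v4.0 document as the unchanged sentence above still claims.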
@@ -156,7 +162,9 @@ Security (TLS) protocol is used by the platform to authenticate servers /
clients and to provide secure connections.

You must use HTTPS for all direct communication between your service and
GOV.UK Pay.
GOV.UK Pay.

You must use a current TLS cipher. We recommend TLS 1.3.

Return URLs for live services using GOV.UK Pay must use HTTPS, but you can use HTTP for return
URLs with test accounts.
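Review bot: "You must use a current TLS cipher. We recommend TLS 1.3." mixes two things, since TLS 1.3 is a protocol version, not a cipher; suggest "You must use a current TLS version. We recommend TLS 1.3." and state the minimum the platform actually accepts (for example whether TLS 1.2 connections are still allowed and for how long), because a bare recommendation does not tell an integrator what will be rejected. The `GOV.UK Pay.` line above appears to change only in whitespace; if that is unintended it can be reverted to keep the diff minimal.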