Security and Availability

The connection between the merchant and myPOS Web Checkout is secured using the HTTPS protocol (HTTP over SSL). All requests and responses are digitally signed. The myPOS host is located in a Tier IV data center in Switzerland, with a BGP-enabled public address available through all major internet providers.

myPOS provides emergency support via email or phone, connecting you directly with certified engineers.

3-D Secure Payment

To make online transactions safer, myPOS supports 3-D Secure payments. All myPOS merchants are automatically enrolled. If a client's card is 3-D Secure enabled, the client is redirected to their issuing bank's 3-D Secure portal for authentication. 3-D Secure is mandatory and cannot be opted out of.

Depending on the card scheme and issuing bank, customers may see an additional authentication step during checkout. For example, VISA customers will see the bank's 3-D Secure page.

Important Security Requirements

All API requests must use HTTPS. The User-Agent HTTP request header is required by the myPOS Checkout API. This header helps verify and log the client program. If the User-Agent is missing, the API will return an error page stating:

“The Checkout has sent myPOS a shopping cart with errors in it. We will contact the Merchant with a request to fix this problem. As this could be a temporary issue, you can go back to try checking out again.”

Sending the User-Agent is a key security rule. Not sending it may expose your integration to errors and potential security risks.
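
A client-side pre-flight check for the two rules above, as an added example that is not myPOS code: it refuses non-HTTPS URLs, always sets an explicit User-Agent, and recognises the quoted error page in a response body. The endpoint URL, client name, request body format and function names are hypothetical placeholders.

```python
from urllib.parse import urlsplit
from urllib.request import Request

# Opening words of the error page quoted above, used to recognise it.
CART_ERROR_MARKER = "The Checkout has sent myPOS a shopping cart with errors in it"

# Hypothetical placeholders: use your own client name and the endpoint
# given in your Checkout integration settings.
USER_AGENT = "ExampleShop-Checkout/1.0"
API_URL = "https://checkout.example.invalid/api"


class PreflightError(ValueError):
    """The request would break a documented rule; do not send it."""


def build_checkout_request(url, body, user_agent=USER_AGENT):
    """Return a POST request only if it uses HTTPS and carries a User-Agent."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise PreflightError("checkout requests must use an https:// URL")
    ua = (user_agent or "").strip()
    # Reject empty values and embedded line breaks (header injection).
    if not ua or "\r" in ua or "\n" in ua:
        raise PreflightError("User-Agent must be a non-empty single-line value")
    # urllib would otherwise send its default "Python-urllib/x.y" value;
    # an explicit one keeps the client identifiable in logs.
    return Request(url, data=body, method="POST", headers={"User-Agent": ua})


def is_cart_error_page(response_text):
    """True if the response is the error page quoted above."""
    # Collapse whitespace so line wrapping in the HTML does not hide the text.
    normalized = " ".join(response_text.split())
    return CART_ERROR_MARKER in normalized


if __name__ == "__main__":
    req = build_checkout_request(API_URL, b"example=1")  # constructed body
    print(req.get_method(), req.full_url, req.get_header("User-agent"))
```

When `is_cart_error_page` returns true in an integration test, check first that the User-Agent header actually reached the API, since proxies and HTTP libraries can drop or replace it.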

Security Restrictions

Enable/Disable Payments

By default, online payment processing for any merchant’s Checkout is disabled. To enable the store, the merchant must complete the integration process. Once integrated, the Checkout status becomes “Enabled” and payments can be accepted. Merchants can enable or disable this functionality at any time.

Request URLs

To further increase security, merchants must specify at least one URL from which requests to the myPOS Checkout API will be made. Requests from any other URLs will be denied. New URLs can be added, but must be reviewed and approved first.

Signature and Public/Private Key Pairs

Every message includes a digital signature. Both the myPOS Checkout API and the merchant generate public/private key pairs and exchange public certificates (PEM-encoded PKCS7 files). Each party uses its private key to sign messages, and the other party authenticates the sender using the public certificate.

myPOS provides a unique public certificate for each merchant Checkout. A key index is assigned to each certificate, and certificates are available for download in the Checkout / Integration menu.