Does the Westpac Payway API require you to have a SSL

Discussion in 'Programming & Software Development' started by OPM881, Nov 3, 2010.

  1. OPM881

    OPM881 Member

    Joined:
    Apr 21, 2009
    Messages:
    1,652
    Location:
    Cairns
    I'm setting up an online booking system for a charter flight company, and they wanted to handle online payment. They are with Westpac so I did some searching and found Westpac has its own online pay system called Payway which allows for purchases online. Now when I read the information that I could find, it appeared that I wouldn't need to worry about setting up a https page and an SSL cert as all the credit card details would be handled via their website, and all I would have to send would be the cost information. The more I read the API documentation, I am starting to think that this isn't the case at all, and that I will still need to set up an SSL cert and all that. I am still waiting for the approval for use of the Payway system to be set up for the company, so I can't actually get into the API and do any testing and such, so I thought I would ask on here to see if anyone had any experience with it so that I would know if I need to start figuring out how to handle it using an SSL cert.

    TL;DR: Do I need to have a HTTPS page on a website to use the Westpac Payway system and API, or do I not need to worry about that?
     
  2. Oppressa

    Oppressa Member

    Joined:
    Jun 5, 2004
    Messages:
    5,573
    Location:
    Sydney
    No you don't. We are implementing this and we asked:

    SSL encryption – do we require this on our site domain or is it only required between the user and Westpac – i.e. on your side?


    To clarify, we're going to have a page with a link that allows our clients to be launched into Payway so it's not like they're entering any info in on our site. They enter their client number and credit card details directly onto the Payway site.

    EDIT: So maybe your situation is different if your clients are entering info on your site.
     
    Last edited: Nov 3, 2010
  3. OPM881 (OP)

    OPM881 Member

    Joined:
    Apr 21, 2009
    Messages:
    1,652
    Location:
    Cairns
    The only info they would be entering on our site is booking info, not their CC details. I'm reading the Payway API Developers Guide pdf that is on their website, and it says "All transaction data will be communicated via HTTPS with 128-bit encryption and each message digitally signed(MAC). A digital certificate is provided to each customer for this purpose." so that's why I am slightly confused.

    So as long as I am just sending the cost to the customer and such and NOT the CC details, I shouldn't need an SSL.
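
    Added example, not part of the original post and not Payway's actual message format: the developer guide sentence quoted above mentions a MAC on each message, and this shows why that matters when a merchant site only passes the amount and a booking reference to a hosted payment page. The shared secret, the field names (`reference`, `amount_cents`, `currency`, `mac`) and the query-string layout are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qsl

# Constructed shared secret for the example; a real one is issued out of band.
SHARED_SECRET = b"constructed-example-secret"


def canonical(params):
    """Serialise parameters in sorted order so both sides MAC identical bytes."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign_handoff(params, key=SHARED_SECRET):
    """Merchant server: return a query string with an HMAC-SHA256 tag appended."""
    tag = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
    return urlencode(sorted(params.items()) + [("mac", tag)])


def verify_handoff(query, key=SHARED_SECRET):
    """Receiving side: return the parameters if the MAC checks out, else None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)) or "mac" not in names:
        return None  # duplicate or missing fields make the message ambiguous
    fields = dict(pairs)
    tag = fields.pop("mac")
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters match.
    ok = hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))
    return fields if ok else None


# Constructed booking: the amount is in cents and is set on the server.
BOOKING = {"reference": "BK-1001", "amount_cents": "45000", "currency": "AUD"}


def demo():
    """Return (result for the untouched message, result after the amount is edited)."""
    good = sign_handoff(BOOKING)
    tampered = good.replace("amount_cents=45000", "amount_cents=100")
    return verify_handoff(good), verify_handoff(tampered)
```

    The MAC protects the integrity of the amount even when the handoff passes through the customer's browser; it does not hide the values, which is what HTTPS on the connection is for.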

     
  4. Oppressa

    Oppressa Member

    Joined:
    Jun 5, 2004
    Messages:
    5,573
    Location:
    Sydney
    Surely you have a contact at Westpac? PMing you the person who is helping us.
     
  5. tr3nton

    tr3nton Member

    Joined:
    Oct 14, 2009
    Messages:
    1,281
    Are the fees pretty hefty with a bank's payment gateway? I.e. as opposed to, say, PayPal.
     
  6. Osiris

    Osiris Member

    Joined:
    Aug 22, 2001
    Messages:
    3,724
    AFAIK:
    Technically, no you wouldn't because it's your server that is connecting to their service via the API (that's the part that requires SSL).

    Legally, I have no idea whether your contract stipulates that all CC details need to be transferred over a secure connection or not.
     
  7. OPM881 (OP)

    OPM881 Member

    Joined:
    Apr 21, 2009
    Messages:
    1,652
    Location:
    Cairns
    They didn't want to use PayPal, which I fully understand.

    The impression that I always got from their website when it talked about it was that it would be their website/payment gateway that would be handling the CC details and such, and it would just be my job to send the amount to be paid to their website. Then again, this could be wrong. I need to wait to actually gain access to the Payway website so I can have a better look.
     
  8. DavoRulz

    DavoRulz (Banned or Deleted)

    Joined:
    Jul 18, 2003
    Messages:
    3,962
    Location:
    Your House
    Our St George merchant banking rates are cheaper than the cheapest tier of PayPal.
     
  9. anthonyberry

    anthonyberry Member

    Joined:
    Mar 21, 2009
    Messages:
    51
    That is correct. However, it is a bit of an average customer experience getting handed off to another site to complete a payment.
     
  10. iftwb

    iftwb Member

    Joined:
    Nov 6, 2009
    Messages:
    282
    Location:
    Sydney
    How so? Interested.
     
  11. OPM881 (OP)

    OPM881 Member

    Joined:
    Apr 21, 2009
    Messages:
    1,652
    Location:
    Cairns
    How so? I have seen many businesses do this, and the website is only for a small business. If I had the skills to be able to make sure it is 110% secure myself I would, but I lack the experience to do so.
     
  12. teegman

    teegman Member

    Joined:
    Feb 13, 2006
    Messages:
    94
    Location:
    Adelaide
    Our non-completes are very low, flowing through a hosted payment page. I'd say that consumers are, if anything, more trusting of a brand name handling their credit card details than a small online shop. The case for becoming PCI-DSS compliant for small businesses would also be marginal, until there is strong cash flow and a compelling business case for closer management of the payment process.
     
