Security

Reporting vulnerabilities

If you believe GOV.UK Pay security has been breached, contact us immediately at govuk-pay-support@digital.cabinet-office.gov.uk. If you are a live user and the suspected breach is severe, consider using the urgent contact details provided to your service manager.

Do not disclose the details of a suspected breach publicly until it has been fixed. GOV.UK Pay can work with you on any communication and reporting needs.

Securing your developer keys

GOV.UK Pay lets you create as many API keys as you want.

We recommend letting all your developers experiment with their own test keys in the test environment, but keys for real integrations should only be shared with the minimum number of people necessary.

This is because these keys can be used to create and manipulate payments. You must not commit these keys to public source code repositories.

Follow these steps to revoke your API key immediately if you believe it has been accidentally shared or compromised:

1. Sign in to the GOV.UK Pay admin tool.

2. Select the correct accounts in the My services section.

3. Select API keys.

4. Revoke all compromised API keys.

Warning If you believe your key has been used to make fraudulent payments, contact the GOV.UK support team using the urgent contact methods provided to your service manager.

To further secure your live developer keys:

• periodically rotate the keys that are used for live payments

• you should consider rotating keys that are used for live payments after staff members leave that had access to those keys

• avoid embedding your developer keys in any of your code - this only increases the risk that they will be discovered (instead store your keys inside your configuration files)

• avoid storing your API keys in your application source tree (even when you’re not making your source code publicly available)

• revoke your developer keys when they’re no longer needed (this limits the number of entry points into your account)

• have a leavers’ process, so that a developer’s API key is revoked when they leave

We’re investigating ways to make sure that publicly exposed keys are revoked quickly.

Securing your integration with GOV.UK Pay

Make sure you’ve fully tested your integration with GOV.UK Pay. When doing so, take care not to use any real card numbers. Read more about testing.

Securing your users’ information

GOV.UK Pay does not store full card numbers or CVV data for security reasons. This means you will not be able to search for transactions using card numbers. You can, however, search for the first six digits and the last four digits of a card.

Preventing fraudulent payments

If you think you’re receiving fraudulent payments, you can:

• block users from paying with prepaid cards
• delay capture of payments if you need time to do your own anti-fraud checks
• check your payment service provider’s (PSP’s) security settings, or contact us if your PSP is Stripe

You can also set up your account to make risk management fraud checks if your PSP is Worldpay

If you make risk management fraud checks, you must contact us and ask us to send your user’s IP address to your PSP during each payment, or your payments may stop working.

Cloud security principles

GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on implementing the Cloud Security Principles for more information.

Payment Card Industry (PCI) compliance

Anyone involved with the processing, transmission, or storage of cardholder data must comply with the Payment Card Industry Data Security Standards (PCI DSS).

GOV.UK Pay is certified as fully compliant as a Level 1 Service Provider with PCI DSS version 3.2.1. All GOV.UK Pay partners must be compliant with PCI DSS, and must validate their compliance annually.

A Qualified Security Assessor will audit GOV.UK Pay against PCI DSS v4.0 in summer 2024. After this audit, we’ll update all relevant PCI DSS documentation.

You may be asked to provide certain information from GOV.UK Pay as part of your own PCI DSS compliance process. Some of this information may not be available until we’ve completed our PCI DSS v4.0 transition work. This should not affect your ability to comply with PCI DSS v4.0 because there is a recognised transition period.

Use your Merchant ID to report PCI DSS compliance

A merchant ID is a unique number that identifies you to your payment processor and acquiring bank. The recommended approach is to report PCI DSS compliance by MID by:

• agreeing with your acquiring bank to allocate an unique MID for each separate payment channel you have in place

• reporting your PCI DSS compliance status for each of these unique MIDs to your acquiring bank

If you have one MID that encompasses multiple payment channels, the compliance requirements will be more complex for that MID. You should check the PCI DSS for more information.

Determine your PCI DSS compliance requirements

Your requirements depend on the number of transactions that you process as a merchant per scheme (Visa, MasterCard) per year.

For example, if you process 4 million transactions with Visa and 3 million with MasterCard, the ’Fewer than 6 million transactions per year’ category still applies despite the fact that the total number of transactions is larger than 6 million.

Confirm your merchant level with your acquiring bank.

Assessing your compliance requirements

Process fewer than 6 million transactions per year

If you process fewer than 6 million transactions per scheme per year, you may be able to self-assess by completing one of the PCI DSS Self-Assessment Questionnaires (SAQs). This is a self-assessment tool to assess security for cardholder data.

For most services using GOV.UK Pay, SAQ A should apply. If your service uses MOTO payments, you may need to choose a different SAQ.

To make sure you complete the appropriate SAQ, follow the decision tree on the final page of the PCI SAQ guidance.

Process more than 6 million transactions per year

If you process more than 6 million transactions per scheme per year, you will need to complete a formal on-site security assessment by a PCI DSS Qualified Security Assessor (QSA).

It may be possible to be assessed against only the SAQ A requirements but this should be discussed with your own PCI DSS compliance team and your acquiring bank.

More information on this can be found at the PCI Security Standards Council website.

Your service manager may also be asked to supply extra evidence on your internal security protocols, and you may have to complete security awareness training to make sure you are qualified to handle credit card data.

HTTPS

GOV.UK Pay follows government HTTPS security guidelines. The Hypertext Transfer Protocol Secure (HTTPS), which involves the Transport Layer Security (TLS) protocol is used by the platform to authenticate servers / clients and to provide secure connections.

You must use HTTPS for all direct communication between your service and GOV.UK Pay.

You must use a current TLS cipher. We recommend TLS 1.3.

Return URLs for live services using GOV.UK Pay must use HTTPS, but you can use HTTP for return URLs with test accounts.