If you believe GOV.UK Pay security has been breached, contact us immediately at email@example.com. If you are a live user and the suspected breach is severe, consider using the urgent contact details provided to your service manager.
Please do not disclose the suspected breach publicly until it has been fixed.
Securing your developer keys
GOV.UK Pay allows you to create as many API keys as you want.
We recommend allowing all your developers experiment with their own test keys in the test environment, but keys for real integrations should only be shared with the minimum number of people necessary.
This is because these keys can be used to create and manipulate payments. Do not commit these keys to public source code repositories.
Follow these steps to revoke your API key immediately if you believe it has been accidentally shared or compromised:
Sign in to the GOV.UK Pay admin tool.
Select the correct accounts in the My services section.
Select API keys.
Revoke all compromised API keys.
To further secure your live developer keys:
periodically rotate the keys that are used for live payments
you should consider rotating keys that are used for live payments after staff members leave that had access to those keys
avoid embedding your developer keys in any of your code - this only increases the risk that they will be discovered (instead store your keys inside your configuration files)
avoid storing your API keys in your application source tree (even when you’re not making your source code publicly available)
revoke your developer keys when they’re no longer required (this limits the number of entry points into your account)
have a leavers’ process, so that a developer’s API key is revoked when they leave
Securing your integration with GOV.UK Pay
Make sure you’ve fully tested your integration with GOV.UK Pay. When doing so, take care not to use any real card numbers. Read more about testing.
Securing your users’ information
GOV.UK Pay does not store full card numbers or CVV data for security reasons. This means you will not be able to search for transactions using card numbers. You can, however, search for the first six digits and the last four digits of a card.
Preventing fraudulent payments
If you think you’re receiving fraudulent payments, you can:
- block users from paying with prepaid cards
- delay capture of payments if you need time to do your own anti-fraud checks
- check your payment service provider’s (PSP’s) security settings, or contact us if your PSP is Stripe
You can also set up your account to make risk management fraud checks if your PSP is Worldpay
If you make risk management fraud checks, you must contact us and ask us to send your user’s IP address to your PSP during each payment, or your payments may stop working.
Cloud security principles
GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on implementing the Cloud Security Principles for more information.
Payment Card Industry (PCI) compliance
Anyone involved with the processing, transmission, or storage of cardholder data must comply with the Payment Card Industry Data Security Standards (PCI DSS).
GOV.UK Pay is certified as fully compliant as a Level 1 Service Provider with PCI DSS version 3.2.1. All GOV.UK Pay partners must be compliant with PCI DSS, and must validate their compliance annually.
Use your Merchant ID to report PCI DSS compliance
A merchant ID is a unique number that identifies you to your payment processor and acquiring bank. The recommended approach is to report PCI DSS compliance by MID by:
agreeing with your acquiring bank to allocate an unique MID for each separate payment channel you have in place
reporting your PCI DSS compliance status for each of these unique MIDs to your acquiring bank
If you have one MID that encompasses multiple payment channels, the compliance requirements will be more complex for that MID. You should check the PCI DSS for more information.
Determine your PCI DSS compliance requirements
Your requirements depend on the number of transactions that you process as a merchant per scheme (Visa, MasterCard) per year.
For example, if you process 4 million transactions with Visa and 3 million with MasterCard, the “Fewer than 6 million transactions per year” category still applies despite the fact that the total number of transactions is larger than 6 million.
Confirm your merchant level with your acquiring bank.
Assessing your compliance requirements
Process fewer than 6 million transactions per year
If you process fewer than 6 million transactions per scheme per year, you may be able to self-assess by completing one of the PCI DSS Self-Assessment Questionnaires (SAQs). This is a self-assessment tool to assess security for cardholder data.
For most services using GOV.UK Pay, SAQ A should apply. If your service uses MOTO payments, you may need to choose a different SAQ.
To make sure you complete the appropriate SAQ, follow the decision tree on the final page of the PCI SAQ guidance.
Process more than 6 million transactions per year
If you process more than 6 million transactions per scheme per year, you will need to undertake a formal on-site security assessment by a PCI DSS Qualified Security Assessor (QSA).
It may be possible to be assessed against only the SAQ A requirements but this should be discussed with your own PCI DSS compliance team and your acquiring bank.
More information on this can be found at the PCI Security Standards Council website.
Your service manager may also be asked to supply extra evidence on your internal security protocols, and you may have to undertake security awareness training to ensure you are qualified to handle credit card data.
GOV.UK Pay follows government HTTPS security guidelines. The Hypertext Transfer Protocol Secure (HTTPS), which involves the Transport Layer Security (TLS) protocol is used by the platform to authenticate servers / clients and to provide secure connections.
You must use HTTPS for all direct communication between your service and GOV.UK Pay.
Return URLs for live services using GOV.UK Pay must use HTTPS, but you can use HTTP for return URLs with test accounts.