Security – Nuvei Documentation

Web security is an important responsibility that is constantly changing and evolving. We are always keeping up with the latest changes in securing internet communication.

Using TLS 1.2, the most current version of the protocol that encrypts internet traffic of all types, enables secure internet communication, helping you protect your customers and your business.

If you are not already communicating over TLS 1.2, we strongly recommend you to upgrade your operating systems and environments to communicate to Nuvei over TLS 1.2.

TLS 1.2 protocol is mandatory in order to access our Credit Card Payments.

Switching to TLS 1.2 protocol is a change that will sooner or later happen, so switch now to secure – proof your website.

You must use HTTPS (Hyper Text Transfer Protocol Secure) in order to make your website more secure and trustworthy.

HTTPS protocol allows communication between different systems or for transferring data from a web server to a browser to view web pages in a secure and reliable manner.

You need to authenticate to the REST API using HTTP Basic Auth (HTTP Basic access authentication) providing a user name and a password when making a request.

The user name consists of the SiteID and the password consists of the API Key which are generated upon the creation of the Integration site. The SiteID and the API Key separated by ‘:’ sign have to be encoded using Base64 encoding (e.g. https://www.base64encode.org/). Only then, the result can be sent in the Authorization header.

Please make sure the API keys are kept secret and regenerate at once if security has been compromised!

Use the SiteID as the basic auth username with the API Key as the password, separated by ‘:’ sign.

Authorization: Basic {Base64 encoding of 'SiteID:APIkey'}

Meaning:

Authorization: Basic {Base64 encoding of '30201:+9KeGzKF7W8S/79a5R33YJUg7E7WFNcZbjGfzLV3bXSnFCOyFt'}

Resulting:

Authorization: Basic MzAyMDE6KzlLZUd6S0Y3VzhTLzc5YTVSMzNZSlVnN0U3V0ZOY1piakdmekxWM2JYU25GQ095RnQ=

For a better understanding of how it works, take a look at our examples of authentication provided below.

Code sample: Authentication

cURL
PHP

curl -u {PROVIDED_SITE_ID}:{PROVIDED_API_KEY} \
     https://paytest.smart2pay.com/v1/payments/?limit=1

<?php
$api_parameters = array();
$api_parameters['site_id'] = '{PROVIDED_SITE_ID}';
$api_parameters['api_key'] = '{PROVIDED_API_KEY}';
$api_parameters['environment'] = 'test';
$api_parameters['method'] = 'payments';
$api_parameters['func'] = 'payments_list';

$api_parameters['get_variables'] = array(
	'limit' => 1,
);
$api_parameters['method_params'] = array();

$call_params = array();

$finalize_params = array();
$finalize_params['redirect_now'] = false;

if( !($call_result = S2P_SDK\S2P_SDK_Module::quick_call( $api_parameters, $call_params, $finalize_params )) )
{
    echo 'API call error: ';

    if( ($error_arr = S2P_SDK\S2P_SDK_Module::st_get_error())
    and !empty( $error_arr['display_error'] ) )
        echo $error_arr['display_error'];
    else
        echo 'Unknown error.';
} else
{
    echo 'API call time: '.$call_result['call_microseconds'].'ms<br/>'."\n";
    echo 'Call result:<br>'."\n".
    '<pre>';
    var_dump( $call_result['call_result'] );
    echo '</pre>';
}

For a secure connection, all API calls must be authenticated and made over HTTPS!

You can manage the API Keys from the Merchant Dashboard. You can have multiple API Keys if you define more sites – see Multiple Websites Management for details.