CollectBest Practices

Security Best Practices

Ensure secure integration and data handling with CrissCross

Overview

Security is a critical aspect of any payment processing solution. CrissCross enforces strict security protocols to ensure that merchant and customer data is protected throughout the transaction lifecycle. This document provides security best practices to follow when integrating CrissCross into your system.

Access Token Management

  • Manage OAuth Credentials:

    • Store your clientSecret securely and rotate it if you suspect compromise.
    • Use the Authentication guide to obtain short-lived access tokens.

  • Separate Environments:

    • Use different credentials for sandbox vs production to prevent cross-environment mistakes.

  • Keep Credentials Confidential:

    • Never hardcode clientSecret in source code.
    • Use environment variables or a secrets manager.

PCI Compliance

  • Understand PCI-DSS Requirements:

    • Merchants handling card data directly must comply with PCI DSS.
    • Use Hosted Checkout or Secure Fields to reduce PCI scope.

  • Limit Sensitive Data Exposure:

    • Avoid handling raw card data unless required for your integration choice.
    • Prefer Hosted Checkout or Secure Fields when possible.

Data Encryption

  • Encryption in Transit and at Rest:

    • Ensure all communication with CrissCross uses HTTPS to protect data in transit.
    • CrissCross encrypts sensitive data at rest to prevent unauthorized access.

  • Secure Storage Practices:

    • Do not store sensitive payment information locally unless absolutely necessary.
    • Use the tokens provided by CrissCross for subsequent transactions instead of storing card details.

Authentication and Access Control

  • Enforce Multi-Factor Authentication (MFA):

    • Use MFA for your CrissCross dashboard accounts to add an additional layer of security.

  • Role-Based Access Control (RBAC):

    • Limit access to sensitive data and features based on user roles.
    • Review and update access permissions periodically to avoid unnecessary access.

Use HTTPS and OAuth Tokens

Ensure all API calls are made over HTTPS and authenticated with OAuth access tokens. See the Authentication guide for the correct token flow and headers.

Monitoring and Alerts

  • Monitor for Suspicious Activity:

    • Use the CrissCross dashboard to track unusual API activity or payment patterns.
    • Set up notifications for failed login attempts or rate limit breaches.

  • Webhook Security:

    • Protect webhook endpoints with HTTPS.
    • Follow the Webhooks guide for verification and validation steps.

Handling Security Incidents

  • Incident Response Plan:

    • Prepare a plan for handling security incidents, including compromised keys or unauthorized access.
    • Revoke compromised API keys immediately via the dashboard.

  • Notify CrissCross Support:

    • In case of a security breach affecting CrissCross integration, contact support immediately for assistance.

Conclusion

Maintaining security in your CrissCross integration requires a proactive approach. By following these best practices for API key management, encryption, PCI compliance, and monitoring, merchants can minimize risks and ensure the safety of customer data.