
Release Notes

Masking Customer Information over Less-secure Channels Change

Overview

We have introduced the following mandates for your Integration with Amazon Payment Services:

  • The return_url, or the Redirection URL that handles the response returned from Amazon Payment Services, must use the POST Method. Please ensure that the POST Method is selected for Return URL Type in your Account under ‘Technical settings’.

  • All transaction responses from Amazon Payment Services must be returned over HTTPS only. Please ensure that the Redirection, Direct Feedback, and Notification Feedback URLs in your Technical Settings are configured with https URLs and that the return_url submitted in your request is HTTPS (please see below for the steps to make the update).

If return responses are not secured through HTTPS URLs for transaction notifications, or the return_url or Redirection URL does not use the POST Method, we will mask customer information returned in the response to protect privacy and payment data. We will start the roll-out on 04-04-2021 in the Sandbox environment and on 04-25-2021 in the Production environment.

Note:

This change will not impact payment processing for your customers’ transactions; it will only mask response parameters if less secure methods (HTTP URLs or GET Method) are configured in your account for transaction feedback and return URL. The following response parameters will be masked when HTTP is used for transaction notifications or GET is used for the return_url or Redirection URL:

  • card_number: The card number will be returned over the secure channel (HTTPS URL and POST Method) according to the card masking method configured in your Technical Settings, like: 123456******1234 or ************1234; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ***************** in the response and in your Account under Request / Response log.

  • expiry_date: The expiry_date will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 2105; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: **** in the response and in your Account under Request / Response log.

  • customer_name: The customer_name will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: John Smith; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.

  • customer_email: The customer_email will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: customer@domain.com; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ************ in the response and in your Account under Request / Response log.

  • customer_ip: The customer_ip will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 190.1.1.1; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ******** in the response and in your Amazon Payment Services Account under Request / Response log.

  • phone_number: The phone_number will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 0097150123456; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: *********** in the response and in your Account under Request / Response log.

  • card_holder_name: The card_holder_name will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: John Smith; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.

  • sadad_olp: The sadad_olp will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: SABBP2P_UAT; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.

Please check the following video to successfully transition to POST and HTTPS:

Note: Please make sure that your return_url or Redirection URL handles the responses as POST Method before applying this change in your Production Account. If you’re not getting the expected result, please contact our Integration Team at: integration-ps@amazon.com.
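An added example (not Amazon Payment Services code) of a pre-rollout check based on the list above: it flags settings that would trigger masking and detects fully masked values in a received response. The setting keys, URLs and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Response parameters the release note lists as masked over HTTP or GET.
MASKABLE = ("card_number", "expiry_date", "customer_name", "customer_email",
            "customer_ip", "phone_number", "card_holder_name", "sadad_olp")


def insecure_settings(urls, return_url_type):
    """Return the names of settings that would trigger masking."""
    bad = [name for name, url in urls.items()
           if urlsplit(url).scheme.lower() != "https"]
    if return_url_type.upper() != "POST":
        bad.append("return_url_type")
    return sorted(bad)


def fully_masked_fields(response):
    """Names of listed parameters whose value consists only of asterisks."""
    return [k for k in MASKABLE
            if response.get(k) and set(response[k]) == {"*"}]


def card_bin(response):
    """First six digits of card_number, or None when they are masked."""
    head = response.get("card_number", "")[:6]
    return head if len(head) == 6 and head.isdigit() else None


# Constructed sample data (hypothetical keys, not real settings or transactions).
SETTINGS = {
    "redirection_url": "https://shop.example/aps/return",
    "direct_feedback_url": "http://shop.example/aps/feedback",
    "notification_feedback_url": "https://shop.example/aps/notify",
}
SECURE = {"card_number": "123456******1234", "expiry_date": "2105",
          "customer_email": "customer@domain.com"}
MASKED = {"card_number": "*****************", "expiry_date": "****",
          "customer_email": "************"}

if __name__ == "__main__":
    print(insecure_settings(SETTINGS, "GET"))
    print(fully_masked_fields(SECURE), card_bin(SECURE))
    print(fully_masked_fields(MASKED), card_bin(MASKED))
```

A non-empty result from fully_masked_fields on a live response is a signal that the response arrived over HTTP or GET and the Technical Settings need to be corrected.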


Frequently Asked Questions for Masking Customer Information over less-secure Channels Change:


I'm using one of your ready plugins. Is there any change required from my side upon these mandates?

Our plugins handle the responses as POST Method with https URLs. You just need to check your Technical Settings configurations in your Test and Production accounts to ensure that the Return_Url Type option is set as "POST" and that the configured Direct Feedback URL [which is your host to host URL] is https. There will be no impact on the payment processing at your shop upon this change.


I'm using the Shopify e-commerce platform. Is there any change required from my side upon these mandates?

Our Integration with Shopify supports returning the response as POST Method with https URLs. You just need to check your Technical Settings configurations in your Test and Production accounts to ensure that the Return_Url Type option is set as "POST" and that the URLs configured under this tab are https. There will be no impact on the payment processing at your shop upon this change.


I'm using your PHP / .NET SDK. Is there any change required from my side upon these mandates?

Our PHP and .NET SDKs handle the responses over POST Method with https URLs. You just need to check your Technical Settings configurations in your Test and Production accounts to ensure that the Return_Url Type option is set as "POST" and that the URLs configured under this tab are https. There will be no impact on the payment processing at your shop upon this change.


I'm using your Android / iOS SDKs. Is there any change required from my side upon these mandates?

If you are handling the responses received from Amazon Payment Services through the Direct or Notification Feedback URLs configured in your Account under Technical Settings, you need to ensure that these configured URLs are https. Otherwise, we won't require any further changes. There will be no impact on the payment processing at your shop upon this change.

Will the response signature calculations be impacted after masking the critical data received in the response?

The signature calculation process will remain the same: you will include the masked parameters in the signature calculation as they are. If you face any signature calculation issue, please refer to the signature API reference here or contact our Integration Team at: integration-ps@amazon.com.
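An added example (not Amazon Payment Services code) of verifying a response signature over the values exactly as received, including masked ones. It assumes the scheme from the signature API reference is SHA-256 over the response phrase, the name=value pairs sorted by name, and the phrase again; the phrase and all sample values are constructed.

```python
import hashlib
import hmac


def response_signature(params, phrase):
    """Assumed scheme: SHA-256(phrase + sorted name=value pairs + phrase)."""
    body = "".join(f"{k}={params[k]}" for k in sorted(params)
                   if k != "signature")
    return hashlib.sha256(f"{phrase}{body}{phrase}".encode("utf-8")).hexdigest()


def verify_response(received, phrase):
    """Recompute over the received values, masked or not, and compare."""
    expected = response_signature(received, phrase)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, received.get("signature", ""))


# Constructed sample: a response as it would arrive over a less secure channel.
PHRASE = "constructed-response-phrase"
RECEIVED = {
    "merchant_reference": "ORDER-1001",
    "card_number": "*****************",
    "expiry_date": "****",
    "customer_email": "************",
}
# Stand-in for the signature the gateway would attach to this response.
RECEIVED["signature"] = response_signature(RECEIVED, PHRASE)

# Pitfall: swapping a masked value for the clear value held locally
# changes the signed string, so verification fails.
SUBSTITUTED = dict(RECEIVED, customer_email="customer@domain.com")

if __name__ == "__main__":
    print(verify_response(RECEIVED, PHRASE))     # values as received
    print(verify_response(SUBSTITUTED, PHRASE))  # locally "unmasked" value
```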


Is this mandate applicable to the Tokenization API Response received from Amazon Payment Services, or is it only applicable to the Payment Operations Responses?

This mandate is applicable to all APIs that require you to handle the response from the return_url, Redirection URL, Direct Feedback and Notification Feedback URLs.


I'm using your Transactions Reports to extract the transactions data. Will these critical data be masked in the Reports as well?

No, they won't be masked in the Reports.


I'm using Data Mine [Reporting API] to extract the transactions data. Will these critical data be masked in the Reports as well?

No, they won't be masked in the Reporting APIs.


I'm displaying the card_number, expiry date and card_holder_name received from Amazon Payment Services for the registered customers who saved their card in my application. Does this mandate impact my current implementation for the registered customers?

If you are handling the response received from Amazon Payment Services with the GET Method or through an http URL, you will get the card_number, the expiry_date and the card_holder_name as fully masked values, and this will impact the flow that you have implemented. To avoid any impact on your current implementation, please make sure to migrate to POST and use https URLs to handle the response; in this case, you will get these details without masking. There will be no impact on the payment processing at your shop upon this change.


I'm depending on the card_bin received from Amazon Payment Services to apply discounts on certain bins. Does this mandate impact my current bank discount implementation?

If you are handling the response received from Amazon Payment Services with the GET Method or through an http URL, you will get the card_number, which contains the card bin [first 6 digits], as a fully masked value, and this will impact the flow that you have implemented. To avoid any impact on your current implementation, please make sure to change the Return_Url Type to POST and use https URLs to handle the response; in this case, you will get the card_number response without masking. There will be no impact on the payment processing at your shop upon this change.