Release Notes
Masking Customer Information over Less-secure Channels Change
Overview
We have introduced the following mandates for your Integration with Amazon Payment Services:
- The return_url, or the Redirection URL that handles the response returned from Amazon Payment Services, must use the POST Method. Please ensure the POST Method is selected for Return URL Type in your Account under ‘Technical settings’.
- All transaction responses from Amazon Payment Services must be returned over HTTPS only. Please ensure that the Redirection, Direct Feedback, and Notification Feedback URLs in your Technical Settings are configured with https URLs and that the return_url submitted in your request is HTTPS (please see below for steps to make the update).
If return responses are not secured through HTTPS URLs for transaction notifications or are not using POST method in return_url or redirection URL, we will mask customer information returned in the response to protect privacy and payment data. We will start the roll-out on 04-04-2021 in the Sandbox environment and on 04-25-2021 in the Production environment.
Note:
This change will not impact payment processing for your customers’ transactions, but will only mask response parameters if less secure methods (HTTP URLs or GET Method) are configured in your account for transaction feedback and return URL. The following response parameters will be masked when HTTP is used for transaction notifications or GET is used for the return_url or redirection URL:
- card_number: The card number will be returned over the secure channel (HTTPS URL and POST Method) as per the card masking method configured in your Technical Settings, like: 123456******1234 or ************1234; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ***************** in the response and in your Account under Request / Response log.
- expiry_date: The expiry_date will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 2105; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: **** in the response and in your Account under Request / Response log.
- customer_name: The customer_name will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: John Smith; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.
- customer_email: The customer_email will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: customer@domain.com; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ************ in the response and in your Account under Request / Response log.
- customer_ip: The customer_ip will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 190.1.1.1; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ******** in the response and in your Amazon Payment Services Account under Request / Response log.
- phone_number: The phone_number will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: 0097150123456; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: *********** in the response returned and in your Account under Request / Response log.
- card_holder_name: The card_holder_name will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: John Smith; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.
- sadad_olp: The sadad_olp will be returned over the secure channel (HTTPS URL and POST Method) as clear data like: SABBP2P_UAT; while over the less secure channel (HTTP URLs or GET Method), it will be returned as fully masked data like: ****** in the response and in your Account under Request / Response log.
Please check the following video to successfully transition to POST and HTTPS:
Note: Please make sure that your return_url or Redirection URL handles the responses as POST Method before applying this change in your Production Account. If you’re not getting the expected result, please contact our Integration Team at: integration-ps@amazon.com.
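A merchant-side check for the two mandates and for the masking behaviour listed above, as an added example that is not Amazon Payment Services code. The settings dictionary, its keys (redirection_url, direct_feedback_url, notification_feedback_url, return_url_method) and both function names are hypothetical; the response is assumed to be already parsed into a dictionary of the parameter names from this page.

```python
from urllib.parse import urlsplit

# Response parameters the release note lists as masked over HTTP or GET.
MASKABLE_FIELDS = (
    "card_number", "expiry_date", "customer_name", "customer_email",
    "customer_ip", "phone_number", "card_holder_name", "sadad_olp",
)


def insecure_settings(settings):
    """List problems in a (hypothetical) dict of callback settings."""
    problems = []
    for label, value in settings.items():
        if label == "return_url_method":  # the Return URL Type setting
            if value.strip().upper() != "POST":
                problems.append(f"{label}: {value!r} is not POST")
        elif urlsplit(value.strip()).scheme.lower() != "https":
            problems.append(f"{label}: {value!r} is not an https URL")
    return problems


def fully_masked_fields(response):
    """Return listed fields whose value is only '*' characters.
    A partially masked card_number such as 123456******1234 is the normal
    secure-channel form and is not reported.
    """
    return [
        name for name in MASKABLE_FIELDS
        if (value := str(response.get(name, ""))) and set(value) == {"*"}
    ]


# Constructed sample data, not taken from a real account.
SAMPLE_SETTINGS = {
    "redirection_url": "http://shop.example/aps/return",
    "direct_feedback_url": "https://shop.example/aps/feedback",
    "notification_feedback_url": "https://shop.example/aps/notify",
    "return_url_method": "GET",
}
SAMPLE_RESPONSE = {
    "card_number": "*****************",
    "expiry_date": "****",
    "customer_email": "************",
    "customer_ip": "190.1.1.1",
}

if __name__ == "__main__":
    print(insecure_settings(SAMPLE_SETTINGS))
    print(fully_masked_fields(SAMPLE_RESPONSE))
```

A non-empty result from fully_masked_fields on a live response is a signal that one of the configured URLs is still HTTP or that the return URL is still using GET.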