WL SIPS DOCS

Release 24.6


Sips information systems security


Worldline Sips is a secure, multi-channel e-commerce payment solution that complies with PCI DSS. It lets you accept and manage payment transactions according to the business rules of your activity (payment on delivery, deferred payment, recurring payment, payment in instalments, etc.).

The solution is designed to be secure and straightforward to implement. It is based on a set of components, technologies and operating procedures that comply with the current standards and regulations applicable to electronic payment (GDPR, PCI DSS, ISO standards), so that cardholder data can be entrusted to it with confidence.

The Worldline Sips solution has been PCI DSS certified since 2006; compliance with this security standard governs how cardholder data is protected.

The solution meets your needs with a variety of secure interfaces that suit your business.

The Worldline Sips solution secures card data through a tokenisation process.

The tokeniser associates a single token with a given card number. The token cannot be reversed to recover the card number: the PAN itself is held on the Worldline Sips side only.

The token is a number shared between you and Worldline Sips that securely replaces the card number (PAN) in your systems.

Storing and exchanging tokens instead of PANs keeps card numbers out of your systems, which reduces your PCI DSS scope and contributes to your PCI DSS compliance.

Messages exchanged between you and Worldline Sips are signed with security keys.

Worldline Sips security keys ensure:

  • your authentication
  • the authorisation request from the cardholder's bank
  • data privacy, since the exchanges are additionally encrypted in transit over the Internet (TLS)
  • the integrity of the data exchanged

Depending on the type of connector used, security is provided either by a shared secret key (for the HTTPS connectors) or by X.509 certificates (used to secure the web-service connectors).

To secure the online payment process, Worldline Sips shares a secret key with you, which allows Worldline Sips to authenticate you when you call Sips Paypage or Sips Office.

Having identified you, Worldline Sips redirects the buyer to the payment pages.
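The following is an added example (not Worldline's code; the page does not specify the seal algorithm or the field encoding) showing how a shared secret key authenticates both directions of the exchange described above. It assumes the seal is an HMAC-SHA-256 over the serialised request, hex-encoded, and that fields are serialised as key=value pairs joined with "|". The merchant ID, amounts, response code and secret key are constructed placeholders. The point a practitioner most often gets wrong is on the return path: the merchant server must verify the seal on the automatic response before updating an order, because anyone can POST "accepted" to the return URL.

```python
"""Shared-secret message sealing between a merchant server and a payment gateway.

Added example. Assumptions (not stated on the page): HMAC-SHA-256 hex seal,
fields serialised as key=value pairs joined with '|'. All values constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed secret: in production it comes from the gateway's back office and
# must live only on the merchant's server, never in browser-side code.
SECRET_KEY = "constructed-secret-key-do-not-reuse"


def serialise(fields: Dict[str, str]) -> str:
    """Serialise request fields in insertion order (assumed key=value|... format)."""
    return "|".join(f"{k}={v}" for k, v in fields.items())


def parse(data: str) -> Dict[str, str]:
    """Inverse of serialise()."""
    return dict(item.split("=", 1) for item in data.split("|"))


def compute_seal(data: str, secret_key: str) -> str:
    """HMAC-SHA-256 of the serialised data, keyed with the shared secret."""
    return hmac.new(secret_key.encode("utf-8"), data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_seal(data: str, seal: str, secret_key: str) -> bool:
    """Constant-time comparison: a plain '==' leaks timing to an attacker guessing seals.
    Comparing bytes also avoids TypeError on a non-ASCII seal supplied by an attacker."""
    expected = compute_seal(data, secret_key)
    return hmac.compare_digest(expected.encode("utf-8"), seal.encode("utf-8"))


# --- merchant side: outgoing payment request ------------------------------
def build_payment_request(fields: Dict[str, str], secret_key: str) -> Dict[str, str]:
    """What the merchant server posts to the payment page: Data plus its Seal."""
    data = serialise(fields)
    return {"Data": data, "Seal": compute_seal(data, secret_key)}


# --- gateway side (simulated here) ----------------------------------------
def gateway_handle_request(form: Dict[str, str], secret_key: str) -> Tuple[bool, Dict[str, str]]:
    """Authenticate the merchant by checking the seal before processing anything.
    Returns (accepted, sealed_response)."""
    if not verify_seal(form["Data"], form["Seal"], secret_key):
        return False, {}
    fields = parse(form["Data"])
    response_fields = {
        "orderId": fields["orderId"],
        "amount": fields["amount"],
        "responseCode": "00",  # constructed value standing for "accepted"
    }
    response_data = serialise(response_fields)
    return True, {"Data": response_data, "Seal": compute_seal(response_data, secret_key)}


# --- merchant side: the automatic response --------------------------------
def merchant_handle_response(form: Dict[str, str], secret_key: str) -> Dict[str, str]:
    """Never update an order from an unverified response: only the seal proves it
    came from the holder of the shared secret."""
    if not verify_seal(form["Data"], form["Seal"], secret_key):
        raise ValueError("response seal mismatch: discard and alert")
    return parse(form["Data"])


def demo() -> Dict[str, bool]:
    """Run the genuine exchange and three attacks; every value should be True."""
    fields = {"amount": "1999", "currencyCode": "978",
              "merchantId": "000000000000001", "orderId": "ORD-42"}  # constructed
    request = build_payment_request(fields, SECRET_KEY)
    accepted, response = gateway_handle_request(request, SECRET_KEY)

    # Attacker changes the amount in transit without knowing the key.
    tampered = dict(request, Data=request["Data"].replace("amount=1999", "amount=1"))
    tampered_accepted, _ = gateway_handle_request(tampered, SECRET_KEY)

    # Forged "accepted" response posted straight to the merchant's return URL.
    forged = {"Data": "orderId=ORD-42|amount=1999|responseCode=00", "Seal": "00" * 32}
    try:
        merchant_handle_response(forged, SECRET_KEY)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    return {
        "genuine_request_accepted": accepted,
        "genuine_response_verified": merchant_handle_response(response, SECRET_KEY)["responseCode"] == "00",
        "tampered_request_rejected": not tampered_accepted,
        "forged_response_rejected": forged_rejected,
        "wrong_key_rejected": not verify_seal(request["Data"], request["Seal"], "other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The seal is computed and verified only on servers that hold the secret; a key that ever reaches the browser or a public repository must be considered compromised and rotated through the back office.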

Worldline Sips uses certificate-based cryptography to secure data exchanges through the Worldline Sips web-services.

An X.509 certificate binds a public key to the identity of its holder; the matching private key is kept by the holder and is never transmitted:

  • A message encrypted with the public key can be decrypted only with the private key.
  • A message signed with the private key can be verified with the public key, which authenticates the sender.

Using an ID and a password provides access to the Worldline Sips interfaces with the associated rights. The user can log out at any time. To ensure the security of users, the implemented security policy requires the following:

  • enter a new password the first time you log in
  • frequent password renewal (valid for three months)
  • the password must have a minimum length of 10 characters and must include:
    • at least one alphabetic character
    • at least one digit
    • at least one special character
  • the password must be different from the last four passwords used

All of these contribute to securing the data.

Resources are pooled for all customers of the Worldline Sips offers: shared databases, shared application servers.

Each merchant is associated with a commercial offer, which is itself associated with a technical offer. Once a user has authenticated to an application, the application itself enforces the segregation between merchants and their webshops.

Exchanges of internal Worldline files and of external customer files are secured by our file transfer gateway, which runs in a shared (mutualised) enclave subject to all the management restrictions and procedures imposed by the PCI DSS standard.

Data exchanges by secure file transfer or secure web services implement:

  • authentication by user ID and password on the Secure File Transfer Protocol (SFTP) server
  • SSL/TLS (TLS 1.2) encryption of the streams exchanged over the FTPS and PeSIT protocols
  • SSH encryption, with public/private key pairs, of the streams exchanged over SFTP.

The HyperText Transfer Protocol (HTTP) lets a client connect to a web server and transfer data over the web. The protocol itself is not secure: a malicious third party on the path could intercept and read, or alter, that data.

Its secure variant, HTTPS (HTTP over TLS), carries HTTP inside a Secure Sockets Layer (SSL) / Transport Layer Security (TLS) session. This layer provides encryption (the data is unreadable to a third party) and integrity protection during transmission, and it also authenticates the operator of the website: the browser validates the site's X.509 certificate, issued by a Certificate Authority (CA), and signals a successful validation with the "padlock" icon shown next to the URL. The padlock only means that the certificate chain checked out for that hostname; it says nothing about how the site handles the data once received.

Worldline Sips data flows exchanged via the web are secured by using TLS version 1.2.

The TLS protocol consists of:

  • A negotiation between the client and the server (the "handshake"), during which the cryptographic algorithms (the "cipher suite") are chosen from those both sides support, the server proves its identity with its certificate and, where mutual TLS is used (as with the certificate-secured web-service connectors), the client proves its identity with its own certificate. Session keys are derived at the end of this phase.
  • A session phase, during which the session keys are used to encrypt and authenticate the exchanged data.
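As an added example (not Worldline's code, and making no claim about its servers), the client-side configuration that enforces what the two paragraphs above describe: TLS 1.2 as the floor, server authentication against a CA, hostname checking, and an optional client certificate for the web-service connectors. The `audit_context()` helper flags the "verification off" configuration found in many integrations, which silently accepts any man-in-the-middle certificate. Certificate paths are placeholders.

```python
"""TLS client configuration for calling a payment gateway, plus an audit helper.

Added example; assumptions: HTTPS endpoint, TLS 1.2 minimum, optional client
X.509 certificate for mutual TLS. File paths are placeholders.
"""
import socket
import ssl
from typing import List, Optional


def build_gateway_context(ca_bundle: Optional[str] = None,
                          client_cert: Optional[str] = None,
                          client_key: Optional[str] = None) -> ssl.SSLContext:
    """Context for outbound calls to the gateway.

    create_default_context() already enables certificate validation and
    hostname checking; the settings are made explicit here and the protocol
    floor pinned to TLS 1.2 so a downgrade to TLS 1.0/1.1 is refused.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # Mutual TLS: the gateway authenticates us with this certificate, the
        # analogue of the shared secret key used by the HTTPS connectors.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means acceptable."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: any MITM certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for any other site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def weak_context() -> ssl.SSLContext:
    """The 'it works now' configuration: certificate verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect(host: str, ctx: ssl.SSLContext, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection; server_hostname drives both SNI and hostname checking.
    Not called in the offline demo below."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(build_gateway_context()))
    print("weak:", audit_context(weak_context()))
```

Run `audit_context()` against whatever context your HTTP client actually uses (most libraries let you pass one in); the hardened context must return no findings before the integration goes live.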

The Worldline Sips solution is deployed on two sites to provide a disaster recovery plan across all layers, systems and applications.

Each Worldline Sips technical component on each site, and the file transfer platform, is redundant and configured for load balancing.

If a piece of equipment fails, the load distribution adapts automatically by removing the faulty equipment from the flow.

The disaster recovery plan (DRP) is activated to deal with extreme situations: fire, water damage, major accident, seismic or weather event, flood, air-conditioning failure, loss of power, loss of telecommunications equipment, hardware failure, staff unavailability, etc.

To ensure the resuming or continuity of critical business, Worldline has implemented a Business Continuity Plan (BCP).

This continuity plan is not limited to the continuity of services and applications; it also covers the relocation of users to a fallback site, health risks (epidemic, pandemic), crisis management coordination (labour constraints, crisis centre, etc.), crisis communication, business workaround measures and cross-functional functions (HR, logistics).

Business continuity plan tests are conducted every year and are intended to test that all Worldline Sips service URLs are able to accommodate all flows on a single site in the event of a major incident.

3-D Secure, deployed by Visa and Mastercard under the respective brand names Verified by Visa and MasterCard SecureCode, limits the risk of internet fraud by impersonation (a card used by someone other than its holder).

If you have subscribed to the 3-D Secure service, it benefits both the buyer and you: the card issuer authenticates the buyer, so you have assurance that your customer is the cardholder.

For more information on this service, please refer to our 3-D Secure guide.

Worldline has a fraud risk management offer based on:

  • self-management of fraud control criteria and, therefore, of transaction blocking (Go-No-Go solution) according to your criteria and business requirements
  • transaction reliability assessment by computing a score associated with the transaction (Business Score solution).
  • an anti-carding system to deter the mass generation of transactions with stolen or generated card numbers (carding).

PCI DSS is an international security standard whose objective is to protect the confidentiality and integrity of cardholder data, and thereby card and transaction data. Merchants and payment providers are required to comply with it; the validation effort required varies with the volume of transactions they handle.

Worldline is PCI DSS certified and implements, among other things, the following security actions:

  • information system security policy
  • premises monitored and protected by access control
  • secure servers and backed up data
  • regularly audited information system
  • highly secure hosting centres


Worldline is responsible for the security of cardholders' data, but the company is not responsible for the PCI DSS compliance of its clients.

Please have a discussion about this with your acquiring institution.

In order to comply with PCI DSS, you are asked to fill in a more or less extensive questionnaire depending on the type of payment solution implemented. This questionnaire is to be returned to your acquiring bank once a year (see the 'SAQ' section).

You will need to show your PCI DSS certificate of conformity to your acquiring bank as soon as possible.

This certificate of conformity is declarative and you will be required to complete a Self-Assessment Questionnaire (SAQ) that will allow you to know whether you are compliant or not with the PCI DSS requirements.

So your approach to SAQs is a two-step process:

FIRST STEP: DETERMINE THE LEVEL YOU BELONG TO

Whether you accept a few card payments per year or millions, you will be classified into one of the following four levels defined by the international card schemes.

Level | Type of activity | Actions required for compliance
1 | Any merchant processing more than 6 million Visa or Mastercard transactions per year; any merchant who has been compromised. | On-site security audit (or SAQ for Visa Europe). Quarterly vulnerability scan (if e-commerce).
2 | Any merchant processing from 1 to 6 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan (if e-commerce).
3 | Any merchant processing from 20,000 to 1 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan (if e-commerce).
4 | Any merchant processing fewer than 20,000 Visa or Mastercard e-commerce transactions per year; all other merchants processing up to 1 million Visa or Mastercard transactions per year. | Annual self-assessment questionnaire. Quarterly vulnerability scan recommended (if e-commerce; depends on whether cardholder data is captured, stored or transmitted by the merchant's own infrastructure or by a service provider).

If in doubt, take the number of transactions per card brand, contact your acquiring bank and ask for confirmation of your level. Acquiring banks have the ultimate decision-making power over the levels of their merchants, so you need to check your assumptions with your bank.

SECOND STEP: DETERMINE WHAT YOU NEED TO SUBMIT FOR VALIDATION

Once you have identified the level you belong to, you will be able to determine what you need to provide to your acquiring bank.

If you are Level 2 to 4, you must complete a self-assessment questionnaire that is appropriate for your activity. Self-assessment questionnaires are documents that contain a series of questions that you must answer.

There are three types of SAQ covering the Worldline Sips offer: A, A-EP and D.

Type of SAQ | Description | Number of questions (SAQ version 3.2)
A | Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing or transmission of cardholder data on the merchant's systems or premises. | 22
A-EP | E-commerce merchants that outsource all payment processing to PCI DSS validated third parties, but whose website(s) do not directly receive cardholder data yet can affect the security of the payment transaction; no electronic storage, processing or transmission of cardholder data on the merchant's systems or premises. | 193
D-Merchant | All other merchants, including those that store cardholder data electronically. | 331

The General Data Protection Regulation (GDPR) is a European Union regulation governing the collection and processing of personal data in Europe.

Its purposes are to strengthen the rights of individuals, to make the parties involved in data processing accountable, and to give the regulators credible means of enforcement. In France it builds on the Data Protection Act of 1978 (loi Informatique et Libertés), which created the CNIL (Commission Nationale de l'Informatique et des Libertés), the administrative authority responsible for ensuring that privacy is respected when personal data is processed by computer.

The GDPR also ends the prior declaration obligations to the CNIL: instead of declaring processing in advance, organisations must be able to demonstrate their compliance, and the CNIL may carry out checks at any time.

To ensure and prove its compliance with privacy, Worldline has followed and implemented the 6 CNIL advisory steps:

  1. appoint a data protection officer
  2. map data processing
  3. define corrective actions
  4. analyse/manage risks
  5. set up internal procedures
  6. document compliance

As part of the Worldline Sips offer, Worldline has a subcontractor role (within the meaning of the GDPR, otherwise called "data processor"), on behalf of its customers, who are responsible for processing (within the meaning of the GDPR, otherwise called "data controller").

The challenges are:

  • to combat cyber-malicious acts in all their forms, including e-mail hijacking, theft of browser cookies, spreading of malicious files, theft of bank details and ransomware
  • to ensure that this data, if stolen, is unusable because it is incomplete or encrypted.

It is therefore a matter of protecting the people concerned by an appropriate processing of their personal data and of making responsible those involved in such a processing.

Attention: in the event of non-compliance with the GDPR, several sanctions may be applied to companies. Article 58 of the GDPR gives the supervisory authorities (the CNIL in France) corrective powers to deter and sanction breaches of its provisions; administrative fines are set out in Article 83.

Personal data that you may be required to collect and/or process is data that identifies an individual in a direct or indirect way:

  • examples of direct data -> last name, first name
  • examples of indirect data -> login ID, IP address, phone number, e-mail.

Some of this data is said to be "sensitive": IBAN, social security number, credit card number for example.

IMPORTANT: as a merchant, you are responsible for the data you collect and/or process. So you need to do a risk analysis and look at how to secure that data.

As a processor, Worldline has committed to:

  • processing personal data only for the purpose of proper service execution
  • implementing security standards to provide a high level of security to our services
  • notifying you as soon as possible in the event of a data breach
  • helping you meet your regulatory obligations by providing you with adequate documentation about our services.

IMPORTANT: transactional data is stored in our databases for 18 months. Cards enrolled in the Worldline Sips wallet are deleted 3 months after their expiry date.

Here is the list of tracers used in the Worldline Sips interfaces:

Table 1. Sips Paypage and Sips Walletpage (last update 11/24/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
PAYPAGE_SESSIONID | Cookie | "Necessary" tracer | Retrieves the buyer's payment session. | Payment session | None
respctx | Cookie | "Necessary" tracer | Added by network equipment; used to secure requests. | Payment session | None
respctx | Session storage | "Necessary" tracer | Stored in the browser session; used to redirect the browser back to the merchant site from which the payment request originated. | Payment session | None
X-SDPX-PID (added Jan. 2022) | Cookie | "Necessary" tracer | Records the identifier of the payment request in the logs, so that resources served by the Apache front ends (images, JS) and all requests belonging to the same payment request can be correlated. | Payment session | None

Table 2. Sips Office Extranet (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
SOE_SESSIONID | Cookie | "Necessary" tracer | Retrieves the user's session. | User session | None
TSxxxxxxxx | Cookie | "Necessary" tracer | Added by network equipment; used to secure requests. | User session | None
Style | Cookie | "Necessary" tracer | Retains the user's style choice. | 1 year | None

Table 3. Merchant Extranet (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
MEX_SESSIONID | Cookie | "Necessary" tracer | Retrieves the user's session (generic cookie). | User session | None

Table 4. CustomPages (last update 11/23/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
MEX_SESSIONID | Cookie | "Necessary" tracer | Retrieves the user's session (generic cookie). | User session | None
_mc_data | Cookie | "Necessary" tracer | Retrieves information on the previously selected merchant. | 2 min | None
o_data | Cookie | "Necessary" tracer | Identifies the current offer. | 1 week | None
_static_page_generator_mode | Cookie | "Necessary" tracer | Selects between "SIMPLE" and "EXPERT" mode. | 1 week | None

Table 5. Fraud tab in the Merchant Extranet (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
FRAUD_SESSIONID | Cookie | "Necessary" tracer | Retrieves the user's session (generic cookie). | User session | None
GUIFRAUD_CSRF-TOKEN | Cookie | "Necessary" tracer | Secures REST calls with an anti-CSRF token. | Session duration | None

Table 6. Download tab in the Merchant Extranet (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
DWNLD_SESSIONID | Cookie | "Necessary" tracer | Retrieves the user's session. | User session | None
DWNLD3_CSRF-TOKEN | Cookie | "Necessary" tracer | Secures REST calls with an anti-CSRF token. | User session | None

Table 7. Sips In-App on Android (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
Operator; Rooted phone (true or false); Emulator detector (true or false); androidVersionAPI; Debugger detector (true or false); Is screen on (true or false) | deviceContext | "Technical" tracer | Enables incident resolution in the event of technical problems. | 190 days | None

Table 8. Sips In-App on iOS (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
Kernel version; Carrier (operator); Jailbroken (true or false); Time zone; Debugger detector (true or false); Identifier For Vendor (UUID); iOS version; Hash of the In-App SDK; Kernel host name; Simulator detector (true or false) | deviceContext | "Technical" tracer | Enables incident resolution in the event of technical problems. | 190 days | None

Table 9. 3DS-Server for 3DSv2 (last update 11/22/2023)

Tracer name | Tracer nature | Tracer type | Aim | Storage period | Supplier
acceptHeader | Browser | "Technical" tracer | Content types accepted by the browser; scoring calculation, fraud prevention. | Payment session | DS/ACS
ip | Browser | "Technical" tracer | User's IP address; scoring calculation, fraud prevention. | Payment session | DS/ACS
javaEnabled | Browser | "Technical" tracer | Whether Java is enabled in the browser (navigator.javaEnabled()); scoring calculation, fraud prevention. | Payment session | DS/ACS
language | Browser | "Technical" tracer | Browser language; scoring calculation, fraud prevention. | Payment session | DS/ACS
colorDepth | Browser | "Technical" tracer | Screen colour depth; scoring calculation, fraud prevention. | Payment session | DS/ACS
screenHeight | Browser | "Technical" tracer | Screen height; scoring calculation, fraud prevention. | Payment session | DS/ACS
screenWidth | Browser | "Technical" tracer | Screen width; scoring calculation, fraud prevention. | Payment session | DS/ACS
tz | Browser | "Technical" tracer | Browser time zone offset; scoring calculation, fraud prevention. | Payment session | DS/ACS
userAgent | Browser | "Technical" tracer | User-Agent string sent by the browser; scoring calculation, fraud prevention. | Payment session | DS/ACS

ISO 9001 is an international quality management standard that can be used by all organisations.

This standard specifies the requirements for implementing a quality management system, requirements to be used internally or for certification or contractual purposes. This standard focuses on the effectiveness of the quality management system in meeting customers' requirements.

The 9001 certification is carried out with an external Ernst & Young auditor.

ISO 14001 is an international standard that specifies requirements for environmental management systems. It is aimed at organisations that want to improve their performance and achieve their environmental and sustainable development goals, in other words, to control and manage their impact on the environment systematically.

The 14001 certification is carried out with an external Ernst & Young auditor.

ISO 27001 is the internationally recognised standard for information security management in organisations. Security audits are typically structured around this standard.

The standard describes the requirements for the implementation of an Information Security Management System (ISMS).

The ISMS identifies security measures, within a defined scope, so as to guarantee the protection of the organisation's assets.

The goal is to protect functions and information from loss, theft or alteration, and computer systems from any intrusion and disaster.

The 27001 certification is carried out with an external Ernst & Young auditor.

As part of its acceptance of Bancontact payment methods (Belgium), Worldline Sips has been certified as compliant with Bancontact security requirements.

Certification audit carried out by Galitt and Bancontact.

At the end of the audit, Bancontact issues a "Full Security Certification" certificate.
