TLS Security and Communication Settings

We regularly review our security settings and try to find an optimal balance between maximum security and backward compatibility. Due to current developments in communication standards and regulatory requirements, it is nevertheless necessary to make occasional adjustments to our communication endpoints.

SSL Certificates

SSL certificates are used to encrypt the data transfer between you and the Saferpay payment gateway. As threats grow more frequent and more dangerous, these certificates have to be changed frequently.

For most systems this may not be an issue. However, there are cases where you, the merchant, may need to obtain these certificates, for example if you use a trust store and your system only trusts certificates that have been added to it.

For further information and a download of all the relevant certificates, please follow this link.

TLS Version

For encrypted communication (HTTPS) with Saferpay, TLS 1.2 must be used as protocol for transport encryption. Unencrypted communication (HTTP) or earlier versions of TLS or SSL are not supported.

Cipher Suites

Furthermore, at least one of the following encryption algorithms (Cipher Suites) must be used to establish a connection to Saferpay:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
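
An added example, not Saferpay's own code: a Python client context pinned to TLS 1.2 and the six suites listed above, with an optional trust-store file as described under SSL Certificates. The OpenSSL names are the standard equivalents of the IANA names on this page; the function names, the `cafile` parameter and the choice to offer GCM suites first are assumptions of this example.

```python
import socket
import ssl

# Suites listed on this page: IANA name -> OpenSSL name expected by set_ciphers().
SAFERPAY_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}

def build_context(cafile=None):
    """Client context limited to TLS 1.2 and the suites listed above.

    cafile: optional PEM trust store (caller-supplied path, an assumption of
    this example); when given, only the CAs in that file are trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSL and TLS < 1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2     # the page names TLS 1.2 only
    # This example's choice: offer the GCM (AEAD) suites before the CBC ones.
    names = sorted(SAFERPAY_SUITES.values(), key=lambda n: "GCM" not in n)
    ctx.set_ciphers(":".join(names))                 # raises SSLError if none is usable
    return ctx

def enabled_tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites the local build actually enables."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"}

def unlisted_suites(ctx):
    """Enabled TLS 1.2 suites that are NOT on the page's list (should be empty)."""
    return enabled_tls12_suites(ctx) - set(SAFERPAY_SUITES.values())

def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with host and return (protocol version, OpenSSL cipher name)."""
    ctx = build_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    context = build_context()
    print("enabled:", sorted(enabled_tls12_suites(context)))
    print("unlisted:", sorted(unlisted_suites(context)))
```

Calling `probe("test.saferpay.com")` from a host with network access performs a real handshake against the sandbox and fails with an `ssl.SSLError` if no listed suite or trusted certificate chain can be agreed.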

Hosts, IP Addresses and Ports Used by Saferpay

In some cases it may be necessary to whitelist the outgoing and especially incoming hosts inside your firewall.

Incoming

The following hosts are for incoming connections towards Saferpay:

  • www.saferpay.com for connecting to the production environment

  • test.saferpay.com for connecting to the sandbox (test environment)

Outgoing

The following hosts are for outgoing connections towards the merchant:

When possible, please whitelist the host wave.six-group.com.

If this is not possible, you should implement an IP lookup against this host, for instance about once every month, e.g.:

nslookup wave.six-group.com

Authentication of any kind towards the merchant system, e.g. a client certificate, is currently not supported by Saferpay.

If neither option is available to you, you can find the outgoing IPs below.

Please note that the IP addresses listed below may change at short notice or even without prior notification. We highly recommend using one of the previously mentioned options instead.

153.46.105.98 153.46.244.84 153.46.97.98 153.46.105.121 193.247.180.4 153.46.97.94 153.46.97.121

Ports

For both incoming and outgoing connections, Saferpay will use the standard HTTP(S) ports 80 and 443. Other ports are currently not supported.
