CyberSource Akamai Updates - Frequently Asked Questions


Doc ID:    C1683
Version:    5.0
Status:    Published
Published date:    06/14/2016
Updated:    06/14/2016
 

Answer

What is Akamai?

Akamai is a third-party, cloud-based service that efficiently routes Internet traffic via a distributed network of servers comprising over 100,000 dynamic IP addresses. CyberSource will employ Akamai to enhance service delivery outside the VISA/CyberSource network.
 

When will Akamai be implemented?

CyberSource is no longer planning to migrate the routing used for legacy API endpoints. This was originally scheduled to occur June 30. Merchants may elect to switch to the Akamai-enabled API endpoints at their convenience, as no automated switchover will occur.

CyberSource strongly encourages all merchants to implement the changes necessary to begin processing on the Akamai-enabled infrastructure as soon as possible, as the Akamai-enabled ‘a’ endpoints are currently available for both Production and Test environment traffic. This will allow for maximum uptime benefit due to the improved routing efficiencies and mitigation of future internet anomalies.

Akamai is available for testing now in our test environment. We strongly encourage you to test your solution prior to making any production change so that you do not experience any disruptions to your transaction processing.
 

Why is Akamai being implemented?

With their extensive network of servers and IP addresses, Akamai is able to route traffic faster and more efficiently.

Akamai's technology will also provide CyberSource a superior level of communication reliability, as Akamai helps safeguard against interruptions caused by issues beyond our direct control, such as internet congestion, fiber cable cuts and other issues.
 

What are the four new URLs for transaction processing?

The new Akamai-enabled transaction endpoint URLs are as follows:

| Connection Type | Environment | Akamai-Enabled Endpoint |
|---|---|---|
| SCMP | Test | http://ics2testa.ic3.com |
| SCMP | Production | http://ics2a.ic3.com |
| SOAP/Simple Order API | Test | https://ics2wstesta.ic3.com/commerce/1.x/transactionProcessor/ |
| SOAP/Simple Order API | Production | https://ics2wsa.ic3.com/commerce/1.x/transactionProcessor/ |

Please contact your web developer or solution provider for assistance in configuring your implementation to use one of these new Akamai URLs.
 

Are the current/legacy API transaction URLs changing?

No. The existing transaction URLs for use with SCMP, Simple Order API, and SOAP Toolkit applications are not changing and will remain in service.
 

What actions should I take to prepare my SCMP API payment application for this change?

Merchants using a version of the SCMP API must first test, then reconfigure transaction processing to use the new 'a' endpoints in the Test and Production environments (listed above). Testing ensures that their firewall configurations allow connections to the Akamai-based endpoints and that their version of the SCMP API client can handle this connection as well. All currently available versions of the SCMP API clients on our Downloads Page will work with this Akamai routing technology. These can be downloaded here:

     http://www.cybersource.com/developers/integration_methods/legacy_integrations/
 

What actions should I take to prepare my SOAP Toolkit or Simple Order API payment application for this change?

Merchants using either the SOAP Toolkit or Simple Order API clients must also test, then reconfigure transaction processing to use the new 'a' domain endpoints in the Test and Production environments (listed above). Merchants should verify that their application trusts the new GeoTrust-signed security certificates used on these endpoints and that their firewall permits communication via the Akamai cloud, as described below.

The GeoTrust security certificates for the ics2wstesta.ic3.com and ics2wsa.ic3.com domains can be exported from the sites themselves via the browser: 

     1.  Navigate to the domains, e.g., https://ics2wstesta.ic3.com
     2.  Click the padlock icon
     3.  View/Export the certificates
 

You may also download the root and intermediate-level certificates from the attachment to the following article:

https://support.cybersource.com/cybskb/index?page=content&id=C1688


CyberSource recommends adding the 'intermediate' level certificate (the "GeoTrust SSL CA - G3" file) to your trusted certificate repository as this will give you access to both the Test and Production environment API endpoints.

                 

In addition, verify that your firewall configuration permits outbound traffic to flow to CyberSource via the Akamai-enabled endpoints by configuring your outbound firewall to allow these transaction endpoints to resolve to "ANY" IP address.
 

Does this change affect me if I only use the Virtual Terminal or Enterprise Business Center?

No. If you use only the Virtual Terminal or Enterprise Business Center, no updates are necessary as these are both browser-based entry points.
 

My firewall has whitelisted CyberSource's IP addresses for outbound connections. What do I need to do to use Akamai?

If your solution uses a firewall to filter outbound connections, make sure that the firewall is set to permit outbound traffic to flow to the Akamai cloud by configuring your outbound firewall to "ANY."

 

I connect to CyberSource directly via an IP address. What do I need to do to use Akamai?

If your solution connects to CyberSource directly via an IP address, you will need to update it to connect by domain name. Continuing to connect directly via an IP address is strongly discouraged as you will not receive the benefits of routing through Akamai, and you could suffer a loss of service if transactions are re-routed among our various datacenters.
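
A pre-change configuration check for the point above and for the endpoint table earlier on this page, as an added example (not CyberSource code): it flags a configured transaction URL that uses an IP literal, that is not one of the four Akamai-enabled hosts, or that points a deployment at the wrong environment. The function names and the "test"/"production" labels are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Akamai-enabled endpoints as listed in the table on this page:
# host -> (environment, scheme, required path prefix)
SOAP_PATH = "/commerce/1.x/transactionProcessor/"
AKAMAI_ENDPOINTS = {
    "ics2testa.ic3.com": ("test", "http", ""),               # SCMP
    "ics2a.ic3.com": ("production", "http", ""),             # SCMP
    "ics2wstesta.ic3.com": ("test", "https", SOAP_PATH),     # SOAP/Simple Order API
    "ics2wsa.ic3.com": ("production", "https", SOAP_PATH),   # SOAP/Simple Order API
}


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_endpoint(url, environment):
    """Return findings for one configured transaction URL.

    `environment` is what the deployment claims to be ("test" or
    "production"; labels assumed by this example). An empty list means
    the URL matches an Akamai-enabled endpoint from the page.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if is_ip_literal(host):
        return ["connects by IP address; must connect by domain name"]
    entry = AKAMAI_ENDPOINTS.get(host)
    if entry is None:
        return ["host is not one of the Akamai-enabled 'a' endpoints"]
    env, scheme, path = entry
    findings = []
    if env != environment:
        findings.append(f"{environment} deployment points at the {env} endpoint")
    if parts.scheme != scheme:
        findings.append(f"scheme is {parts.scheme}, page lists {scheme}")
    if not parts.path.startswith(path):
        findings.append(f"path does not start with {path}")
    return findings
```

Run it over every transaction URL in your application configuration before switching Production traffic; a host reported as not being an 'a' endpoint may simply be a legacy URL that is still in service.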
 

How can I test my site/solution to make sure it will work when I make these changes?

Akamai is available for testing now in our test environment using the corresponding 'a' domain endpoints. We strongly encourage you to test your solution prior to making any production change so that you do not experience any disruptions to your transaction processing.
 

Are there any PCI DSS implications to permitting outbound traffic in my firewall?

Your transactions will be routed via the Akamai cloud. The sheer number of potential addresses involved, over 100,000 dynamically addressed proxies, makes whitelisting impractical. Therefore, your outbound firewall must be configured to "ANY."

The Payment Card Industry Data Security Standard (PCI-DSS) allows this type of rule under normal circumstances. The core principle is to employ least privilege and only allow "authorized" traffic to be sent, which is what you will be sending to CyberSource.

PCI-DSS Sections 1.2 and 1.3 require that you restrict unnecessary traffic from traversing the payment data network. In this case, you are routing traffic to CyberSource domains, a trusted party, via the Akamai cloud (Akamai picks up your traffic at the nearest proxy and routes it to the CyberSource datacenter).

We strongly recommend that you continue to restrict inbound traffic to your whitelisted IP addresses, and to traffic resulting from an outbound session. Other controls in your environment should address exfiltration of data.

In addition, if your production environment handles payment data, you should use a network demilitarized zone (DMZ) with firewalls allowing connections only between the DMZ and the production environment. Your DMZ should allow connections from it to any outside Internet connection, but should limit inbound connections to those necessary for your business.

A DMZ is required by PCI DSS if you handle payment data in your production environment, and is a security best practice if you handle sensitive data of any sort. For more details please read the document, PCI Card Production - Logical Security Requirements.

Please contact your solution provider or developer to confirm whether the DMZ requirement applies to your situation.
