Payment Pages - Technical Changes 25th November

XSS

If you have not already done so, you need to prepare for a technical change we are introducing on the 5th January 2010.

The changes that we are making are designed to prevent cross site scripting (XSS) from being inserted onto an RBS WorldPay payment page (Redirect Model). This is an important security update in line with the latest industry standards to protect merchants and shoppers at the point when card details are entered onto one of our payment pages. We have communicated this information previously and the changes have already been applied to most merchants' accounts; however, some merchants used the option we provided to opt out of the programme in order to have more time to prepare. On 5th January the changes will be applied to the accounts of any merchants who opted out. If you opted out and have not already done so, you need to check that your payment pages will continue to display correctly once we apply the changes on 5th January, when we will restrict the types of coding accepted on the hosted payment page by introducing a list of permitted attributes, as described below.

Technical Notes for Web Developers

The changes that we are making are designed to prevent cross site scripting (XSS) from being inserted onto one of our hosted payment pages. This is an important security update in line with the latest industry standards to protect merchants and shoppers at the point when card details are entered onto one of our payment pages.

From 5th January any scripting will be suppressed on output to the web browser for all RBS WorldPay merchants (no exceptions or opt-out possible). Unfortunately this will prevent web applications such as Google Analytics from being used on our hosted payment pages, but such coding may still be applied to a merchant's own website at the merchant's own risk. We will restrict the types of coding accepted on the hosted payment page by introducing a list of permitted attributes (often referred to as a 'whitelist') from the Open Web Application Security Project (OWASP). Only markup that is included on the reference list will be displayed when output to a web browser. Validation of all incoming data and appropriate encoding of all output data will prevent unauthorised scripts from running in the browser. NOTE: we announced previously that this change would take place on 23rd November 2009, but we had to reschedule.

We will be using OWASP's 'AntiSamy' Project as a guide. For details, please refer to the AntiSamy Project allowed attribute list.
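To show what "a list of permitted attributes" plus output encoding does to a customised page fragment, here is an added illustration in Python. It is not RBS WorldPay's code and not the AntiSamy library; the permitted tag and attribute sets, and the sample fragment, are assumed, illustrative values rather than the real policy.

```python
from html import escape
from html.parser import HTMLParser

# Assumed illustrative whitelist in the spirit of AntiSamy's allowed attributes; not RBS WorldPay's policy.
ALLOWED_TAGS = {"p", "div", "span", "img", "a", "b", "i", "br"}
ALLOWED_ATTRS = {"*": {"class", "id"}, "img": {"src", "alt", "width", "height"}, "a": {"href", "title"}}

class WhitelistSanitizer(HTMLParser):
    """Rebuild markup keeping only whitelisted tags/attributes; <script> and
    <style> bodies are dropped whole and every text node is HTML-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0   # _skip: nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            permitted = ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]
            kept = ""
            for name, value in attrs:
                name = name.lower()
                if name not in permitted or value is None:
                    continue   # drops onclick=, onerror=, style=, ...
                if name in ("href", "src") and not value.strip().lower().startswith(
                        ("http://", "https://", "/")):
                    continue   # drops javascript:, data: and other URL schemes
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # output encoding of text content

def sanitize(markup: str) -> str:
    p = WhitelistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)

# Constructed sample: a customised header with a logo plus injected script.
SAMPLE = ('<div class="hdr" onclick="alert(1)"><img src="https://example.com/logo.png" alt="Logo">'
          '<script>alert(document.cookie)</script><a href="javascript:alert(1)">x</a><p>Pay &amp; go</p></div>')
```

Running `sanitize(SAMPLE)` keeps the logo and text but strips the event handler, the script block and the javascript: link, which is the kind of visual difference a merchant should look for when previewing a customised page.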

The changes we are making will not affect the processing of payments as such, although you do need to be aware that where prohibited coding has already been used there may be some visual changes to a payment page.

The changes we are making comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of standards for payment account data security. For more information on PCI DSS please visit www.pcisecuritystandards.org.

Customised Payment Pages?

Not sure if you have customised our standard payment pages? If the payment page your site uses includes your own company logo or looks different when compared with the standard page (refer to our example payment pages), then you are using a customised payment page. To be certain, you can also check that your payment pages display as expected once we have made the changes in the Test Environment in early August. To do so, log into the Test Environment, Preview the payment page and also submit a test transaction. If the page displays correctly and works in the way you expect it to, you need do no more. For details about how to Preview the payment page and submit a test transaction please refer to Previewing Your Payment Service Pages. To log in to the test environment, open www.rbsworldpay.com/bg/admin and select Test Merchant Interface.

Disabling and Re-enabling the Whitelist

We will also provide you with the functionality to disable and re-enable the whitelist in both the Test and Production Environments for several days after the 25th November (date to be advised), after which the whitelist will be enforced for all merchants.

To disable the whitelist, please uncheck the 'Enable Whitelisting?' checkbox on the Installation Administration screen found in both the Test and Production Environments.

You can use this feature from August (date to be announced) in the Test Environment to determine whether you need to make any coding adjustments, by comparing how your payment pages display with the whitelist disabled and with it enabled.

If you have customised your payment pages using HTML attributes that are no longer accepted by our system, then your payment pages may not display correctly to shoppers attempting to make purchases from your website. In that case, you can disable the whitelist in the Production Environment so that your payment pages continue to display correctly while you make the necessary coding adjustments.

Please note that you will only be able to disable the whitelist up until 5th January - after which it will be enforced in both Test & Production environments with no exceptions.

Redirecting Shoppers to RBS WorldPay Payment Pages

The measures we are introducing to prevent cross site scripting will no longer allow shoppers to be automatically redirected once they have submitted an order on your website to our payment pages. This change has been enforced as a result of the recent release of Internet Explorer 8 which, because of an incompatibility issue with the improvements we are making, resulted in an error message to shoppers warning about cross site scripting.

Unless you make some minor changes to your systems, shoppers wishing to purchase from your website will now be presented with an additional webpage containing a 'clickable' redirect button so that they can be transferred to the RBS WorldPay payment pages. However, you can avoid this further step in your payment service altogether by replacing the submission URL used by your system to send purchase token details to our payment service. If you wish to bypass the additional webpage containing a manual redirect button, please update your website or shopping cart software with the following submission URL:

Old URL: https://select.worldpay.com/wcc/purchase

New URL: https://secure.wp3.rbsworldpay.com/wcc/purchase

Please contact our Technical Support team if you need further help or guidance by emailing support@rbsworldpay.com.
