Base Commerce Technical Documentation

Base Commerce Security Model

All of the requests that are submitted to the Base Commerce Platform are transmitted via a HTTPS connection. In addition to the utilization of the SSLv3 protocol, we also require that the payload (financial information) of the request and responses be Triple DES Encrypted.

Public Network

Each merchant and development partner issued a unique username, password, and transaction key that is used when communicating with the platform. On the client side of the SDK the transaction key is used to Triple DES encrypt the payload of the request which is then submitted to our servers along with the username and password via SSL where our servers retrieve the key associated with the username and password to decrypt the request. This added layer of encryption provides protection against compromised SSL certificates and man in the middle attacks.

In additional to secure coding practices, Base Commerce also uses a physical layer of protection in card holder present environments. By selecting a device form our approved hardware list your card holder data will be encrypted at the magnetic head when the card is swiped using a unique key for each transaction on each device (This is known as the DUKPT key management scheme:http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ). This added layer of protection in the physical world protects against malicious software that may be installed on the devices of your users which is what lead to the largest card holder data breach in 2014 at Target and several other retailers.