February 3, 2015
Securing Your Environment With Access Tokens for API Requests
As an integrated payments provider, Shift4 proudly integrates to hundreds of point-of-sale and property management systems (PMS/POS) and certifies to new and customized interfaces to support our merchant customers’ business needs. Many of you work with third-party application program interface (API) developers on interfaces that enable communications between your PMS/POS and DOLLARS ON THE NET®. In order to further secure these communications, also known as API requests, we have set up a process that will authorize an interface whenever an API request is made, such as when your POS requests a sale or refund to be processed. After following a few simple steps, an Access Token will accomplish this for you.
When Does This Apply to Me?
A Shift4 merchant customer will need to give an interface the permission to retrieve an Access Token during interface installation after the API developer has certified or recertified an interface with Shift4.
What Is an Access Token?
An Access Token grants permission for an interface to process API requests through your DOLLARS ON THE NET account. An Access Token identifies a specific interface to a profit center or merchant identification number (MID) at the application level.
How Access Tokens Secure Your Environment
There are a few benefits to using Access Tokens to authorize communications between an interface and your PMS/POS:
- Access Tokens provide an added layer of security that prevents unauthorized access to your payment processing environment.
- A unique Access Token corresponds to each interface that interacts with a MID. For example, if your DOLLARS ON THE NET account has 100 MIDs using one interface, each MID will require that interface to present the correct Access Token to receive API requests. Conversely, if a single MID uses 20 different interfaces, each of those interfaces will have a unique Access Token to present when responding to an API request from that MID. This ensures that your PMS/POS only communicates with trusted interfaces.
- Your DOLLARS ON THE NET account administrator will have control over which interfaces are granted access, their access levels, and expiry options.
- In the event an Access Token is ever compromised, it will be limited to a single MID. The account administrator can generate a new Access Token and revoke the compromised token without experiencing an interruption in processing transactions.
Giving Vendors Access Tokens
After an interface has been certified or recertified with Shift4, your DOLLARS ON THE NET account administrator needs to generate an Auth Token (used for authentication) for that interface for each MID. The interface installer will then set up their interface to exchange that Auth Token with Shift4 for an Access Token. After that time, the interface will use the Access Token to respond to API requests from your PMS/POS, ensuring a truly secure payment environment.
For more information and detailed instructions about how to use Access Tokens, reach out to our 24/7/365 Customer Support team by emailing [email protected] or calling 702.597.2480 (option 2).