1. Introduction

At PostFinance, your business continuity and security are our priorities. We therefore take data security and compliance very seriously and perform regular audits and assessments to ensure that the way we work and exchange data with you is fully compliant.

Therefore, when processing online transactions, it is essential that you implement the highest possible security standards in your IT infrastructure.
To avoid any kind of data breach (e.g. of card numbers or your customers' personal data), a key aspect is to ensure that you send payment requests to the payment platform using the POST method with the transaction data in the body of the HTTP request. This is the only way to ensure you are not exposing your customers' sensitive transaction data over the internet.

2. Understand different HTTP request methods

Every request your system sends to our platform follows the principles of the Hypertext Transfer Protocol (HTTP). HTTP offers different methods for doing so:

  • GET: the payment information is part of the URL that receives the data
  • POST with the payment information in the URL (appended as a query string)
  • POST with the payment information in the HTTP request body

However, the only fully secure way to send payment information to our platform is POST with the payment information in the HTTP request body.
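To make the difference between the three shapes concrete, here is an added example (not PostFinance code) that builds each request with Python's standard library, without sending anything, and reports which parameter names would end up in the request line, which is what proxies, web-server access logs and browser history record. The endpoint is the test URL from this page; the parameter values are constructed placeholders.

```python
"""Where does the payment data end up for each HTTP request shape?

Added example, not PostFinance code. It builds the three request shapes
described above with the standard library only and reports which parameter
names would be visible in the request line (the URL part that proxies,
access logs and browser history record). Nothing is sent over the network.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "https://e-payment.postfinance.ch/ncol/test/orderdirect_utf8.asp"

# Constructed sample data: the card number is the well-known test PAN used
# in the form on this page, the other values are placeholders.
PAYMENT = {
    "PSPID": "myshop",
    "ORDERID": "1234",
    "AMOUNT": "1000",
    "CURRENCY": "CHF",
    "CARDNO": "4111111111111111",
    "CVC": "123",
    "ED": "12/36",
    "CN": "John Doe",
}
# Parameters that must never appear in a URL.
SENSITIVE = {"CARDNO", "CVC", "ED", "CN"}


@dataclass(frozen=True)
class HttpRequest:
    method: str
    url: str          # full URL, including any query string
    body: str = ""    # application/x-www-form-urlencoded payload, if any

    def request_line(self) -> str:
        """The request line a web server writes to its access log."""
        parts = urlsplit(self.url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        return f"{self.method} {target} HTTP/1.1"


def build_get(params: dict) -> HttpRequest:
    """Shape 1: GET, all data in the URL."""
    return HttpRequest("GET", ENDPOINT + "?" + urlencode(params))


def build_post_query(params: dict) -> HttpRequest:
    """Shape 2: POST, but the data is still appended to the URL."""
    return HttpRequest("POST", ENDPOINT + "?" + urlencode(params))


def build_post_body(params: dict) -> HttpRequest:
    """Shape 3: POST with the data in the request body (the acceptable shape)."""
    return HttpRequest("POST", ENDPOINT, urlencode(params))


def exposed_in_url(req: HttpRequest) -> set:
    """Names of parameters that would be written to the URL / log line."""
    return set(parse_qs(urlsplit(req.url).query, keep_blank_values=True))


def leaks_sensitive(req: HttpRequest) -> bool:
    """True if any card-related parameter is visible in the URL."""
    return bool(exposed_in_url(req) & SENSITIVE)


if __name__ == "__main__":
    for build in (build_get, build_post_query, build_post_body):
        req = build(PAYMENT)
        print(f"{build.__name__:17} leaks={leaks_sensitive(req)!s:5} "
              f"log: {req.request_line()[:72]}")
```

Only the third shape produces a request line free of payment data; with the first two, the card number and CVC are written to every log along the path even though the connection itself is encrypted.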
Have a look at this generic example to understand how this method works:

<form method="post" action="https://e-payment.postfinance.ch/ncol/test/orderdirect_utf8.asp" id="form1" name="form1">
<!-- the HTML form on your checkout page -->

<!-- merchant and order parameters -->
<input type="hidden" name="PSPID" value="">
<input type="hidden" name="ORDERID" value="">
<input type="hidden" name="AMOUNT" value="">
<input type="hidden" name="CURRENCY" value="">

<!-- card data (test card number) -->
<input type="hidden" name="CARDNO" value="4111111111111111">
<input type="hidden" name="CVC" value="123">
<input type="hidden" name="ED" value="12/36">
<input type="hidden" name="CN" value="John Doe">

<!-- signature over the request parameters -->
<input type="hidden" name="SHASIGN" value="">
<!-- Authentication parameters USERID/PSWD are added in the server code (see below) -->

</form>

Your server code (tool used here: cURL) sending this form data, including the authentication parameters USERID/PSWD, as a POST request with the data in the request body:

curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'pspid=<pspid>&orderid=<orderid>&amount=<amount>&currency=<currency>&cardno=<cardno>&cvc=<cvc>&ed=<ed>&cn=<cn>&userid=<userid>&pswd=<pswd>' \
  https://e-payment.postfinance.ch/ncol/test/orderdirect_utf8.asp

Be aware of the following attributes:

  • "method" must be POST
  • "action" must contain only the endpoint URL (no parameters appended as a query string)
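The two attribute rules above can be checked mechanically. The following added example (not PostFinance code) parses the <form> elements of a checkout page with Python's standard library and reports which rule each form breaks; it also flags a non-https action, which is an extra check beyond the two rules listed. The sample page is constructed for the example.

```python
"""Checklist for the "method" and "action" attributes of a checkout form.

Added example, not PostFinance code. It collects every <form> element of
an HTML document and reports which rule each one breaks:
  - method must be POST
  - action must be the bare endpoint URL (no query string or fragment)
  - (extra check) action must use https
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormCollector(HTMLParser):
    """Collects the attributes of every <form> element in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # Normalise attribute names; a missing value becomes "".
            self.forms.append({k.lower(): (v or "") for k, v in attrs})


def check_form(attrs: dict) -> list:
    """Return the findings for one form; an empty list means it passes."""
    findings = []
    # Browsers default to GET when "method" is absent, so absence fails too.
    if attrs.get("method", "get").lower() != "post":
        findings.append("method is not POST: payment data would travel in the URL")
    parts = urlsplit(attrs.get("action", ""))
    if parts.query or parts.fragment:
        findings.append("action carries a query string or fragment; "
                        "it must be the bare endpoint URL")
    if parts.scheme.lower() != "https":
        findings.append("action is not an https:// URL")
    return findings


def check_document(document: str) -> dict:
    """Map each form (by id, or its index when it has none) to its findings."""
    collector = FormCollector()
    collector.feed(document)
    return {f.get("id", str(i)): check_form(f)
            for i, f in enumerate(collector.forms)}


# Constructed sample page: form1 follows the rules, form2 breaks both of them.
SAMPLE_PAGE = """
<form method="post" action="https://e-payment.postfinance.ch/ncol/test/orderdirect_utf8.asp" id="form1">
  <input type="hidden" name="PSPID" value="">
</form>
<form method="get" action="https://e-payment.postfinance.ch/ncol/test/orderdirect_utf8.asp?PSPID=shop&AMOUNT=1000" id="form2">
  <input type="hidden" name="ORDERID" value="">
</form>
"""

if __name__ == "__main__":
    for form_id, findings in check_document(SAMPLE_PAGE).items():
        print(form_id, "OK" if not findings else findings)
```

Run it against the rendered checkout page (after any template processing) rather than the template source, since the action URL is often assembled at render time.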

If you are working with our DirectLink solution, contact your integrator to ensure that your sales application uses the POST method.