Security
This section describes the following:
- Security requirements
- Separate API/MQI password
- Secret word
Security Requirements
All requests to the Automated Payments Interface (API) and Merchant Query Interface (MQI) must be standard HTTPS GET or POST requests; all endpoints accept both methods. The HTTPS protocol provides a secure means of verifying the program on the client host. Plain text HTTP requests are forbidden, and if the client sends an HTTP request to the server it will be denied.
Skrill recommends using POST for maximum security.
- Do not mix GET and POST requests. Choose which method to use and apply it consistently. POST parameters are encoded using Content-Type: application/x-www-form-urlencoded. GET parameters are sent as part of the URL query string, for example: https://www.skrill.com/app/query.pl?action=status_trn&email=mb654@abv.bg&password=53903d217504eb37f3fdb0ce77610558&mb_trn_id=104627261.
If you currently do not send HTTPS headers for tracking reasons, you should be aware that this can be used as a loophole by potential website hackers.
Accept Request Header
The Accept request header field can be used to specify certain media types that are acceptable for the response to your HTTP request. If you are using Accept request headers in your API requests, please use */*, text/* or text/html.
Content-Type Response Header
Content type text/xml is returned in the response for all API endpoints.
Content type text/html is returned in the response for all MQI endpoints except Account history.
Content type application/vnd.ms-excel;charset=UTF-8 is returned for the Account history endpoint.
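The requirements above (HTTPS only, POST with form-encoded parameters, a permitted Accept value) can be enforced on the client before anything is sent. The following is an added example, not Skrill's own code: the helper names are hypothetical, the endpoint and parameter names are taken from the example URL on this page, and the values passed in are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Endpoint and parameter names come from the example URL on this page.
MQI_ENDPOINT = "https://www.skrill.com/app/query.pl"


def build_request(endpoint, params):
    """Hypothetical helper: build an HTTPS POST with all parameters in the body."""
    parts = urlsplit(endpoint)
    # Plain text HTTP is forbidden, so fail locally instead of sending it.
    if parts.scheme != "https":
        raise ValueError("endpoint must use https://")
    # Do not mix GET and POST: reject parameters placed in the URL.
    if parts.query:
        raise ValueError("send parameters in the POST body, not the query string")
    body = urlencode(params).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/html",  # one of the accepted values: */*, text/*, text/html
    }
    return Request(endpoint, data=body, headers=headers, method="POST")


def status_trn_request(email, password, mb_trn_id):
    """Hypothetical wrapper for the status_trn action shown in the example URL."""
    return build_request(MQI_ENDPOINT, {
        "action": "status_trn",
        "email": email,
        "password": password,
        "mb_trn_id": mb_trn_id,
    })


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or transaction ids.
    req = status_trn_request("merchant@example.com", "API_MQI_PASSWORD_VALUE", "1234567")
    print(req.get_method(), req.full_url)  # the URL carries no parameters
    print(sorted(req.header_items()))
```

The returned Request object is only constructed here; passing it to urllib.request.urlopen would send it.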
Separate API/MQI Password
You will need to enable the API and/or MQI and set up an API/MQI password. You can also change the password.
To enable the API and/or MQI:
- Log in to Skrill Business Portal
- Go to Settings > Developer Settings
- Set API/MQI password using the toggle, type and confirm by clicking Save
- For each section, specify the IP address(es) or IP address range(s) of your server. This prevents payment or money transfer requests from other IP addresses if your secret word or API password is compromised. All requests from other IP addresses are denied. Access can be granted to:
  - A single IP address (e.g. 145.76.160.206 using the example above)
  - Multiple IP addresses, separated by space (e.g. 192.168.0.2 10.0.0.2)
  - A subnet in CIDR notation (e.g. 192.168.0.0/24)
- Activate the API/MQI using the toggle
- Set Secret Word using the toggle, type and confirm by clicking the Save button
Your Secret Word must contain at least: 8 characters, 1 uppercase letter, 1 lowercase letter, and 1 number. CIDR ranges should be no longer than 256 IP addresses.
If the Settings > Developer Settings section is not displayed in your account, contact Skrill Merchant Services.