Note: This FAQ is aimed at developers and server administrators. For a merchant-focused FAQ, please visit https://www.authorize.net/support/akamaifaqs/.
1) Will Authorize.Net switch all API endpoints to Akamai SureRoute?
We are no longer planning on switching all API endpoints to Akamai SureRoute. We will not require merchants to switch to Akamai as previously announced.
We still recommend that merchants use the Akamai SureRoute endpoints, listed below, to reduce network disruptions outside of Authorize.Net's control.
2) Which API endpoints use Akamai SureRoute?
Currently, these API endpoints use Akamai SureRoute:
Production:
Sandbox:
All other API endpoints, do not use Akamai SureRoute.
3) Are there firewall considerations to bear in mind?
Akamai SureRoute depends on an ever-changing and ever-growing list of IP addresses, to such a degree that conventional, IP-address based firewall rules will not be possible.
According to PCI DSS 3.1, Requirement 1.2.1 states:
“Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”
While some interpret this to mean destination IP addresses must be whitelisted, most Qualified Security Assessors (QSAs) recommend a variety of controls that do not require explicit destination IP addresses.
Sufficient controls under Requirement 1.2.1 include:
- Whitelisting Authorize.Net domains in the web server tier;
- Proxies behind the firewall which whitelist Authorize.Net domains;
- Third-generation firewalls, combined with the above, setting outbound traffic to “ANY”;
- Fourth-generation firewalls which whitelist Authorize.Net domains.
These may be used in conjunction with a network Demilitarized Zone (DMZ) to insulate your infrastructure from the greater Internet. As a reminder, a DMZ is required by PCI DSS if you handle payment data in your production environment, and is a security best practice if you handle sensitive data of any sort. For more details please read the document, “PCI Card Production – Logical Security Requirements.” Please also contact your solution provider or developer to confirm whether the DMZ requirement applies to your situation.
4) Are Authorize.Net domain certificates different on Akamai SureRoute?
All of our API endpoints use EnTrust SHA-256, 2048-bit certificate, and will likely continue to do so for the near future.
5) When I try one of the API endpoints on Akamai SureRoute, I get an HTTP 403 Forbidden error.
Akamai SureRoute actively filters their network for possible threats. While the vast majority of traffic should not be impacted by these filters, there are possible cases where an API call may result in a 403 Forbidden error.
You can identify that these errors are caused by Akamai if it includes the header, "Server: Akamai GHost," in the HTTP response.
Should this happen, please capture the HTTP headers and body you sent and received. In particular, there may be a Reference # listed in the response body, but full HTTP headers are useful for determining the time and conditions of the connection.
Once you have captured the HTTP data, mask any sensitive details such as Transaction Keys, card numbers, check routing/account numbers, and CVV2. Then provide the HTTP data to the Authorize.Net department as follows for further troubleshooting:
Sandbox Support – Please use the Developer Community Contact Us page to report the issue and share the HTTP data you received,
Production Support – Please log into the Merchant Interface and click “Contact Us” to create an eTicket, and share the HTTP data you received. We recommend putting the HTTP data in a document and attaching it to the eTicket. To ensure your data is handled sensitively, we can only accept the HTTP data through eTicket at this time.