Table of Contents
- Overview
- Prerequisites
- How to Setup IP Restrictions
- My merchant accidentally added the wrong IP Address, how can I assist them?
- Additional Notes
- Video Tutorial
Overview
IP Restrictions is a security feature available on all Gateway accounts. IP Restrictions allows the merchant to control who can access their gateway account. Merchants may enter the specific IP addresses and hostnames that are permitted to log in to their Merchant Portal and API. Merchants can set IP Restrictions to minimize the risk of unauthorized individuals accessing their account.
Prerequisites
The merchants user will need to have the 'Access Administrative Options' permission in order to be able to manage their IP Restrictions. Primary users have this permission set by default and it cannot be removed.
How to Setup IP Restrictions
When this feature is turned on, only devices and servers connecting from locations the merchant has authorized will be able to access their account. Please note that if the merchant is not able to use one of the locations on the allow list, they will not be able to access their account. The merchant will need to make sure they have all locations on the allow list before turning IP/Host Restrictions on.
- The merchant will need to log in to their Merchant Portal → click on Options → click on Settings → under "Security Options" → click on IP Restrictions.
- The merchant will want to take the IP address and/or range used to access their account and enter this into the text box under the “IP or Host to Allow” column.
- For those who are not sure of what their current public IP Address is, they will notice that it will be shown on the page next to “Your current IP address”. If they click on the “Add to allowlist” button, it will populate their current IP Address into the box under “IP or Host to Allow”.
- There are two checkboxes shown next to each “IP or Host to Allow” entry to configure which component (Control Panel or API) the merchant wishes to restrict access to. They can check one or both:
- Control Panel - the merchants portal. Setting restrictions to this will disallow logging in from a computer IP that is not added to the allowlist.
- API - Website/Application Access. Configuring any “API” restrictions will disallow transactions sent from a system whose IP Address has not been explicitly allowlisted. All systems that interact with the API should be configured to be allowed access.
Note: Setting IP restrictions on API access can impact transaction processing.
- Once the merchant enters the IP address and checks off which component to add it to, they will need to click on the '+' sign under the "Add" column to add the IP or Host to the allowlist.
- Based on the settings selected, the IP address/range configured will be populated under the “Allowlisted for Control Panel”, “Allowlisted for API”, or both.
- Once all the appropriate IPs/Hosts have been added, click the ‘ON’ button next to “IP/Host Restrictions are” to toggle the service on.
After IP Restrictions have been enabled, any attempt to log in or send transactions from a server or IP that has not been added to the allowlist will produce an 'Authentication Failed' message, regardless of the accuracy of the credentials.
My merchant accidentally added the wrong IP Address, how can I assist them?
If the merchant adding the incorrect IP Address to their IP Restrictions allowlist, they will not be able to access their Merchant Portal. You can disable the rule for the merchant through your Partner Portal.
- Log in to your Partner Portal and head over to List Accounts → search for their account → click on their name → under Merchant Users, click on Log in → click on Settings → under "Security Options" → click on IP Restrictions.
- From here, you will be able to disable the rule that is preventing the merchant from logging in by clicking on the '-' sign under the Remove column.
Additional Notes
- Merchant IP Restrictions will bypass Device Recognition for merchant accounts. If the Merchant has IP Restrictions on, they will no longer need to present a one-time passcode that is emailed to them as a second factor of authentication as IP Restrictions is another strict method of preventing unwanted access to their account.
- A merchant can add as many IP addresses or IP ranges as they want.
- Restrictions are activated when at least one IP address has been added for the method of connection. For example, if four IP addresses are added for the Control Panel, but no IP addresses are added for the API, then Control Panel access will be limited but the API access will not.