How should my network be configured to work with Cayan's services


As a security measure, many merchants restrict outbound communications from their networks - whitelisting traffic to just a handful of sites, such as their payment processor.

Below are all the details a Network Administrator needs to configure their networks and firewalls to interoperate with Cayan's services.

Data / Transaction Flow Diagram

The below diagram, excerpted from our Genius PA-DSS Eligibility Assessment, illustrates a common workflow between the Genius credit card terminal ("PED"), Cayan's Gateway, and the ISV's Point of Sale.

[Figure: Genius Data Flow Diagram (Genius-Data-Flow-Diagram.png)]
  1. The user initiates a transaction, and the third-party software sends a payment request with the amount and other information (but no cardholder data) to the Cayan Gateway.
  2. The gateway responds with a transport key.
  3. The third-party software sends the transport key to the PED using HTTP.
  4. The PED uses the transport key to retrieve the purchase amount from the Cayan Gateway.
  5. Cardholder data is collected by the PED and encrypted.
  6. The PED sends the encrypted data to the Cayan Gateway protected with HTTPS.
  7. The transaction response (e.g., authorized, declined) and other information is sent to the PED.
  8. The transaction response and other information is passed back to the third-party software.


Hosts:

  • transport.merchantware.net
  • genius.merchantware.net
  • ps1.merchantware.net
  • s01.merchantware.net
  • logupload.merchantware.net

Production IP Addresses

  • Cayan's Boston Data Center: 144.121.15.128/26
  • Cayan's Chicago Data Center: 209.249.188.192/26

Ports

Public internet:

  • 443: HTTPS (SSL/TLS)
  • 7622: SFTP (via SSH)

Local area network:

  • 8080: POS (or Store & Forward) communication to a Genius terminal (HTTP)
  • 8443: POS communication to a Genius terminal (HTTPS)
  • 7500: default Store & Forward for all traffic represented by transport.merchantware.net
  • 7501: default Store & Forward for all traffic represented by ps1.merchantware.net
  • 7502: default Store & Forward for all traffic represented by genius.merchantware.net
  • 7503: default Store & Forward for Rest API that can be used to communicate with Store and Forward
  • 7504: default Store & Forward that services the Administration Website

Third Parties

Genius will reach out to our Certificate Authority (DigiCert) in order to perform certificate revocation checks, and otherwise validate certificates, to protect against "man in the middle" attacks. If you see traffic on your network to "*.digicert.com", that is what this is, and you may want to whitelist those domains.

Troubleshooting

As you lock down your network, you may run into issues that prevent your Point of Sale from communicating with Cayan's gateway, thus preventing your merchants from processing credit card transactions. We recommend that network engineers read this document, as well as Cayan's Service Availability Monitoring Best Practices guide, for guidance on testing that their networks can communicate with Cayan's.

We recommend that network engineers confirm that they can load the health check pages mentioned in the Service Availability Monitoring guide. Please confirm that your network can communicate with both of Cayan's data centers. Cayan recommends that you run sequential tests, statically configuring DNS (e.g. by modifying your hosts file) to point first at our Boston and then at our Chicago data center. Alter your DNS to force traffic to our Boston Data Center. Using a web browser running on your POS, confirm that you can load our health check pages. Then, modify your DNS to use our Chicago IP addresses, and re-confirm that you can load our health check pages.

If you encounter trouble connecting to Cayan's environment, please try repeating your test using some neutral third-party site (e.g. Google, Facebook, LinkedIn, ...). Once that is working, compare and contrast those settings with those you've implemented for Cayan's network.

We also suggest repeating any failed tests from an unrestricted network (e.g. connected to a 4G LTE network) to help determine whether the root cause is more likely to be your network configuration rather than Cayan's. If you can connect from an unrestricted network, please examine your restricted network's configuration to ensure that all of your NAT rules and ACLs are set up properly.

We also suggest using various common network troubleshooting tools & procedures to help diagnose any issues:

  • nslookup & ping - to ensure that you've resolved our FQDNs properly
  • traceroute - to ensure that your packets are making it to our data centers
  • telnet - to make a quick TCP connection to our IP addresses
  • Wireshark - to capture your Point of Sale's traffic, and ensure that all TCP & SSL/TLS handshakes are occurring as expected

Warning: statically configuring DNS is only acceptable in a test/lab environment. Cayan manages its availability using a DNS load balancing algorithm with a low TTL. Cayan requires its merchants and ISVs to use public DNS to resolve Cayan's FQDNs. Not doing so will void any SLAs that may be in place, and will likely lead to downtime outside of Cayan's control.
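The per-data-center test above can be scripted without editing the hosts file: connect to each published data center address directly and present the FQDN as the TLS server name, which exercises the same path as the browser test while leaving the system resolver alone. The script below is an added example, not Cayan's own tooling; the hosts, /26 blocks and addresses are the ones listed on this page, and the function and report names are assumptions. It also checks that whatever your resolver returns for each FQDN falls inside the published blocks, which is a cheap way to spot a stale hosts-file override or a DNS answer that was never pointed at Cayan.

```python
"""Check DNS answers and TLS reachability for Cayan's gateway hosts.

Added example (not Cayan's code). Host names, CIDR blocks and per-site
addresses are taken from the page; function names are assumptions.
"""
import ipaddress
import socket
import ssl

HTTPS_PORT = 443

# Public FQDNs the POS must reach (from the page).
HOSTS = ["transport.merchantware.net", "genius.merchantware.net", "ps1.merchantware.net"]

# Published production blocks, one per data center (from the page).
DATA_CENTERS = {
    "Boston": ipaddress.ip_network("144.121.15.128/26"),
    "Chicago": ipaddress.ip_network("209.249.188.192/26"),
}

# Per-site addresses from the page, so each data center can be tested
# directly instead of by rewriting the hosts file.
DC_ADDRESSES = {
    "Boston": {
        "ps1.merchantware.net": "144.121.15.146",
        "genius.merchantware.net": "144.121.15.153",
        "transport.merchantware.net": "144.121.15.154",
    },
    "Chicago": {
        "ps1.merchantware.net": "209.249.188.210",
        "genius.merchantware.net": "209.249.188.217",
        "transport.merchantware.net": "209.249.188.218",
    },
}


def which_data_center(ip):
    """Return the name of the published block containing ip, or None if
    the address is outside both /26 blocks (e.g. a stale override)."""
    addr = ipaddress.ip_address(ip)
    for name, net in DATA_CENTERS.items():
        if addr in net:
            return name
    return None


def check_dns(host, answers=None):
    """Resolve host via the system resolver (or use the supplied answers)
    and classify every A record against the published blocks.
    Returns a list of (ip, data_center_or_None) tuples."""
    if answers is None:
        infos = socket.getaddrinfo(host, HTTPS_PORT, socket.AF_INET, socket.SOCK_STREAM)
        answers = sorted({info[4][0] for info in infos})
    return [(ip, which_data_center(ip)) for ip in answers]


def tls_handshake(host, ip, port=HTTPS_PORT, timeout=5.0):
    """TCP connect to ip:port, then complete a TLS handshake with SNI=host,
    verifying the certificate chain and hostname against the system trust
    store. Returns (ok, detail); a firewall that drops 443 shows up as a
    timeout, a TLS-intercepting proxy as a certificate verification error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake ok, cert valid for {host}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def run_all():
    """Produce one report line per DNS answer and per data-center probe."""
    report = []
    for host in HOSTS:
        for ip, dc in check_dns(host):
            status = f"inside {dc} block" if dc else "OUTSIDE published blocks"
            report.append(f"DNS  {host} -> {ip}: {status}")
    for dc, addrs in DC_ADDRESSES.items():
        for host, ip in addrs.items():
            ok, detail = tls_handshake(host, ip)
            report.append(f"TLS  {dc} {host} ({ip}): {'OK' if ok else 'FAIL'} - {detail}")
    return report


if __name__ == "__main__":
    for line in run_all():
        print(line)
```

Run it from the POS host itself, once with the restricted network and once from an unrestricted one, and diff the two reports. Note that Python's default SSL context does not perform the OCSP/CRL revocation lookups the Genius terminal makes against DigiCert, so a passing handshake here does not prove that `*.digicert.com` is reachable; that still has to be checked separately.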

Chicago IPs

209.249.188.210 ps1.merchantware.net
209.249.188.217 genius.merchantware.net
209.249.188.218 transport.merchantware.net

Boston IPs

144.121.15.146 ps1.merchantware.net
144.121.15.153 genius.merchantware.net
144.121.15.154 transport.merchantware.net

Overseas Data Centers

Cayan's products are presently only available in the North American marketplace. As a security measure, we've restricted inbound traffic to IP addresses in the USA and Canada. If you attempt to access our services from outside these countries - or from known public VPNs - your traffic may be blocked. We understand many of our partners have overseas development and testing teams who will need access to Cayan's payment gateway. In these cases, we request that you reach out to your Sales Engineer or Business Development Manager to whitelist your IP addresses.