Offline Data Hosting in the EU

About File Transfer (Offline Data Hosting)

The account information of banks is provisioned to SurePay via encrypted files (*.PGP) through SFTP (Secure File Transfer Protocol), which are pushed periodically to a location provided by SurePay. This offline data hosting method ensures secure transmission of sensitive data. The files should be uploaded encrypted and will be stored encrypted in the system, ensuring data protection at all times. When an account that was previously provisioned to SurePay is missing in a subsequent file, it will be deleted from the SurePay database. A request containing the corresponding IBAN will generate the response 'IBAN inactive,' indicating the account's removal from the system.

Document History

VersionDateDescription
1.015 Jan 2025Original Digital Version. Aligned with PDF V1.1
1.110 Feb 2025Added 'Environments' section, updated 'Delivery Format' section, added 'Checklist' section

How does it work?

The SurePay data hosting system processes the uploaded data files once they are placed in the appropriate location. The system then merges the information into its dataset, allowing for efficient retrieval and access to account information.

It's important to note that this interface supports deliveries of full datasets only. Incremental updates are not supported, meaning that the entire dataset needs to be provided in each delivery. This ensures consistency and eliminates the need for partial updates. SurePay will only store the bank's files until the processing is completed. Once the files have been processed, they will be deleted from the system. Throughout the entire process, encryption measures, both at rest and in transit, are applied to maintain data security. This ensures that the files remain encrypted during storage and are only decrypted as part of the data processing phase, providing end-to-end protection.

Environments

SurePay operates in two environments:

  • Acceptance or Pre Production environment for testing purposes (ACC)
  • Production environment (PRD)

Initially, the connection is established to the acceptance environment. This serves as a mid-stage process to guarantee that the data provided by the customer and the quality of the responses are processed as expected. It allows for thorough testing and validation of the integration before proceeding to the production environment.

During the testing phase, SurePay will provide the PSP with an endpoint and a username specific to the acceptance environment. The PSP should use the designated private SSH key associated with the acceptance environment for the SFTP connection.

Connection

  • The files are uploaded to SurePay using the Secure File Transfer Protocol (SFTP), ensuring a secure data transmission process.
  • The communication between the PSP and SurePay is protected by the SSH protocol, which provides a secure channel.
  • For authentication, a 4096-bit private key is used. It is essential that the PSP generates a compatible key pair that can be used with an AWS SFTP Server.
  • The PSP then shares the public key with SurePay to enable a secure connection.

Delivery format

To start with the delivery format it is relevant to understand the structure of the folder and files expected from both sides when the connection has been established.

Folder structure

For data hosting, each PSP will have their own dedicated folder on SurePay's SFTP (Secure File Transfer Protocol) server. The main accounts file should also be loaded directly into the PSP’s home directory.

  • The PSP must configure /AccountFiles as the destination directory of the SFTP connection.
  • Note: Creating any new directories under the home directory by the PSP is not possible. All files will be placed directly within the home directory.

File delivery frequency and timing

Files should be delivered at least daily to SurePay. The frequency of the file delivery is currently set to one, up to a maximum of two files a day depending on the size. If the PSP would like to extend this frequency further, please contact your Implementation Manager.

File delivery for multiple countries

All data hosted by SurePay is strictly segregated per PSP and per country. A PSP with activities in multiple countries, will have to establish a separate SFTP connection and send a separate data file for each country they operate in.

PGP key-pair for signing

PGP (Pretty Good Privacy) signing involves using the private key of the PGP key pair created by the PSP to generate a digital signature for a file or a message. This signature provides a way to verify the authenticity and integrity of the data. The PSP will sign the file using the private key. The public key will be shared with SurePay for verification after receiving the file.

PGP key-pair for file encryption

A PGP key-pair generated by SurePay is used for data encryption during the offline data provisioning process between the PSP and SurePay. The use of PGP key-pair encryption provides an added layer of security, ensuring that sensitive account information remains protected during transmission and storage. The PSP will encrypt the file using the public key shared with them by SurePay. Once the file is received by SurePay, they will decrypt the file using the private key.

Checklist

The PSP will share the following with SurePay:

  • Public SSH key
    Length: 4096 bit
    Protocol: openSSH
  • Public PGP key for signing
    Length: 4096 bit
    Protocol: openPGP
    2 year expiration date
  • Email address for notification emails

SurePay will share the following with the PSP:

  • SFTP username
  • SFTP connection underlying
  • Public PGP key for encryption
    Length: 4096 bit
    Protocol: openPGP
    2 year expiration date

We always look to improve the implementation experience of our customers, so if you have any questions or feedback on the documentation or the process, please let us know at info@SurePay.nl.

Previous
Next