How to Block Specific Ip Addresses From Processing Transactions Through Your Easy Pay

Network configuration

Recommendations for configuring your network.

When you make a point-of-sale transaction, your POS app, terminal, and Adyen need to be able to communicate with one another. The flow of this communication depends on whether your integration uses local or cloud communications. To enable this communication, you need to configure your network to allow access to specific ports and addresses.

Network communications flow

When you make a transaction, your integration uses one of the following communications flows:

Local communications.
Cloud communications.

Local communications

Cloud communications

Communications security

In accordance with PCI-DSS requirements, we use Transport Layer Security (TLS) 1.2 for secure data transmission over the internet.

TLS 1.0 and 1.1 deprecation

In September 2022, with terminal software version 1.81, we will deprecate TLS 1.0 and 1.1. This means that if you are still using TLS 1.0 or 1.1 for local communications, terminals on automatic update will stop processing transactions as soon as they update to v1.81.

If you are using cloud communications, nothing changes because our cloud endpoints don't accept TLS versions below 1.2.

Terminals that do not update automatically to v1.81 will still be able to process transactions using TLS protocols lower than 1.2. However, TLS 1.0 and 1.1 will be completely deprecated by February 2023, so make sure to update as soon as possible.

Check your current TLS library version and cipher suite

If you are using the latest version of your operating system, you are probably already using TLS 1.2 or 1.3 protocols. If you are not sure, check the TLS library version and cipher suites of your operating system:

Windows: to list the supported cipher suites, open the PowerShell terminal and use the command Get-TlsCipherSuite . For TLS versions supported on your Windows OS, refer to TLS protocol version support.
OS X / iOS: for supported TLS protocol versions and cipher suites, refer to Apple Platform Security documentation.
Linux / Unix: to list the cipher suites with the supported TLS protocol version, open a shell terminal and use the command openssl ciphers -v | column -t.

You can use websites like ciphersuite.info to learn more about ciphers suites. For example, you can filter the list of cipher suites by TLS Version.

Supported ciphers

When you upgrade to TLS protocol version 1.2, make sure you use one of the following ciphers:

TLS 1.2 AES256-GCM-SHA384
TLS 1.2 AES256-SHA256
TLS 1.2 AES128-GCM-SHA256
TLS 1.2 AES128-SHA256

Configuring your network

To configure your network for point of sale communications:

If you need to allowlist IP addresses, add Adyen's domains to your firewall's allowlist.
Configure your firewall to allow outgoing HTTPS traffic from the IP addresses of your POS apps and terminals to:
- *.adyen.com
- *.adyenpayments.com
Allowlisting should be based on the DNS name of these URLs. Your firewall should dynamically check for IP address updates, at least every 60 seconds.

Do not hard-code Adyen's IP addresses, as these can change over time. We do not share a list of our IP addresses publicly.
Open the ports:
- tcp/443 to the internet.
- tcp/8443 on your LAN.
If your integration uses local communications:
- Ensure that your terminal and POS app are connected to the same local network.
- Protect the communications between your POS app and the terminal.
If you are using a legacy setup where the cash register and the terminal communicate over a serial connection, use hardware flow control.

Configuring the terminal IP address

To send payments for online authorisation, the terminal must have a valid IP address. There are several ways to assign an IP address to a terminal:

Dynamic IP: your DHCP server issues an IP address to the terminal on the fly.
DHCP reservation: on the DHCP server, you bind an IP address to the terminal's MAC address. The DHCP server then assigns the exact same IP address to the terminal each time. This is an alternative to using static IP addresses, especially if you're dealing with a large number of terminals.
Static IP: you enter the IP address and other network configuration details manually on the terminal.

It's not possible to configure an IP address from the Customer Area.

You can't use a mix of dynamic and static IPs. The IP address of the terminal and the IP addresses of the DNS server and router must be either all dynamic, or all static.

By default, DHCP is enabled on the payment terminal. With this setting, your DHCP server issues an IP address to the terminal, either dynamically or through DHCP reservation (if you've set that up). If you are using a V400m with a Bluetooth base station, the base station too has DHCP enabled and receives an IP address from your DHCP server.

Recommendations

If it is possible to set the DHCP lease time on the DHCP server, set this to 24 hours or more. The lease time is the time that the terminal keeps an IP address before the DHCP server renews the terminal's lease on the IP address.
In an integration with cloud communications, you should use dynamic IP addresses without DHCP reservation.
In an integration with local communications, you should either use DHCP reservation, or manually configure static IP addresses.

Defining a static IP address

If you have an integration with local communications and can't use a DHCP server with DHCP reservation, you need to disable DHCP and define a static IP address for the terminal.

On the connected terminal, open the Admin menu.

Select Network and then, depending on your connection type:

Connection type	Select
Wired	Ethernet.
Wireless	Wi-Fi > select your Wi-Fi network > IP Settings.
Bluetooth	Bluetooth > select the external device > IP Settings.

In IP Settings, turn off the DHCP toggle switch.
Enter your network details. To type a period (.), press 1 twice. Specify the following:
- IP address of the terminal - this must be unique in the network
- Subnet mask of the network
- IP address of the router
- IP addresses of the preferred DNS server and the alternate DNS server
Select the check mark (or Apply in some cases) to confirm.

Assigning a static IP address to the base station

If you are using a V400m with a Bluetooth base station, the most common scenario is to use a static IP address for the terminal and a dynamic IP address for the base station. If you want to use a static IP address for the base station, proceed as follows:

On a laptop that is connected to the local network or VLAN, in your browser, go to https://[IP address of your base station].
You are redirected to the Verifone portal.
Log in with your username and password for the base station.
Go to Configuration > Ethernet.
In the Connection Type drop-down menu, select Static.
Enter the IPv4 Address, the Subnet Mask, the Gateway, the DNS 1, and the DNS 2.
The Connection Speed should remain on Auto. The static IP address must be unique in the network and, if you have more than one base station, unique for each base station.
Select Save.

General networking recommendations

To prevent network issues from interfering with your point of sale transactions, we recommend that you:

Use a segmented network, dedicated to point of sale communications.
Make a DNS server accessible from your local network. This should be able to resolve *.adyen.com and *.adyenpayments.com.
If you use a caching name-server, the Time to live (TTL) set by Adyen must be honored (60 seconds for Disaster Recovery).
Follow our guidelines for IP address configuration.
If you use intrusion detection (IDS) and prevention systems (IPS), ensure they are using up-to-date firmware and signatures. If these are out of date, the encrypted communications used by your integration may be disrupted.
Connect the whole POS system, including the terminals, to an uninterrupted power supply (UPS).
Use a cellular backup connection by:
- Having an automatic cellular failover on your main router.
- Using terminals that have a built-in cellular connection, such as a portable or mobile terminal.
If the network connection is fine but you are noticing issues with terminals and payments that seem to point to network connection problems, see Dropped network packets when the internet connection is available.

Wi-Fi recommendations

To connect your payment terminals over Wi-Fi, your access point needs to support:

WPA/WPA2-Enterprise encryption, or WPA/WPA2-Personal encryption.
2.4Ghz or 5Ghz frequencies.

In addition, we recommend that you:

Configure a remote Wi-Fi profile from your Customer Area, under Point of sale > Terminal settings > Connectivity.
To use Enterprise encryption, using a remote Wi-Fi profile is mandatory.
Use a dedicated private wireless network.
If your integration uses local communications, disable the Wireless Isolation, AP Isolation, Client Isolation, or other similar features on your access point.

Note that when the terminal indicates it is connected to your Wi-Fi network, this doesn't necessarily mean that it is connected to the internet. There can be issues with the connection from your Wi-Fi network to the internet.

Handling loss of internet connectivity

When a transaction is declined because of a network connection issue, the error condition you receive for the transaction is UnreachableHost.

There are several ways you can continue making transactions when your primary internet connection is unavailable. These are:

Use a cellular failover connection. When your primary internet connection fails, transactions are processed using the cellular connection of either a 3G/4G payment terminal or a cellular router.
Enable offline transactions. This will allow you to continue processing transactions when your store has no internet connection.

Offline payments are only available for integrations that use local communications.

You are fully liable for the risk of failed captures, chargebacks, and disputes related to offline payments.

Using a proxy

Adyen-supplied payment terminals do not support proxy connections. If your network uses a proxy, allow your terminals to bypass the proxy and connect directly to the Adyen payments platform.