POS network requirements
The Adyen Point Of Sale (POS) solution is available in a number of shapes and forms, among which an iOS framework, an Android library and a Windows DLL.
This document is aimed at situations where a payment terminal, called a Pin Entry Device (PED), is connected to a merchant's network via either a fixed Ethernet connection or a Wi-Fi connection, and where the POS is connected to the same network.
It describes the networking requirements for such a setup, covers solutions to common issues you may face while configuring it, and provides recommendations and guidelines to avoid or mitigate them.
This document targets merchants who want to integrate and benefit from Adyen's point of sale payment solution.
It is aimed at merchant integrators who need to set up a PED solution, and connect it to the merchant's network.
We are committed to improving it continuously to make it accessible and easy to understand.
We appreciate your comments, and we'd love to hear your voice: drop us a line and share your thoughts with us!
Adyen POS Support Team
POS functional requirements
Basic functional requirements
There are three basic functional requirements:
- The PED should be able to exchange data with the Adyen payment system.
- The POS should be able to exchange data with the Adyen payment system.
- The PED and the POS should be able to exchange data.
The merchant's local network should support the above listed requirements for the Adyen POS solution to perform tasks. This implies that your network settings, and especially your firewall rules, should be configured accordingly.
The main use cases that need to be implemented in order to integrate with the Adyen POS system are: register application, register payment terminal, and perform a sale transaction.
Allow outgoing HTTPS traffic
The merchant's local network that the PED and POS are connected to should allow communication with the Adyen systems.
To ensure this, the merchant's firewall must be configured to allow outgoing HTTPS traffic from the IP addresses of the PEDs and POSs to the following domains:
Access to the Adyen payment solution ports
The Adyen POS solution by PED and POS uses the following ports:
These ports, on the defined IP addresses, should be accessible to the merchant local network.
No host isolation
Some routers have features such as Wireless isolation, AP Isolation, Station Isolation, Client Isolation, or similar. Companies that operate wireless networks with public access often use these features.
These features confine and restrict clients connected to the Wi-Fi network:
- They can’t interact with the devices connected to the more secure wired network.
- They can’t communicate with each other.
- They can only access the Internet.
Since the PED and the POS need to be able to communicate with each other, these features should be disabled.
Adyen recommends implementing POS solutions on a dedicated wireless network, especially one that is not mixed with public access, to enhance security and to guarantee performance.
Supported Wireless Access Points
Currently Adyen supports 2.4 GHz (802.11bn) networks.
At this moment 5.8 GHz (802.11an) networks are not supported, except for the Verifone VX 690.
Ensure that you have a working DNS server accessible from the local network.
The DNS server should in all cases be able to resolve both *.adyen.com and *.adyenpayments.com. Adyen uses a TTL of 60 seconds on its authoritative nameservers for DR purposes. Therefore, it is important that, if a caching nameserver is used, the TTL set by Adyen is honored.
WPA and WPA2 encrypted networks
Currently WPA2 encrypted networks are supported. WPA encrypted networks are supported on Verifone Wi-Fi PEDs from version v1.11 onwards.
This implies that WEP encrypted networks are not supported.
Recommendations and best practices
Adyen strongly recommends using a dedicated network for payment transactions and related functions.
For example, payment terminals should not be connected to a public or guest network; instead a private, secured network should be used.
No hidden SSIDs
For security reasons, merchants should not make use of hidden SSIDs.
(Adyen’s Verifone PEDs v1.11 and higher do support hidden SSIDs to meet the requests of merchants who have not yet updated their network settings.)
IP address types
You can use both static and dynamic IP addresses. However, Adyen recommends using dynamic IP addresses on the local network.
One should make sure that no devices on the local network have the same IP address, otherwise unpredictable results will occur.
A DHCP server should be used when defining static IP addresses. Static IP addresses will then be administered centrally in the network instead of defined on each device individually.
This removes the chance of two devices on the same network being assigned the same IP address.
If you can connect and authenticate but applications stall, time out, or fail to load, your MTU (Maximum Transmission Unit) may be incorrect.
We recommend lowering your MTU size until functionality is obtained. This applies especially in a setup involving VPNs.
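Rather than lowering the MTU by trial and error, the largest size that crosses the path unfragmented can be found with a binary search over Don't Fragment probes. The following is an added example, not Adyen code: it assumes an IPv4 path and the Linux iputils `ping` flags, and the `simulated_path` helper and the host name `vpn-gateway.example` are constructed for illustration.

```python
import subprocess

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one ICMP echo with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def simulated_path(limit):
    """Constructed stand-in for a path whose smallest link MTU is `limit`."""
    return lambda host, payload: payload + IPV4_ICMP_OVERHEAD <= limit


def path_mtu(host, probe=ping_df, low=576, high=1500):
    """Binary-search the largest MTU in [low, high] that passes with DF set.

    Returns None when even `low` fails: that points at reachability or
    ICMP filtering, not at an MTU that merely needs lowering.
    """
    if not probe(host, low - IPV4_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always narrows
        if probe(host, mid - IPV4_ICMP_OVERHEAD):
            low = mid       # mid fits: the answer is mid or larger
        else:
            high = mid - 1  # mid is too big: the answer is smaller
    return low


if __name__ == "__main__":
    # Offline demo against a simulated VPN path with 100 bytes of overhead.
    print(path_mtu("vpn-gateway.example", probe=simulated_path(1400)))
```

Called without `probe`, `path_mtu` sends real probes; a `None` result on a path that carries other traffic usually means ICMP is filtered, so the measurement has to be made another way.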
IDS / IPS
An IDS or IPS has the potential to disrupt encrypted traffic, such as SSL, and can therefore affect the Adyen POS traffic.
If problems are encountered, such as heightened offline rates or other strange behavior, ensure the firmware and signatures of the devices are up to date.
To diagnose observed interference, temporarily disable this functionality.
3G router failover and UPS
If network availability is crucial and merchants are located in areas where network reliability and/or power grid reliability is an issue, the following two options can be considered:
- Many routers have an option for an automatic 3G failover. This means that whenever the network drops, connectivity is restored by using the 3G network as a failover option.
- When the power grid is not reliable enough, one may consider the use of uninterruptible power supplies (UPS).
WiFi with multiple access points
For mobile terminals that are used in a location where multiple Wi-Fi Access Points are installed and the terminal is supposed to be dynamically serviced by these multiple access points, Adyen recommends the following:
Configure the access points with the SSID of your network.
- Access the admin menu by pressing Enter + 9.
- Select Network config.
- Select WiFi:
- To ensure quick handoff between the various WiFi Access Points, enable roaming on the terminals. Tap roaming and select Yes.
- Tap band and select the required bandwidth.
If the terminal supports multiple bands (for example, the Verifone VX690 supports the 2.4 GHz and 5 GHz bands), select a fixed band for it.
Adyen recommends selecting one of the available WiFi bands to prevent switching between bands.
- Select WiFi:
To test that the terminal performs a correct handoff when switching between access points, switch to the WiFi tab on the terminal and walk around with the terminal.
Check the signal strength and the MAC address listed on the screen. The signal strength varies with the distance to the nearest access point. The MAC address identifies the access point, so a change in it indicates that a switch has occurred.
Some apps available on tablets show signal strengths of WiFi access points in the vicinity. These apps might be useful as well to verify WiFi coverage in the area where the terminals are used.
Before using POS systems and connected PEDs to process transactions on the Adyen platform, the PEDs should be authenticated and authorised (at least once) with the Adyen platform. The POS system should be able to communicate with the Adyen PSP (https:443 - Internet).
Authentication and authorisation of the POS is done by entering the Adyen provided credentials, after which the POS is authorised. The POS can then authenticate and authorise any PEDs that are connected to it.
Additional calls during transactions might happen between the Payment terminal (PED) and the Cash register (POS). They are communicated in the same way as in the steps StartTransaction (1) and TransactionResult(8) through https:8443 (LAN).
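The flows this page requires (PED and POS to the Adyen platform over HTTPS on 443, PED and POS to each other over HTTPS on 8443 on the LAN) and the recommendation to keep terminals off public networks can be checked against a firewall policy before rollout. The following is an added example, not Adyen code: it uses a simplified first-match rule model, and every address, subnet and rule in it is constructed, with `203.0.113.10` standing in for an Adyen endpoint.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the page).
PED, POS = "10.20.0.11", "10.20.0.21"   # dedicated payment network
GUEST = "192.168.50.77"                 # client on a public/guest Wi-Fi
ADYEN = "203.0.113.10"                  # placeholder for an Adyen endpoint

# First-match policy: (action, source net, destination net, TCP port or None = any).
GOOD_RULES = [
    ("allow", "10.20.0.0/24", "10.20.0.0/24", 8443),  # PED <-> POS on the LAN
    ("deny", "10.20.0.0/24", "10.0.0.0/8", None),     # no other internal access
    ("allow", "10.20.0.0/24", "0.0.0.0/0", 443),      # outgoing HTTPS
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),         # default deny
]
BAD_RULES = [
    ("deny", "10.20.0.0/24", "10.20.0.0/24", None),      # client isolation left on
    ("allow", "192.168.50.0/24", "10.20.0.0/24", None),  # guests reach terminals
    ("allow", "0.0.0.0/0", "0.0.0.0/0", 443),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

REQUIRED = [("PED -> Adyen 443", PED, ADYEN, 443), ("POS -> Adyen 443", POS, ADYEN, 443),
            ("POS -> PED 8443", POS, PED, 8443), ("PED -> POS 8443", PED, POS, 8443)]
FORBIDDEN = [("guest -> PED 8443", GUEST, PED, 8443),
             ("guest -> POS 8443", GUEST, POS, 8443)]


def decide(rules, src, dst, port):
    """Return the action of the first rule matching a TCP flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"


def audit(rules):
    """List required flows that are blocked and forbidden flows that are allowed."""
    findings = [f"blocked: {n}" for n, s, d, p in REQUIRED if decide(rules, s, d, p) != "allow"]
    findings += [f"exposed: {n}" for n, s, d, p in FORBIDDEN if decide(rules, s, d, p) == "allow"]
    return findings


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(rules) or "ok")
```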