Choose Your Gateway Security Model
The Mastercard Gateway API supports two models of authentication: merchant certificates or passwords. Each model has its advantages and disadvantages, and depending on your integration you may need features that are only offered by one model. You must choose one authentication model, but your merchant privileges may restrict you to a particular one.
About password-based authentication
With password-based authentication, merchants present a password to uniquely authenticate themselves on the gateway. The password is generated by the system using industry-standard techniques to ensure optimum security. The password enables secure access to the gateway via the API or Batch, thereby establishing a secure channel for the merchant application to communicate with the gateway.
About certificate-based authentication
With certificate-based authentication, merchants present an SSL certificate to authenticate themselves. The SSL certificate is used to both identify the merchant and encrypt communications between the merchant application and the API through to the gateway. The HTTP Server and the API validate the SSL certificate using various resources. If the certificate is not successfully validated, the SSL connection is refused.
Rolling between password-based authentication & certificate-based authentication
Occasionally, your business may require you to roll from one authentication model to the other. Coordinating all of the activities involved in upgrading a merchant integration so that they occur at the same time as the authentication mode changes in the system is not feasible. Rolling helps you and your payment service provider to set up an interim configuration that supports both the old and the new authentication modes, and allows you to upgrade your integration at your convenience. This lets you change authentication modes without any loss of service or connection failure, and does not require all integrations to be changed concurrently.
For more information on how to roll between authentication modes, see API Configuration in the Merchant Manager User Guide.