To improve the security of our clients and their end users, we have decided to actively disable the Direct payment method provided by the Ebizmarts Sagepay suite. The Ebizmarts Sagepay suite, in both its free and its commercial version, is a popular payment method for many Magento merchants. It offers 3 methods of accepting payments.
Form. This is the safest method of integration. The end user leaves the merchant's site and enters all payment details directly into Sagepay's website. All PCI responsibility is passed to the gateway.
Server. This is an 'iframe' which sits within your checkout page; again, payment information is entered directly into Sagepay while the form appears to be part of your website.
Direct. This is an API payment method whereby card details are collected on your own website and then sent to Sagepay.
It is against our terms and conditions to use API based payment methods.
Unless you specifically know otherwise, your PCI requirements will not cover your business for the use of API based payments.
Direct payments in particular have become a popular form of attack against websites. The attacker switches the configured payment method from Server or Form to Direct, so that card information is captured on the merchant's site when it is entered.
For this reason we have decided to actively disable all Direct integrations at the database layer, starting on 1st April 2018.
Ebizmarts have already disabled Direct integration in version 4.2.6 of the Sagepay suite.
It is quite straightforward to disable Direct payments and switch to Server or, ideally, Form.
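As an added example (not code from this notice or from Ebizmarts), the following Python compares a baseline snapshot of the payment rows in Magento's core_config_data table with the current rows and flags the switch described above: a Direct method becoming active or a Form/Server method being turned off. The config paths it uses are assumptions about how the suite names its methods, not values taken from the page.

```python
"""Detect a payment-method switch in Magento core_config_data rows.

Added example, not code from the original notice or from Ebizmarts.
Rows are (scope, scope_id, path, value) tuples as stored in
core_config_data. The config paths below are ASSUMPTIONS about how the
Ebizmarts suite names its methods; adjust them to your installation.
"""

# Assumed config paths (placeholders, not verified against the extension).
DIRECT_PATHS = {"payment/sagepaydirectpro/active"}
SAFE_PATHS = {"payment/sagepayform/active", "payment/sagepayserver/active"}


def _as_map(rows):
    """Index rows by (scope, scope_id, path) so scope overrides are kept apart."""
    return {(s, sid, p): str(v) for s, sid, p, v in rows}


def detect_payment_switch(baseline_rows, current_rows):
    """Return sorted findings comparing current rows with a trusted baseline."""
    base, cur = _as_map(baseline_rows), _as_map(current_rows)
    findings = []
    for key, value in cur.items():
        scope, scope_id, path = key
        where = f"{path} ({scope}:{scope_id})"
        old = base.get(key)
        if path in DIRECT_PATHS and value == "1" and old != "1":
            findings.append(f"ALERT direct method enabled: {where}")
        elif path in SAFE_PATHS and value == "0" and old == "1":
            findings.append(f"ALERT form/server method disabled: {where}")
        elif path.startswith("payment/") and old != value:
            findings.append(f"CHANGED {where}: {old!r} -> {value!r}")
    for scope, scope_id, path in base.keys() - cur.keys():
        if path.startswith("payment/"):
            findings.append(f"REMOVED {path} ({scope}:{scope_id})")
    return sorted(findings)


# Constructed sample: baseline has Form on and Direct off; current shows the switch.
BASELINE = [
    ("default", 0, "payment/sagepayform/active", "1"),
    ("default", 0, "payment/sagepayserver/active", "0"),
    ("default", 0, "payment/sagepaydirectpro/active", "0"),
]
CURRENT = [
    ("default", 0, "payment/sagepayform/active", "0"),
    ("default", 0, "payment/sagepayserver/active", "0"),
    ("default", 0, "payment/sagepaydirectpro/active", "1"),
]

if __name__ == "__main__":
    for line in detect_payment_switch(BASELINE, CURRENT):
        print(line)
```

Run it against a snapshot exported before go-live and a fresh export of the same rows; an empty result means the payment configuration is unchanged.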