API Security Update: Credential and Payment Data Handling
Overview
As part of our commitment to PCI DSS compliance and protecting your customers' sensitive data, we are implementing stricter security controls on our Legacy and JSON API endpoints.
⚠️ Enforcement Date: March 31, 2026 - After this date, non-compliant API requests will be blocked.
If your integration passes authentication credentials or payment data in URL query strings, you must update your implementation before the enforcement date.
What is Changing
We are enforcing a security control that blocks API requests containing sensitive data in URL query strings. This is a PCI DSS requirement to protect cardholder data.
Why This Matters
Passing sensitive data in URLs creates security risks:
URL logging - Web servers, proxies, and browsers may log full URLs
Referrer headers - URLs can leak to third-party sites via HTTP Referer headers
PCI DSS compliance - PCI DSS prohibits transmitting cardholder data in URLs
What Will Be Blocked
Authentication credentials in query strings - username and password parameters in the URL
Sensitive payment data in query strings - credit card numbers in the URL (e.g., the new_order and authorize_payment methods)
Error Response
Blocked requests will receive:
HTTP 400 Bad Request
errorFound=1&responseCode=700&declineReason=Insecure request blocked
Affected APIs and Parameters
Authentication (All Endpoints)
The following authentication method is no longer accepted:
https://[your-instance].sticky.io/admin/transact.php?username=myuser&password=mypass&...
Blocked Parameters by API
API | Method | Blocked Parameters |
membership.php | | |
membership.php | | |
membership.php | | |
membership.php | | |
membership.php | | |
transact.php | | |
transact.php | | |
v2 API | | |
How to Update Your Integration
Step 1: Update Authentication Method
Option A: HTTP Basic Authentication (Recommended)
Using curl:
curl -X POST "https://[your-instance].sticky.io/admin/transact.php" \
  -u "your_username:your_password" \
  -d "method=NewOrder" \
  -d "campaignId=123" \
  -d "creditCardNumber=4111111111111111"
Note that credentials typed on the command line are visible in shell history and in process listings. For anything beyond a quick test, keep them in a curl config file (--config) or a .netrc file (--netrc) rather than in the command itself.
Using PHP:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://[your-instance].sticky.io/admin/transact.php");
// Credentials travel in the Authorization header (HTTP Basic), never in the URL
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "your_username:your_password");
// Card data and all other request fields go in the POST body
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'method' => 'NewOrder',
    'campaignId' => '123',
    'creditCardNumber' => '4111111111111111',
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
if ($response === false) {
    // Transport-level failure (DNS, TLS, timeout): there is no response body to parse
    $error = curl_error($ch);
}
curl_close($ch);
// A 400 status with responseCode=700 in $response means the request was blocked as insecure
Option B: Credentials in POST Body
curl -X POST "https://[your-instance].sticky.io/admin/transact.php" \
  -d "username=your_username" \
  -d "password=your_password" \
  -d "method=NewOrder" \
  -d "creditCardNumber=4111111111111111"
Step 2: Move Sensitive Data to POST Body
❌ Before (BLOCKED):
POST https://[your-instance].sticky.io/admin/transact.php?method=NewOrder&creditCardNumber=4111111111111111
✅ After (CORRECT):
curl -X POST "https://[your-instance].sticky.io/admin/transact.php" \
  -u "your_username:your_password" \
  -d "method=NewOrder" \
  -d "creditCardNumber=4111111111111111" \
  -d "expirationDate=1225" \
  -d "CVV=123"
Step 3: Test Your Integration
Update your development/staging environment first
Verify all API calls use POST body or Basic Auth for sensitive data
Test error handling for the new HTTP 400 response
Deploy to production before the enforcement date
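The three steps above, carried through as one added example in Python (illustrative code written for this page, not a sticky.io SDK or sample): credentials go into an HTTP Basic Authorization header, every request field including the card data goes into a form-encoded POST body, the endpoint is refused if it carries any query string, and the documented errorFound=1&responseCode=700 body is recognised so the caller stops and alerts instead of retrying. The hostname example-instance.sticky.io is a placeholder, the card number is the same test number used above, the block response is constructed from the Error Response section, and nothing is sent over the network.

```python
import base64
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder instance hostname; replace with your own sticky.io instance.
ENDPOINT = "https://example-instance.sticky.io/admin/transact.php"


def basic_auth_header(username, password):
    """HTTP Basic credential as carried in the Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(endpoint, username, password, fields):
    """Build a POST whose credentials live in the Authorization header and whose
    fields (method, card data, ...) live in the form-encoded body.

    The endpoint must carry no query string at all: the blocking rule keys on
    the query string, and every field belongs in the body anyway.
    """
    if urlsplit(endpoint).query:
        raise ValueError("endpoint URL must not carry a query string")
    body = urlencode(fields).encode("utf-8")
    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_response(body):
    """Legacy API responses are form-encoded (errorFound=1&responseCode=700&...)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_insecure_request_block(status, body):
    """True when the platform rejected the call for sensitive data in the query string.
    Such a call must not be retried as-is; the integration itself needs fixing."""
    fields = parse_response(body)
    return status == 400 and fields.get("responseCode") == "700"


if __name__ == "__main__":
    req = build_request(ENDPOINT, "your_username", "your_password", {
        "method": "NewOrder",
        "campaignId": "123",
        "creditCardNumber": "4111111111111111",  # Visa test number
        "expirationDate": "1225",
        "CVV": "123",
    })
    print(req.get_method(), req.full_url)  # URL has no query string
    print(req.get_header("Authorization"))
    print(req.data.decode())

    # Constructed sample of the documented block response; no network call is made.
    blocked_body = "errorFound=1&responseCode=700&declineReason=Insecure request blocked"
    if is_insecure_request_block(400, blocked_body):
        reason = parse_response(blocked_body)["declineReason"]
        print(f"Blocked, do not retry: {reason}")
```

The query-string check in build_request is deliberately strict: after the enforcement date the only safe place for any field is the body, so a request builder that never emits a query string cannot regress into the blocked pattern.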
Migration Checklist
Use this checklist to ensure your integration is compliant:
Credentials - NOT in URL query strings
Authentication - Using HTTP Basic Auth OR credentials in POST body
Card numbers - Sent in POST body only
Member passwords - Sent in POST body only
Error handling - Updated to catch HTTP 400 / responseCode=700
Testing - Completed in staging environment
Deployment - Scheduled before enforcement date
Frequently Asked Questions
General
Why is this change necessary?
PCI DSS (Payment Card Industry Data Security Standard) requires that cardholder data and authentication credentials not be transmitted in URLs. This change ensures our platform and your integration remain compliant.
Will this affect my existing transactions?
No. This change only affects how API requests are made. Existing transaction data and customer records are not impacted.
What if I don't update my integration?
After the enforcement date, API requests with sensitive data in the query string will be rejected with HTTP 400 and responseCode=700.
⚠️ Your transactions will fail until your integration is updated. This means no orders will process until the fix is in place.
Technical
How do I know if my integration is affected?
Check your API integration code for:
username or password parameters in the URL
creditCardNumber, cc_number, or card_number in the URL
Any sensitive data appended to the endpoint URL
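One way to run that check, as an added example rather than anything from sticky.io: the Python below scans request URLs, either URLs your code builds or the request lines of an access-style log written by your HTTP client or outbound proxy, for the parameter names listed above, and also for any query value that is 13 to 19 digits and passes the Luhn check, so a card number sent under some other name still shows up. Findings are reported with the offending values redacted so the audit does not copy card numbers into yet another log. The log lines embedded below are constructed for the example; SENSITIVE_PARAMS, find_exposures, redact_url and audit_log are names chosen here.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names this notice says will be blocked when they appear in a query string.
SENSITIVE_PARAMS = {"username", "password", "creditcardnumber", "cc_number", "card_number"}

# A query value of 13-19 digits that passes Luhn is treated as a card number whatever
# its parameter name, so a renamed field does not slip past the audit.
PAN_RE = re.compile(r"^\d{13,19}$")

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Constructed sample log: three offending requests and one clean one.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "POST /admin/transact.php?method=NewOrder&creditCardNumber=4111111111111111 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /admin/membership.php?username=myuser&password=mypass HTTP/1.1" 200 120
10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "POST /admin/transact.php?pan=5555555555554444 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2026:10:00:03 +0000] "POST /admin/transact.php HTTP/1.1" 200 512
"""


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits (as used by card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_exposures(url):
    """Return (param, reason) for each query parameter carrying sensitive data."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append((name, "blocked parameter name"))
        elif PAN_RE.match(value) and luhn_ok(value):
            hits.append((name, "value looks like a card number"))
    return hits


def redact_url(url):
    """Rewrite the URL with flagged values replaced, keeping parameter names so the
    report is actionable without reproducing credentials or card numbers."""
    parts = urlsplit(url)
    flagged = {name for name, _ in find_exposures(url)}
    pairs = [(n, "REDACTED" if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit_log(text):
    """Scan access-log lines; return one finding per request that has exposures."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = find_exposures(m["target"])
        if hits:
            findings.append({
                "line": line_no,
                "method": m["method"],
                "target": redact_url(m["target"]),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['target']}")
        for name, reason in f["hits"]:
            print(f"    {name}: {reason}")
```

Run it over a day of outbound request logs before the enforcement date; any finding is a call that will start failing with HTTP 400 / responseCode=700 once the control is enforced.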
Can I use both Basic Auth and POST body credentials?
We recommend using HTTP Basic Auth for authentication. If you include credentials in both places, Basic Auth takes precedence.
Will HTTPS protect data in the URL?
HTTPS encrypts the URL and the body in transit, but the URL is still written to server and proxy access logs, stored in browser history, and sent to other sites in the Referer header, all outside the TLS session. A POST body is not recorded by any of those by default, which is why sensitive data belongs there.
What about GET requests?
GET requests should not be used for operations that include sensitive data. Use POST for all transactions and operations involving cardholder data.
Support
Who do I contact if I have questions?
Contact our support team for technical assistance with updating your integration.
What if I need more time to update my integration?
Contact support as early as possible if you anticipate delays. We will work with you to ensure a smooth transition.
Additional Resources
sticky.io API (v1) Documentation - JSON API reference
sticky.io API (v2) Documentation - RESTful API reference
API Help Articles - Tutorials and examples
PCI DSS v4.0 Resources - Official PCI Security Standards Council
