ravelinjs is served to your customers’ browsers, and if you are using client-side encryption it operates on your customers’ card details. It is therefore our joint responsibility to ensure that this library is protected from tampering or abuse at every stage, from our build to your customer’s browser.
Our recommendation for securely serving ravelinjs is to include the file in your site’s build/bundle process, so that its contents are hosted locally on your own server alongside the rest of your site content, and ideally version controlled alongside your site’s code. Serving the file from your own origin means its contents change only when you deliberately upgrade it, and every change is visible in your source history.
Here is our recommendation for securely integrating ravelinjs into your site:
When Ravelin generates your public RSA key, we do so with the understanding that:
Ensuring the above steps are taken helps protect the integrity of this key and the data it encrypts. Ravelin can rotate your RSA key pair at your request, at the end of a cryptoperiod of 3 years, or if we determine that any of the above steps have not been followed. Key rotations are performed by Ravelin, but require a client-side update to replace the old public key with the new one.
As part of our yearly PCI compliance audit, we audit the contents of the ravelinjs library to ensure the code contained within is secure and that the cryptographic implementations are correct. We have open-sourced the library so the code is visible to all interested parties. If you wish to see any of our PCI compliance certificates or have specific questions regarding the security of ravelinjs, please contact us at