For our API implementations our customers are using postbacks to proactively process the transaction status.
We never recommended nor supported to perform IP address whitelisting for security, but some customers might use this method.
From end of February we will move our postback services and introduce flexible IP's. So any customer that still has this IP whitelisting configured , this is NOT POSSIBLE anymore from the end of February. Customers can use the checksum method.
Because we want to improve our security all the time we will introduce a new possibility to validate if the postback messages are coming from our environment. We will make it possible to configure security authorization headers in Q1.
See the full message and explanation of the new feature here.