Checklist for Payment Gateway (PG) integration
- Always use the HTTPS (secure) protocol for:
  - all payment gateway pages;
  - every internal/external API call;
  - loading static and dynamic assets such as CSS, JavaScript, etc.
- Merchant must be configured on the payment gateway end to accept Bharat QR based payments.
- Restrict or minimize the use of external scripts/CSS on payment pages; if unavoidable, make a locally scanned/reviewed copy and load it from your own repository.
- Test page alignment and compatibility on all delivery channels (mobile, tablet, laptop, etc.).
- Avoid client-side redirects; all redirects and dynamic decision making should be done on the server side.
- Protect pages from external threats; refer to https://www.owasp.org/index.php/Main_Page
- Do not accept the amount from the front end when the amount is fixed and must be paid in full. Recalculate the amount on the server side before redirecting to the PG.
- On the server side, always perform a real-time transaction status validation check before completing the transaction, to avoid a false success. Real-time status validation can be performed using the status API provided by the payment gateway provider.
- All back-end APIs should be guarded by a JWT token or a similar mechanism.
- Generate a unique transaction reference number for every transaction.
- Always maintain an audit trail of the requests and responses exchanged between the user and the checkout page, the back-end APIs and the payment gateway provider's APIs, including the request sent to and the response received from the payment gateway.
- Never log user-sensitive information in log files or in the database; if sensitive information must be stored, encrypt it using a strong encryption mechanism.
- Decide on page state logic such as page expiry, session timeout, refresh support, etc.
- Engage security experts to perform web application penetration testing (WAPT) to verify the application's security against vulnerabilities.
- Always use the latest version of:
  - software (technology stack);
  - operating system (including patches);
  - external scripts/libraries, if any.
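As an added example (not code from the original checklist) of the server-side items above: the payable amount is taken from the server-side order rather than the front end, each transaction gets a unique reference, the gateway's callback is confirmed through a status API before the order is marked paid, and every exchange is audited with sensitive fields masked. The order store, the field names and the injected `status_api` callable are constructed assumptions, since the page names no particular gateway.

```python
import secrets
from decimal import Decimal
from typing import Callable, Dict, List

# Constructed sample order store: the payable amount lives only on the server.
ORDERS: Dict[str, Decimal] = {"ORD-1001": Decimal("499.00")}

# Assumed names of fields that must never reach logs or the database in clear.
SENSITIVE_KEYS = {"card_number", "cvv", "expiry", "password"}


def new_txn_ref(order_id: str) -> str:
    """Unique transaction reference: order id plus a random suffix."""
    return f"{order_id}-{secrets.token_hex(8)}"


def amount_for_redirect(order_id: str, client_amount: str) -> Decimal:
    """The front-end value is ignored; the amount is recalculated server side."""
    return ORDERS[order_id]


def redact(record: Dict[str, str]) -> Dict[str, str]:
    """Audit every exchange, but mask sensitive fields before writing them."""
    return {k: ("***" if k in SENSITIVE_KEYS else v) for k, v in record.items()}


def finalize_payment(order_id: str, txn_ref: str, callback: Dict[str, str],
                     status_api: Callable[[str], Dict[str, str]],
                     audit: List[Dict[str, str]]) -> str:
    """Handle the browser's return from the PG. The callback is logged but not
    trusted: the order is marked PAID only if the gateway's status API (injected
    here, as the page names no provider) confirms SUCCESS for the same reference
    and for the server-side amount."""
    audit.append(redact({"txn_ref": txn_ref, "source": "callback", **callback}))
    verified = status_api(txn_ref)  # real-time status lookup at the gateway
    audit.append(redact({"txn_ref": txn_ref, "source": "status_api", **verified}))
    if (verified.get("status") == "SUCCESS"
            and verified.get("txn_ref") == txn_ref
            and Decimal(verified.get("amount", "0")) == ORDERS[order_id]):
        return "PAID"
    return "NOT_PAID"
```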