Best Practices

Security Best Practices

Ensure secure integration and data handling with PayOS

Overview

Security is a critical aspect of any payment processing solution. PayOS enforces strict security protocols to ensure that merchant and customer data is protected throughout the transaction lifecycle. This document provides security best practices to follow when integrating PayOS into your system.

API Key Management

  • Rotate API Keys Regularly:

    • Regularly rotate your API keys to minimise the risk of compromised credentials.
    • Use the PayOS dashboard to generate and deactivate API keys as needed.

  • Restrict API Key Permissions:

    • Limit each API key to only the permissions necessary for its intended use.
    • Avoid using a single API key across multiple environments or services.

  • Keep Keys Confidential:

    • Store API keys securely and avoid hardcoding them into source code.
    • Use environment variables or secure vault services to manage keys.

PCI Compliance

  • Understand PCI-DSS Requirements:

    • Merchants handling card data directly must comply with PCI DSS.
    • If using direct API integrations and capturing card details, ensure your system is PCI-certified.

  • Use Tokenization:

    • Tokenize sensitive data such as card details to minimize PCI scope.
    • PayOS provides built-in tokenization to replace raw card data with secure tokens.

Data Encryption

  • Encryption in Transit and at Rest:

    • Ensure all communication with PayOS uses HTTPS to protect data in transit.
    • PayOS encrypts sensitive data at rest to prevent unauthorized access.

  • Secure Storage Practices:

    • Do not store sensitive payment information locally unless absolutely necessary.
    • Use the tokens provided by PayOS for subsequent transactions instead of storing card details.

Authentication and Access Control

  • Enforce Multi-Factor Authentication (MFA):

    • Use MFA for your PayOS dashboard accounts to add an additional layer of security.

  • Role-Based Access Control (RBAC):

    • Limit access to sensitive data and features based on user roles.
    • Review and update access permissions periodically to avoid unnecessary access.

Example: Securing API Calls with HTTPS

Ensure all API calls are made over HTTPS to prevent data leakage. Example of a secure API call:

$curl -X POST https://api.payos.money/api/v1/transactions -H 'Authorization: Bearer {API_KEY}' -H 'Content-Type: application/json' -d '{
>  "amount": 10000,
>  "currency": "USD",
>  "payment_method": "card",
>  "description": "Test Payment"
>}'

Monitoring and Alerts

  • Monitor for Suspicious Activity:

    • Use the PayOS dashboard to track unusual API activity or payment patterns.
    • Set up notifications for failed login attempts or rate limit breaches.

  • Webhook Security:

    • Validate webhook signatures to ensure the authenticity of webhook events.
    • Use TLS encryption for webhook endpoints to secure event data.

Handling Security Incidents

  • Incident Response Plan:

    • Prepare a plan for handling security incidents, including compromised keys or unauthorized access.
    • Revoke compromised API keys immediately via the dashboard.

  • Notify PayOS Support:

    • In case of a security breach affecting PayOS integration, contact support immediately for assistance.

Conclusion

Maintaining security in your PayOS integration requires a proactive approach. By following these best practices for API key management, encryption, PCI compliance, and monitoring, merchants can minimize risks and ensure the safety of customer data.