checkout page development, the developer has to consider the data security aspects so that the implementation will pass PCI DSS code audits. We have listed a few checklist points that can be helpful during the implementation and review process.
Checklist for Payment Gateway (PG) integration
- Always use the HTTPS (secure) protocol for:
  - all payment gateway pages;
  - every internal/external API call.
- The merchant must be configured on the payment gateway end to accept Bharat QR.
- Restrict or minimize the use of external scripts/CSS on payment pages; if this is unavoidable, load them from a local repository by making a local scanned/reviewed copy.
- Test page alignment and compatibility on all delivery channels like mobile, tab, laptop,
- Avoid client-side redirects; all redirects and dynamic decision making should be done on the server
- Do not accept the amount from the front end when the amount is fixed and must be paid in full. Recalculate the amount on the server side before redirecting to the PG.
- On the server side, always perform a real-time transaction status validation check before completing the transaction, to avoid a false success. Real-time transaction status validation can be performed using the status API provided by payment gateway providers.
- All back-end APIs should be guarded by a JWT token or a similar mechanism.
- Generate a unique transaction reference number to uniquely identify each transaction.
- Always maintain an audit of the requests and responses exchanged between the user and the checkout page, the back-end API and the payment gateway provider's APIs, and the requests and responses received from the payment gateway.
- Never log sensitive user information in log files or in the database; if there is a need to store any sensitive information, it should be encrypted using a strong encryption mechanism.
- Decide on page state logic such as page expiry, session timeout, refresh support etc.
- Take help from security experts to perform web application penetration testing (WAPT) to ensure application security against vulnerabilities.
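The following is an added example, not code from the original page or from V2Stech, showing how several of the server-side points in the checklist fit together: the payable amount is recalculated from a server-side catalogue and the amount posted by the browser is ignored, a unique transaction reference is generated per transaction, the order is marked paid only after a real-time status check with the payment gateway, and every exchange is written to an audit trail with sensitive fields masked. The catalogue, the `AUDIT_LOG` list, the `fake_status_api` stand-in and all function names are assumptions for illustration; a real integration would call the provider's status API over HTTPS.

```python
"""Constructed example of server-side checkout controls (not V2Stech code).

CATALOGUE, AUDIT_LOG, build_pg_request, complete_transaction and fake_status_api
are hypothetical names; a real integration calls the provider's status API.
"""
import json
import logging
import uuid
from decimal import Decimal, InvalidOperation
from typing import Callable

log = logging.getLogger("checkout")

# Constructed catalogue: the server, not the browser, knows the prices.
CATALOGUE = {"SKU-100": Decimal("499.00"), "SKU-200": Decimal("1250.50")}

# Field names that must never reach log files or the audit table in clear text.
SENSITIVE_KEYS = {"card_number", "cvv", "expiry", "vpa", "otp", "password"}

# In-memory audit trail of every request/response exchanged (redacted copies).
AUDIT_LOG: list[dict] = []


def redact(payload: dict) -> dict:
    """Mask sensitive fields before a request or response is audited."""
    return {k: ("***" if k.lower() in SENSITIVE_KEYS else v) for k, v in payload.items()}


def audit(event: str, payload: dict) -> None:
    """Append a redacted copy of an exchange to the audit trail and the app log."""
    entry = {"event": event, "payload": redact(payload)}
    AUDIT_LOG.append(entry)
    log.info("%s", json.dumps(entry, default=str))


def new_txn_ref() -> str:
    """Unique reference that identifies this transaction end to end."""
    return "TXN-" + uuid.uuid4().hex.upper()


def server_amount(cart: list[dict]) -> Decimal:
    """Recalculate the payable amount from the server-side catalogue."""
    total = Decimal("0")
    for line in cart:
        qty = int(line["qty"])
        if qty <= 0:
            raise ValueError("quantity must be positive")
        total += CATALOGUE[line["sku"]] * qty      # unknown SKU raises KeyError
    return total.quantize(Decimal("0.01"))


def build_pg_request(cart: list[dict], client_amount: str) -> dict:
    """Build the PG redirect payload; the amount posted by the browser is not trusted."""
    amount = server_amount(cart)
    try:
        client = Decimal(client_amount)
    except InvalidOperation:
        client = None
    if client != amount:
        # Tampering or a stale page: record it, but redirect with the server's figure.
        audit("amount_mismatch", {"client_amount": client_amount, "server_amount": str(amount)})
    request = {"txn_ref": new_txn_ref(), "amount": str(amount), "currency": "INR"}
    audit("pg_redirect", request)
    return request


def complete_transaction(expected: dict, callback: dict,
                         status_api: Callable[[str], dict]) -> str:
    """Decide the order outcome only after a real-time status check with the PG.

    `expected` is the payload built by build_pg_request and kept server side;
    `callback` is whatever came back through the browser and is never trusted alone.
    """
    audit("pg_callback", callback)
    status = status_api(expected["txn_ref"])        # real-time status API call
    audit("pg_status", status)
    if status.get("txn_ref") != expected["txn_ref"]:
        return "REJECTED"                           # response is for another transaction
    if status.get("status") != "SUCCESS":
        return "FAILED"                             # browser said success, gateway did not
    try:
        confirmed = Decimal(str(status.get("amount", "")))
    except InvalidOperation:
        return "REJECTED"
    if confirmed != Decimal(expected["amount"]):
        return "REJECTED"                           # partial or altered amount
    return "PAID"


def fake_status_api(responses: dict) -> Callable[[str], dict]:
    """Constructed stand-in for the provider's status API, keyed by txn_ref."""
    return lambda txn_ref: responses.get(txn_ref, {"txn_ref": txn_ref, "status": "UNKNOWN"})
```

The order outcome depends on the gateway's status response, not on the callback, so a forged or replayed "success" redirect cannot complete an order, and a mismatch between the server-calculated and client-posted amount is recorded in the audit trail rather than silently accepted.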
I have worked with V2Stech for a number of years and 2 companies. The relationship started by
V2Stech building a proof of concept in a limited time to test their abilities. They passed with
flying colours. I have been working with them ever since.
At my current organisation they have become my trusted IT partner, performing all of the
functions that a normal IT company would do, including IT support, server set-up, server
maintenance and of course software development and support. We have a very close working
relationship based on trust, delivery performance and mutual understanding.
Like with any offshore company, success and real benefit comes as a result of building a
working relationship and process. This process is well managed by a seasoned team in Mumbai
who have worked in the UK and understand the cultures and drivers in the UK. They understand
the need to get it right first time and are disappointed if they don’t. They will work hard,
long hours to help your business become successful and are always on hand to provide
With me they have developed complex Java solutions, high quality web based UI and mobile
applications on iOS and Android. They have taken on projects as well as support and
development resourcing. The team has flexed up and down over the years and we work to ensure
that we have the right resources when we need them.
If you want to get started with an offshore company to drive through the benefits of a flexible,
talented and cost-effective resource pool, then I would recommend V2Stech. With them you
will reap the benefits quicker and you will find them a pleasure to work with.