
During payment gateway checkout page development, developers have to consider data security aspects so that the implementation passes PCI DSS code audits. We have listed a few checklist points that can be helpful during implementation and review.

Checklist for Payment Gateway(PG) integration

  1. Always use the HTTPS (secure) protocol for
    • All payment gateway pages.
    • Every internal/external API call.
    • Loading static and dynamic assets such as CSS, JavaScript etc. (a single plain-HTTP asset is enough to trigger mixed-content warnings and expose the page to tampering).
  2. The merchant must be configured on the payment gateway end to accept Bharat QR based payments.
  3. Restrict or minimize the use of external scripts / CSS on payment pages. If they are unavoidable, serve them from a local repository by making a locally hosted copy that has been scanned/reviewed (and, if an asset must still come from a CDN, pin it with a Subresource Integrity hash so a modified copy is refused by the browser).
  4. Test page layout and compatibility on all delivery channels, such as mobile phones, tablets and laptops.
  5. Avoid client-side redirects; all redirects and dynamic decision making should be done on the server side.
  6. Protect pages from external threats; refer to the OWASP resources at https://www.owasp.org/index.php/Main_Page
  7. Do not accept the amount from the front end when the amount is fixed and must be paid in full. Recalculate the amount on the server side, from server-held prices, before redirecting to the PG.
  8. On the server side, always perform a real-time transaction status validation check before completing the transaction, to avoid a false success (for example, a tampered or replayed return URL that claims "success"). Real-time status validation can be performed using the status API provided by the payment gateway provider; confirm that the status, transaction reference and amount returned match what was sent.
  9. All backend APIs should be guarded by a JWT token or a similar authentication mechanism.
  10. Generate a unique transaction reference number to uniquely identify each transaction.
  11. Always maintain an audit trail of the requests and responses exchanged between the user and the checkout page, the backend APIs and the payment gateway provider's APIs, including the request sent to and the response received from the payment gateway.
  12. Never log user-sensitive information (such as full card numbers, CVV or passwords) in log files or the database. If any sensitive information must be stored, encrypt it using a strong encryption mechanism. Note that PCI DSS does not permit storing the CVV after authorisation at all, even in encrypted form.
  13. Decide on page state logic such as page expiry, session timeout and refresh/back-button handling.
  14. Engage security experts to perform web application penetration testing (WAPT) to ensure the application is secure against known vulnerabilities.
  15. Always use the latest versions of:
    • Software (technology stack)
    • Operating system (with patches applied, if any)
    • External scripts/libraries, if any
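The following is an added example, written for this article and not code from v2stech or any payment gateway provider, showing how items 7, 8, 10, 11 and 12 fit together on the server side. The catalogue, the in-memory transaction table, the audit log and the `StatusApi` class are constructed stand-ins for a real database and the provider's real status API; the field names (`status`, `amount`, `ref`) are assumptions, since every gateway uses its own.

```python
import uuid
from decimal import Decimal

# Constructed server-side price list: the server, not the browser, decides what is payable.
CATALOGUE = {"SKU-100": Decimal("499.00"), "SKU-200": Decimal("1250.50")}

# In-memory stand-ins for the transaction table and the audit log (a real app uses a database).
PENDING: dict[str, Decimal] = {}
AUDIT_LOG: list[dict] = []

# Item 12: fields that must never reach logs or the database unprotected.
NEVER_LOG = {"cvv", "password"}   # dropped outright; CVV may never be stored after authorisation
MASK_LOG = {"card_number"}        # PAN is reduced to first six / last four digits


def mask_pan(pan: str) -> str:
    """Reduce a card number to its first-six/last-four form before it is written anywhere."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        return "****"
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit(event: str, **fields) -> dict:
    """Items 11 and 12: record every exchange, but scrub sensitive fields before writing."""
    entry = {"event": event}
    for key, value in fields.items():
        if key in NEVER_LOG:
            continue
        entry[key] = mask_pan(value) if key in MASK_LOG else value
    AUDIT_LOG.append(entry)
    return entry


def server_amount(cart: dict[str, int]) -> Decimal:
    """Item 7: recompute the amount from server-side prices; any client-sent amount is ignored."""
    total = Decimal("0.00")
    for sku, qty in cart.items():
        if sku not in CATALOGUE or qty <= 0:
            raise ValueError(f"invalid cart line: {sku!r} x {qty}")
        total += CATALOGUE[sku] * qty
    return total


def new_transaction_ref() -> str:
    """Item 10: a unique, unguessable reference so each attempt can be tracked end to end."""
    return "TXN-" + uuid.uuid4().hex.upper()


def start_checkout(cart: dict[str, int], client_claimed_amount: str) -> tuple[str, Decimal]:
    """Prepare the PG redirect: amount comes from the server, reference is stored for later validation."""
    amount = server_amount(cart)
    ref = new_transaction_ref()
    PENDING[ref] = amount
    # The client's claimed amount is logged for investigation only; it never influences the charge.
    audit("pg_redirect", ref=ref, amount=str(amount), client_claimed=client_claimed_amount)
    return ref, amount


class StatusApi:
    """Hypothetical stand-in for the provider's real-time status API (constructed for this example)."""

    def __init__(self, records: dict[str, dict]):
        self.records = records

    def status(self, ref: str) -> dict:
        return self.records.get(ref, {"status": "NOT_FOUND"})


def complete_transaction(ref: str, browser_return: dict, api: StatusApi) -> str:
    """Item 8: the browser's return parameters are untrusted; confirm status and amount with the PG."""
    expected = PENDING.get(ref)
    if expected is None:
        audit("unknown_ref", ref=ref)
        return "rejected"
    result = api.status(ref)
    accepted = (result.get("status") == "SUCCESS"
                and Decimal(result.get("amount", "0")) == expected)
    audit("pg_status_check", ref=ref, browser_claim=browser_return.get("status"),
          pg_status=result.get("status"), accepted=accepted)
    if accepted:
        del PENDING[ref]   # one-time: a replayed return URL cannot mark the order paid twice
        return "success"
    return "failed"
```

The browser's "status=SUCCESS" is recorded but never acted on; only the provider's answer, checked against the reference and amount the server itself stored, can move an order to paid, and it can do so only once.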