2. Security Features


The Offline Payment API service is restricted to authorized merchants and runs on a hardened platform to secure payment data transmission.

Below are the security measures the payment gateway (PG) uses to process Offline Payment API requests.

● Secure Sockets Layer (SSL) data transport

HTTPS is required for all messages exchanged between merchants and the payment gateway. This prevents sensitive data from being revealed to an unauthorized party during message exchange.

● Transport Layer Security (TLS)

TLS is a protocol that provides authentication, privacy, and data integrity between two communicating computer applications. It is used by web browsers and other applications that require data to be securely exchanged over a network. This API requires TLS 1.2 or above.

● IP Address Filtering

Merchants or partners are recommended to register their server’s static IP address and have it whitelisted at the payment gateway if heavy traffic is expected.

● Data Message Protection (Signature)

This is application-layer security that ensures data integrity. All data in the message exchange is hashed using a unique Secret Key, and the output is the Signature. The Secret Key is assigned to each merchant during account creation. The payment gateway validates this Signature to prevent any data tampering during the message exchange. It is also STRONGLY recommended that merchants perform the same validation on all response messages received from the payment gateway.
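
The merchant-side response check recommended above, as an added example that is not part of the gateway's own documentation or code. This section does not name the hash algorithm, the field order or the field names, so HMAC-SHA256, the sorted `name=value` canonical form, the `signature` field and the sample response are all assumptions to be replaced with the values from the gateway's message specification.

```python
import hashlib
import hmac

SIGNATURE_FIELD = "signature"  # assumed field name, not taken from the gateway spec


def canonical_string(fields: dict) -> bytes:
    """Assumed canonical form: every field except the signature itself,
    sorted by name and joined as name=value pairs with '&'."""
    pairs = sorted((k, str(v)) for k, v in fields.items() if k != SIGNATURE_FIELD)
    return "&".join(f"{k}={v}" for k, v in pairs).encode("utf-8")


def sign(fields: dict, secret_key: bytes) -> str:
    """Keyed hash of the message (HMAC-SHA256 is an assumption), hex encoded."""
    return hmac.new(secret_key, canonical_string(fields), hashlib.sha256).hexdigest()


def verify_response(fields: dict, secret_key: bytes) -> bool:
    """Return True only if the response carries a signature that matches
    the one recomputed locally from the received data."""
    received = fields.get(SIGNATURE_FIELD)
    if not isinstance(received, str) or not received:
        return False  # a missing or malformed signature is a failure, never a pass
    expected = sign(fields, secret_key)
    # Constant-time comparison so response timing does not leak how many
    # leading characters of a forged signature were correct.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


# Constructed sample data: not a real key, merchant or transaction.
SECRET = b"constructed-demo-secret"
response = {
    "merchant_id": "M0001",
    "order_id": "INV-1001",
    "amount": "150.00",
    "status": "SUCCESS",
}
response[SIGNATURE_FIELD] = sign(response, SECRET)

if __name__ == "__main__":
    print("genuine response accepted:", verify_response(response, SECRET))
    tampered = dict(response, amount="1.00")  # amount altered after signing
    print("tampered response accepted:", verify_response(tampered, SECRET))
```

Treat a failed check as an untrusted message: do not update the order status from it.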