# Security Best Practices

Encryption, PCI-DSS compliance, PIN security, webhook verification, and IP whitelisting for M2P integrations.
| Layer | Standard | Details |
|---|---|---|
| In Transit | TLS 1.3 | All API calls over HTTPS |
| At Rest | AES-256 | All sensitive data encrypted in storage |
| PIN Management | HSM (Thales/Utimaco) | Hardware Security Module for PIN operations |
| Card Data | PCI-DSS Level 1 | Full PAN never exposed in logs or responses |
| JWT Tokens | RS256 | RSA-signed JSON Web Tokens |
| Requirement | Implementation |
|---|---|
| No PAN in logs | Card numbers masked in all system logs |
| Encrypted storage | All card data encrypted at rest |
| Tokenization | Full card details returned only via dedicated secure endpoint with OTP |
| Access control | Role-based access with audit trail |
| Network segmentation | Card processing in isolated network zone |
Never log or store full card numbers (PAN), CVV, or PIN data in your systems. Use the masked card number (XXXX1234) from API responses for display purposes.
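As an added example (not M2P's own code), a log redaction helper that applies the rules above before a record is written: it drops CVV/PIN fields and masks any Luhn-valid 13-19 digit PAN into the XXXX1234 form used in API responses. The field names in `SENSITIVE_KEYS` and the sample record are assumptions.

```javascript
const SENSITIVE_KEYS = new Set(['cvv', 'cvv2', 'pin', 'pinBlock']); // assumed names, never logged

// Luhn check so order numbers or timestamps are not mistaken for PANs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = Number(digits[i]);
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace 13-19 digit PANs (optionally space/dash separated) in free text
// with the XXXX1234 masked form; non-Luhn digit runs are left untouched.
function maskPansInText(text) {
  return text.replace(/\b(?:\d[ -]?){12,18}\d\b/g, (match) => {
    const digits = match.replace(/[ -]/g, '');
    return luhnValid(digits) ? 'XXXX' + digits.slice(-4) : match;
  });
}

// Walk a structured log record: drop CVV/PIN keys, mask PANs in strings.
function redactLogRecord(value) {
  if (typeof value === 'string') return maskPansInText(value);
  if (Array.isArray(value)) return value.map(redactLogRecord);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!SENSITIVE_KEYS.has(k)) out[k] = redactLogRecord(v);
    }
    return out;
  }
  return value;
}

// Constructed sample record that must never reach disk unredacted.
const sample = {
  requestId: 'req-001',
  cardNumber: '4111 1111 1111 1111',
  cvv: '123',
  message: 'Charge on card 4111111111111111 for order 20240101123456',
};
console.log(JSON.stringify(redactLogRecord(sample)));
```

Run the redaction in your logger's serializer so every log path (including error handlers) goes through it rather than relying on call sites to remember.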
| Operation | Security Measure |
|---|---|
| Set PIN | RSA-encrypted before transmission |
| Change PIN | Requires current PIN + OTP verification |
| Validate PIN | Read-only check, no PIN change |
| Failed Attempts | Account locked after max attempts (configurable, default: 3) |
| PIN Storage | HSM-managed, never stored in plaintext |
Verify webhook origin using signature validation:
| Method | Details |
|---|---|
| IP Whitelisting | Whitelist M2P webhook delivery IPs |
| Signature Verification | Validate X-M2P-Signature header using HMAC-SHA256 |
| HTTPS Only | Only HTTPS endpoints accepted |
| TLS 1.2+ | Minimum TLS version for webhook endpoints |
```javascript
const crypto = require('crypto');

// Verify the X-M2P-Signature header against the webhook payload.
// The HMAC must be computed over the exact bytes that were signed: if your
// framework gives you the raw request body, pass that string rather than
// re-serialising the parsed JSON object.
function verifyWebhookSignature(payload, signature, secret) {
  const body = typeof payload === 'string' ? payload : JSON.stringify(payload);
  const expected = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  const received = Buffer.from(String(signature || ''));
  const computed = Buffer.from(expected);
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (received.length !== computed.length) return false;
  return crypto.timingSafeEqual(received, computed);
}
```
| Check | Recommendation |
|---|---|
| Credential storage | Use environment variables or secret managers |
| Token caching | Cache JWT tokens, refresh before expiry |
| Credential rotation | Rotate API credentials every 90 days |
| IP whitelisting | Register production server IPs |
| Idempotency | Use X-Request-ID for duplicate detection |
| Rate limiting | Implement client-side rate limiting |
| Error handling | Never expose raw error details to end users |
| Audit logging | Log all API calls with request IDs |