Security

Checklist

Business Security Checklist

List of security measures and best practices to ensure secure transactions using Razorpay.

Information security is critical for businesses handling financial transactions online. Being a technology-first online finance company, we ensure that every transaction made using Razorpay products is secure.

The security of your business's online transactions and data is a shared responsibility between you and Razorpay. As a Razorpay user, ensure you use the security measures below to secure your online transactions.

General

Ensure that you implement the general security best practices listed below.

  • Implement

    Two-Factor Authentication (2FA)

    across your team for additional security.
  • Use TLS and HTTPS, as they significantly decrease the risk of a man-in-the-middle attack on you or your customers.
  • Use a password manager and set strong passwords.
  • Maintain a checklist for timely onboarding and offboarding of users.
  • Do not share user accounts among employees.
  • Back up your data regularly, and test the restoration periodically.

APIs

It is essential to store your API keys safely. For the utmost security, follow the best practices listed below when integrating with Razorpay APIs.

Applications

While integrating Razorpay APIs with your application, ensure that:

  • The API key secret is not included in version control (GitHub, Gitlab).
  • You only provide access to the API secret to employees on a need-to-know basis.
  • You store all secrets, such as the API secret, customer ID, and card tokens in a secure vault.
  • All websites and APIs are accessed only using HTTPS, and they follow basic security best practices.

Mobile Application

To secure your mobile application when integrating with Razorpay APIs, ensure that:

  • The
    Razorpay API secret
    is not included in the final Android or iOS build.
  • The final build is scanned for security defects using a mobile application security scanner, such as

    MobSF

    .

Payments API

While integrating with our

Payments API

, ensure that you:

  • Use the

    Capture a Payment API

    to assert the payment status.
  • Fetch the amounts of captured payments only from the backend or a trusted source.

Orders API

While integrating with our

Orders API

, ensure that:

  • Payments are auto-captured

    from the Dashboard.
  • Signatures are validated in the callback request when using the Orders API to confirm payment status.
  • Order ids are retrieved only from a trusted source, such as your database for the HMAC generation.

Webhooks

To use our webhooks securely, ensure that:

  • All webhook requests are validated using Hash-based Message Authentication Code (HMAC).

  • Razorpay IPs

    are added to all the whitelisted webhook requests.

Razorpay Accounts and Dashboard

Implement the below best practices while using the Dashboard.

  • Grant access to the Dashboard only for necessary users.
  • Define

    user roles

    for team members based on their usage of the Dashboard.
  • Implement

    Two-Factor Authentication (2FA)

    on all your Razorpay accounts.
  • Never share Razorpay Two-Factor Authentication OTPs among employees.

Plugin Integration

Implement the below best practices while integrating with Razorpay using

third-party plugins

.

  • Use the latest version of all plugins.
  • Vendors like WordPress, Drupal, and Magento send notifications on security issues and product updates. Ensure that you subscribe to these notifications.
  • Wherever applicable, follow the official

    Hardening WordPress Guide

    .

Was this page helpful?

ON THIS PAGE