Business Security Checklist

List of security measures and best practices to ensure secure transactions using Razorpay.

Information security is critical for businesses handling financial transactions online. Being a technology-first online finance company, we ensure that every transaction made using Razorpay products is secure.

The security of your business's online transactions and data is a shared responsibility between you and Razorpay. As a Razorpay user, ensure you use the security measures below to secure your online transactions.

Ensure that you implement the general security best practices listed below.

  • Implement across your team for additional security.
  • Use TLS and HTTPS, as they significantly decrease the risk of a man-in-the-middle attack on you or your customers.
  • Use a password manager and set strong passwords.
  • Maintain a checklist for timely onboarding and offboarding of users.
  • Do not share user accounts among employees.
  • Back up your data regularly, and test the restoration periodically.

It is essential to store your API keys safely. For the utmost security, follow the best practices listed below when integrating with Razorpay APIs.

While integrating Razorpay APIs with your application, ensure that:

  • The API key secret is not included in version control (GitHub, Gitlab).
  • You only provide access to the API secret to employees on a need-to-know basis.
  • You store all secrets, such as the API secret, customer ID, and card tokens in a secure vault.
  • All websites and APIs are accessed only using HTTPS, and they follow basic security best practices.

To secure your mobile application when integrating with Razorpay APIs, ensure that:

  • The is not included in the final Android or iOS build.
  • The final build is scanned for security defects using a mobile application security scanner, such as .

While integrating with our

, ensure that you:

  • Use the to assert the payment status.
  • Fetch the amounts of captured payments only from the backend or a trusted source.

While integrating with our

, ensure that:

  • from the Dashboard.
  • Signatures are validated in the callback request when using the Orders API to confirm payment status.
  • Order ids are retrieved only from a trusted source, such as your database for the HMAC generation.

To use our webhooks securely, ensure that:

  • All webhook requests are validated using Hash-based Message Authentication Code (HMAC).
  • are added to all the whitelisted webhook requests.

Implement the below best practices while using the Dashboard.

  • Grant access to the Dashboard only for necessary users.
  • Define for team members based on their usage of the Dashboard.
  • Implement on all your Razorpay accounts.
  • Never share Razorpay Two-Factor Authentication OTPs among employees.

Implement the below best practices while integrating with Razorpay using


  • Use the latest version of all plugins.
  • Vendors like WordPress, Drupal, and Magento send notifications on security issues and product updates. Ensure that you subscribe to these notifications.
  • Wherever applicable, follow the official .

Was this page helpful?