
PAYMENT GATEWAY

[THK] F.4.6 Production Security Checklist

The following checklist summarizes the minimum security controls that must be verified before moving an integration to production.

Communication Security

  • ⚠️ All API communication uses HTTPS (TLS 1.2 or higher)
  • ⚠️ Certificate validation is enforced and not bypassed
  • ⚠️ All requests are properly authenticated (Bearer / signature-based)
  • ⚠️ Message integrity validation (HMAC/signature) is implemented and enforced
  • ⚠️ All responses are validated before processing
  • ⚠️ Webhook payloads are decrypted before use
  • ⚠️ Webhook messages are validated for authenticity and integrity
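The webhook items above (message integrity via HMAC/signature, validating authenticity before use) translate into a small amount of code that is easy to get subtly wrong: comparing signatures with `==`, parsing the JSON before verifying it, or accepting a validly signed but replayed event. The following is an added example, not code from the gateway's own SDK or documentation. The signing scheme (HMAC-SHA256 over `<timestamp>.<raw body>`), the header names and the sample event are assumptions constructed for illustration; the gateway's real scheme replaces them. Verification runs over the exact bytes received; where the gateway also encrypts the payload, decryption belongs after this check and depends on the gateway's scheme, so it is not shown.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret for this example only. In production the shared
# secret is loaded from a vault at runtime, never embedded in source.
WEBHOOK_SECRET = b"example-shared-secret-do-not-use"

# Replay window: events whose timestamp differs from local time by more than
# this are rejected even when the signature is valid.
MAX_SKEW_SECONDS = 300

# Header names are assumed for the example; the gateway documents its own.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"


class WebhookRejected(Exception):
    """Raised when a webhook fails any authenticity or integrity check."""


def sign_webhook(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (assumed scheme, used here to
    build the sample event; a real gateway's signing input may differ)."""
    message = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[int] = None) -> dict:
    """Authenticate and integrity-check a webhook, then parse it.

    The signature covers the exact bytes received, so this must run on the raw
    body before any JSON parsing or re-serialisation.
    """
    now = int(time.time()) if now is None else now
    ts_value = headers.get(TS_HEADER)
    sig_value = headers.get(SIG_HEADER)
    if ts_value is None or sig_value is None:
        raise WebhookRejected("missing signature headers")
    try:
        timestamp = int(ts_value)
    except ValueError:
        raise WebhookRejected("malformed timestamp")
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        raise WebhookRejected("timestamp outside replay window")

    expected = sign_webhook(secret, timestamp, raw_body)
    # compare_digest runs in constant time; a plain '==' on hex strings leaks
    # how many leading characters matched through timing.
    if not hmac.compare_digest(expected, sig_value.strip().lower()):
        raise WebhookRejected("signature mismatch")

    # Only a verified body is parsed, and its structure is still validated.
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        raise WebhookRejected("body is not valid JSON")
    if not isinstance(payload, dict):
        raise WebhookRejected("payload is not a JSON object")
    for field in ("event_id", "transaction_id", "status"):
        if not isinstance(payload.get(field), str) or not payload[field]:
            raise WebhookRejected(f"payload missing required field: {field}")
    return payload


def check_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                  now: Optional[int] = None) -> Tuple[bool, str, Optional[dict]]:
    """Non-raising wrapper returning (accepted, reason, payload or None).
    The reason string is safe to log; the raw body of a rejected webhook is not."""
    try:
        return True, "ok", verify_webhook(secret, headers, raw_body, now)
    except WebhookRejected as exc:
        return False, str(exc), None


if __name__ == "__main__":
    # Constructed sample event and a tampered copy of it.
    ts = 1_700_000_000
    body = b'{"event_id":"evt_1","transaction_id":"txn_1","status":"captured"}'
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign_webhook(WEBHOOK_SECRET, ts, body)}
    print(check_webhook(WEBHOOK_SECRET, headers, body, now=ts + 5)[:2])
    tampered = body.replace(b'"captured"', b'"refunded"')
    print(check_webhook(WEBHOOK_SECRET, headers, tampered, now=ts + 5)[:2])
```

The order of checks matters: the cheap header and timestamp checks run first, the MAC is verified over the untouched bytes, and only then is the body parsed and its fields checked. Anything that fails is rejected with a reason that does not echo the payload, which keeps sensitive data out of the logs as the next section requires.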

Data Protection and Exposure

  • ⚠️ Sensitive payment data is not stored in Merchant systems
  • ⚠️ Sensitive data is not logged or exposed in monitoring systems
  • Hosted payment flows are used where applicable to minimize data exposure
  • Tokenization is used for recurring and subsequent transactions
  • ⚠️ Tokens are stored securely and treated as sensitive identifiers
  • Logs and debugging tools do not expose confidential information

Trust Boundaries and Input Validation

  • ⚠️ All external inputs are treated as untrusted until validated
  • ⚠️ API responses are validated before being processed
  • ⚠️ Webhook notifications are decrypted, validated, and correlated with a transaction the Merchant initiated
  • ⚠️ Client-side inputs (e.g., return URLs and redirect parameters) are not used as authoritative sources of a transaction's outcome
  • ⚠️ Transaction state is never updated based solely on external input
  • ⚠️ All inputs are validated for structure, consistency, and authenticity

Transaction Integrity Controls

  • ⚠️ All operations are idempotent and protected against duplication
  • ⚠️ Duplicate requests and events are detected and safely handled
  • ⚠️ Retry logic is implemented and state-aware
  • ⚠️ Transaction status is verified before retrying operations
  • Operations are applied in a consistent and valid order
  • Out-of-order and delayed events are handled correctly
  • ⚠️ Transaction state transitions are validated against the expected lifecycle
  • All operations are correlated and traceable
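The Trust Boundaries items (state never updated solely on external input; events correlated to a known transaction) and the Transaction Integrity items above (duplicate detection, out-of-order and delayed events, lifecycle validation, traceability) are all enforced at the same place: where an incoming status event is applied to the merchant's own record. The following is an added example, not code from the gateway or its SDK. The lifecycle table, field names and sample events are assumptions constructed for illustration; a real gateway publishes its own state model, which replaces the table. The event is assumed to have already passed authenticity and integrity checks.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Expected lifecycle, constructed for this example: each state maps to the set
# of states it may legitimately move to next.
ALLOWED_TRANSITIONS: Dict[str, Set[str]] = {
    "created":    {"authorized", "failed"},
    "authorized": {"captured", "voided", "failed"},
    "captured":   {"refunded"},
    "voided":     set(),
    "refunded":   set(),
    "failed":     set(),
}


@dataclass
class Transaction:
    transaction_id: str
    amount_minor: int      # amount in minor units, as the merchant recorded it
    currency: str
    state: str = "created"
    history: List[tuple] = field(default_factory=list)   # (event_id, from, to)


@dataclass
class Ledger:
    transactions: Dict[str, Transaction] = field(default_factory=dict)
    seen_event_ids: Set[str] = field(default_factory=set)
    # Events that arrived before their predecessor, parked until the state catches up.
    deferred: Dict[str, List[dict]] = field(default_factory=dict)

    def register(self, transaction_id: str, amount_minor: int, currency: str) -> None:
        """Record a transaction the merchant itself initiated."""
        self.transactions[transaction_id] = Transaction(transaction_id, amount_minor, currency)

    def state_of(self, transaction_id: str) -> str:
        return self.transactions[transaction_id].state

    def apply_event(self, event: dict) -> str:
        """Apply an already-authenticated status event. Returns 'applied',
        'duplicate', 'deferred' or 'rejected:<reason>'; never raises on bad input."""
        event_id, txn_id, new_state = (event.get(k) for k in ("event_id", "transaction_id", "status"))
        if not all(isinstance(v, str) and v for v in (event_id, txn_id, new_state)):
            return "rejected:malformed"
        # 1. Duplicate delivery: gateways retry, so each event_id is applied once.
        if event_id in self.seen_event_ids:
            return "duplicate"
        # 2. Correlation: the event must refer to a transaction we created.
        txn = self.transactions.get(txn_id)
        if txn is None:
            return "rejected:unknown_transaction"
        # 3. Consistency: the event must agree with our own record; an external
        #    message never overrides the amount or currency we stored.
        if event.get("amount_minor") != txn.amount_minor or event.get("currency") != txn.currency:
            return "rejected:amount_mismatch"
        # 4. Lifecycle: the transition must be allowed from the current state.
        if new_state not in ALLOWED_TRANSITIONS:
            return "rejected:unknown_state"
        if new_state in ALLOWED_TRANSITIONS[txn.state]:
            self.seen_event_ids.add(event_id)
            self._commit(txn, event)
            self._replay_deferred(txn)
            return "applied"
        # Not allowed now but reachable later (e.g. 'captured' delivered before
        # 'authorized'): park it rather than applying or discarding it.
        if self._reachable(txn.state, new_state):
            self.seen_event_ids.add(event_id)
            self.deferred.setdefault(txn_id, []).append(event)
            return "deferred"
        return f"rejected:invalid_transition:{txn.state}->{new_state}"

    def _commit(self, txn: Transaction, event: dict) -> None:
        txn.history.append((event["event_id"], txn.state, event["status"]))
        txn.state = event["status"]

    def _replay_deferred(self, txn: Transaction) -> None:
        """Apply parked events whose transition has become valid, repeating
        until no further progress is possible."""
        pending = self.deferred.pop(txn.transaction_id, [])
        progressed = True
        while pending and progressed:
            progressed = False
            for ev in list(pending):
                if ev["status"] in ALLOWED_TRANSITIONS[txn.state]:
                    self._commit(txn, ev)
                    pending.remove(ev)
                    progressed = True
        if pending:
            self.deferred[txn.transaction_id] = pending

    @staticmethod
    def _reachable(start: str, target: str) -> bool:
        """Breadth-first search over the lifecycle graph, excluding 'start' itself."""
        queue, visited = deque(ALLOWED_TRANSITIONS[start]), set()
        while queue:
            state = queue.popleft()
            if state == target:
                return True
            if state not in visited:
                visited.add(state)
                queue.extend(ALLOWED_TRANSITIONS[state])
        return False
```

Three behaviours are worth noting. A redelivered event is recognised by `event_id` and returns `duplicate` without touching state, which is what makes processing idempotent. An event that the lifecycle does not yet allow but could allow later is deferred and replayed once its predecessor arrives, so a `captured` notification that overtakes `authorized` ends in the correct state instead of being dropped or applied early. Every applied event is appended to `history` with its `event_id`, which gives the trace the last item in the list asks for.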

Operational Security Controls

  • ⚠️ Access to systems is restricted based on least privilege
  • ⚠️ Administrative access is limited, monitored, and auditable
  • ⚠️ Credentials and secrets are stored securely (e.g., vaults)
  • ⚠️ Secrets are not exposed in code, configuration, or logs
  • Credentials are rotated periodically and upon compromise
  • ⚠️ Environments (Development / Testing / Production) are strictly segregated
  • ⚠️ Production data is not used in non-production environments
  • Configuration changes are controlled, reviewed, and tested
  • Operational activity is monitored, logged, and traceable
  • Security events are detected and handled in a timely manner

Final Verification

  • ⚠️ All security controls are consistently enforced across all environments
  • ⚠️ No business logic is executed on unvalidated or untrusted data
  • All transaction flows have been tested under failure and retry scenarios
  • Monitoring and alerting are active, operational, and verified
  • ⚠️ All credentials and configuration are production-ready and secured
