Security Best Practices
Essential security guidelines for your integration
Critical Security Rules
- Never expose your API Secret in client-side code
- Never log full card numbers or CVV codes
- Always verify webhook signatures
- Always use HTTPS for all API communication
API Key Security
- Store API keys in environment variables, never in code
- Use different keys for sandbox and production
- Rotate keys regularly and after any suspected compromise
- Limit key permissions to only what is needed
Client Secret Handling
The payment-scoped client secret (returned when creating a payment intent) is designed to be safe to use in frontend code, unlike your API Secret, which must stay on the server. It is:
- Scoped to a single payment intent
- Time-limited and cannot be reused
- Unable to access other customer or payment data
Webhook Security
- Always verify the webhook signature over the raw request body before parsing or acting on it, and reject anything that fails with a 4xx
- Use a constant-time comparison (for example `hmac.compare_digest`) for signature verification, so a timing side channel cannot leak the expected value byte by byte
- Respond with a 2xx quickly (within 30 seconds): acknowledge first and queue slow work such as fulfilment or emails, so the delivery is not treated as a timeout
- Process webhook data idempotently, keyed on the event ID, so retries and duplicate deliveries do not apply the same event twice
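The four rules above, combined into one endpoint handler, as an added Python example written for this page (not the SDK's own code). The page does not specify the signature scheme, so this assumes a hypothetical one: a hex HMAC-SHA256 over `<timestamp>.<raw body>` carried in an `X-Signature` header, the timestamp in `X-Signature-Timestamp`, a five-minute replay tolerance, and a `payment.succeeded` event shape. The secret, event and header names are constructed for illustration; check your webhook settings for the real header names and algorithm.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing scheme assumed for this example; the page does not specify one.
# The provider is assumed to send:
#   X-Signature-Timestamp: unix seconds at which the event was signed
#   X-Signature:           hex HMAC-SHA256(secret, "<timestamp>.<raw body>")
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Signature-Timestamp"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (replay protection)


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the exact bytes received, hex-encoded."""
    message = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_signature(secret: str, headers: dict, raw_body: bytes, now: Optional[int] = None) -> bool:
    """Verify the signature over the raw body, never over re-serialised JSON."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    provided = headers.get(SIGNATURE_HEADER)
    if not timestamp or not provided:
        return False
    try:
        signed_at = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - signed_at) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: possible replay
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison: a plain == would leak the expected value byte by byte.
    return hmac.compare_digest(expected, provided)


class WebhookProcessor:
    """Verifies, deduplicates and applies webhook events."""

    def __init__(self, secret: str):
        self.secret = secret
        # In production this is a persistent store with a unique constraint on the
        # event ID, written in the same transaction as the side effect it guards.
        self.processed_ids = set()
        self.fulfilled = {}  # payment_id -> amount

    def handle(self, headers: dict, raw_body: bytes, now: Optional[int] = None):
        """Return the (HTTP status, message) the endpoint should answer with."""
        if not verify_signature(self.secret, headers, raw_body, now):
            return 400, "invalid signature"
        event = json.loads(raw_body)  # parse only after the signature checks out
        event_id = event["id"]
        if event_id in self.processed_ids:
            return 200, "duplicate ignored"  # already applied; ack so it is not redelivered
        if event["type"] == "payment.succeeded":
            payment = event["data"]
            self.fulfilled[payment["payment_id"]] = payment["amount"]
        self.processed_ids.add(event_id)
        # Slow work (emails, shipping) belongs on a queue here, not inline,
        # so the 2xx goes back well within the 30-second window.
        return 200, "ok"


# Constructed sample data for a stand-alone run.
SECRET = "whsec_example_only"
NOW = 1_700_000_000
EVENT = {"id": "evt_001", "type": "payment.succeeded",
         "data": {"payment_id": "pay_123", "amount": 4999}}
RAW_BODY = json.dumps(EVENT, separators=(",", ":")).encode()


def signed_headers(raw_body: bytes, ts: int = NOW, secret: str = SECRET) -> dict:
    """Build the headers the provider would send (stands in for the provider here)."""
    return {TIMESTAMP_HEADER: str(ts),
            SIGNATURE_HEADER: compute_signature(secret, str(ts), raw_body)}


if __name__ == "__main__":
    proc = WebhookProcessor(SECRET)
    print(proc.handle(signed_headers(RAW_BODY), RAW_BODY, now=NOW))
    print(proc.handle(signed_headers(RAW_BODY), RAW_BODY, now=NOW))
    tampered = RAW_BODY.replace(b"4999", b"1")
    print(proc.handle(signed_headers(RAW_BODY), tampered, now=NOW))
    print(proc.handle(signed_headers(RAW_BODY, ts=NOW - 3600), RAW_BODY, now=NOW))
```

Two details matter in practice: the signature is computed over the bytes exactly as received (re-serialising the JSON first changes whitespace and key order and breaks verification), and the duplicate check is keyed on the event ID rather than the payment ID, since a legitimate payment can emit several distinct events.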
Logging Guidelines
When logging payment data, follow these rules:
| Data Type | Can Log? | Notes |
|---|---|---|
| Payment ID | Yes | Safe to log for debugging |
| Amount | Yes | Safe to log |
| Last 4 digits of card | Yes | Safe for identification |
| Full card number | Never | PCI violation |
| CVV/CVC | Never | Must never be stored |
| API Secret | Never | Anyone who can read the log gains full API access |
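An added Python example (not the page's or the SDK's own code) showing two layers that enforce the table: an allow-list so only the "Yes" rows are ever serialised into a log record, and a `logging.Filter` that masks any Luhn-valid, card-number-shaped digit run that slips into free text, keeping only the last four digits. The payment field names (`id`, `amount`, `card_last4` and the rest) are hypothetical and the sample values are constructed.

```python
import logging
import re

# Assumed field names of a payment object (hypothetical; check your SDK's actual schema).
# Only fields the table marks "Can Log: Yes" are allowed through.
SAFE_FIELDS = frozenset({"id", "amount", "currency", "status", "card_last4"})


def safe_log_fields(payment: dict) -> dict:
    """Allow-list approach: unknown and sensitive fields are dropped, not masked."""
    return {k: v for k, v in payment.items() if k in SAFE_FIELDS}


# Second line of defence for free-text messages: 13-19 digits with optional space/dash separators.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates real PANs from other long numbers (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card-number-shaped runs with a form that keeps only the last 4."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw  # long number, but not a card number: leave it
    return _PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Attach to a handler or logger; scrubs the message and its args before emission."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pans(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: mask_pans(str(v)) for k, v in record.args.items()}
            else:
                record.args = tuple(mask_pans(str(a)) for a in record.args)
        return True


def redacted_message(msg: str, *args) -> str:
    """Run one message through the filter and return what would reach the log."""
    record = logging.LogRecord("payments", logging.INFO, __file__, 0, msg, args, None)
    PanRedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample payment; card_number and cvc must never reach a log.
    payment = {"id": "pay_123", "amount": 4999, "currency": "usd",
               "card_number": "4242424242424242", "cvc": "123", "card_last4": "4242"}
    logger = logging.getLogger("payments")
    logger.addFilter(PanRedactingFilter())
    logging.basicConfig(level=logging.INFO)
    logger.info("payment created: %s", safe_log_fields(payment))
    logger.info("raw gateway response mentioned 4242 4242 4242 4242")
```

The allow-list is the primary control because it cannot be bypassed by an unexpected field name; the regex filter only catches what leaks through free-text messages and exception strings, and the Luhn check keeps it from masking payment IDs and timestamps that happen to be long digit runs.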
PCI Compliance
Using our SDK significantly reduces your PCI compliance scope: card data is collected directly by our SDK and never touches your servers. That reduction only holds as long as your own code never collects, proxies or logs card data, for example through a custom card form that posts to your backend.