Integrating Application With Payment Gateway
How to securely integrate any payment gateway with your web or mobile application to receive payments
Why am I writing this?
I needed to design a system that included payments. I searched YouTube for videos on how to integrate a payment gateway with a website, and most of the videos at the top of the search results skip one or more of the steps needed to integrate it securely. So in this article, I will explain the steps to securely integrate any payment gateway with your application.
Understanding the transaction flow -
Step 1 -
In the very first step, the user initiates the payment by clicking the "Pay Now" button on the website's frontend.
Step 2 & 3 -
The request goes to the backend of the website, which commonly does two things.
- Sends a request to the payment gateway to create a new order.
- Creates a new order in the backend database and stores the order ID returned by the payment gateway alongside it (optional). This second step is helpful when the user retries payment for the same order, or when the order has to be refunded.
Step 4 & 5 -
Now send the data returned by the payment gateway to the frontend of the website, which uses it to build the form where the user enters payment details.
Step 6 -
The user enters the payment details and submits the form. The payment may succeed or fail.
Step 7 (Important) -
This is the crucial step in the entire payment flow. After the payment gateway processes the payment request, it calls an endpoint on your backend to deliver the update about the payment. The body of the request contains all the details of the payment. The endpoint should only process requests that it has verified as coming from the specific payment gateway you integrated, and reject everything else.
Step 8 -
Now you have the payment details from the payment gateway. It is the developer's task to verify, from the gateway's response, that the payment is valid (for the expected order and the expected amount) and then update the status of the order in the backend system.
Step 9 -
Send the payment and order status to the user along with the receipt.
These steps protect against the following attacks -
- If the developer checks the payment status on the frontend of the application, the user can manipulate the payment information on the frontend.
- The user might pay less than the actual amount, and a backend that does not compare the paid amount with the order amount may mark the payment as successful.
- If the web application crashes during payment, or the user disconnects for some reason, these steps still record the payment correctly because the gateway reports the result directly to the backend.
- In recent years many e-commerce websites have faced a social engineering attack known as refund fraud. Following the above steps reduces the chances of such an attack, since you now have a defined process for refunds.
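Putting steps 2, 3, 7, 8 and 9 together, here is an added example backend written for this article; it is not code from the original post or from any real payment gateway. The gateway API call, the webhook payload fields (`event_id`, `gateway_order_id`, `status`, `amount`, `currency`) and the HMAC-SHA256 signature over the raw body are assumptions standing in for whatever your gateway documents. It stores the expected amount when the order is created, authenticates the callback before parsing it, ignores duplicate deliveries, and refuses to mark an order paid when the reported amount or currency does not match, which covers the frontend-manipulation and underpayment attacks listed above.

```python
# Added example (not from the original article). Gateway API shape, payload
# fields and signature scheme are assumptions; adapt them to your gateway.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Secret shared with the gateway for signing webhooks (constructed sample value;
# in production load it from a secret store, never ship it to the frontend).
WEBHOOK_SECRET = b"constructed-webhook-secret"


@dataclass
class Order:
    order_id: str
    amount: int              # minor units (paise/cents) to avoid float rounding
    currency: str
    gateway_order_id: str
    status: str = "created"
    processed_events: set = field(default_factory=set)


ORDERS: Dict[str, Order] = {}   # stands in for the backend database


def gateway_create_order(amount: int, currency: str) -> str:
    """Stand-in for the gateway's 'create order' API call (assumed API)."""
    return "gw_" + secrets.token_hex(8)


def create_order(amount: int, currency: str) -> Order:
    """Steps 2 & 3: create the order at the gateway and record it locally
    together with the amount the customer is expected to pay."""
    gw_id = gateway_create_order(amount, currency)
    order = Order(order_id="ord_" + secrets.token_hex(8), amount=amount,
                  currency=currency, gateway_order_id=gw_id)
    ORDERS[order.order_id] = order
    return order


def sign_payload(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body (assumed signature scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signed_event(gateway_order_id: str, event_id: str, status: str,
                 amount: int, currency: str) -> Tuple[bytes, str]:
    """Builds a constructed webhook body as the gateway would POST it, plus its signature."""
    body = json.dumps({"event_id": event_id, "gateway_order_id": gateway_order_id,
                       "status": status, "amount": amount, "currency": currency}).encode()
    return body, sign_payload(body)


def find_order_by_gateway_id(gateway_order_id: str) -> Optional[Order]:
    return next((o for o in ORDERS.values() if o.gateway_order_id == gateway_order_id), None)


def handle_webhook(raw_body: bytes, signature_header: str) -> str:
    """Steps 7 & 8: accept the gateway callback, verify it, update the order.
    Returns a short outcome string (what the HTTP handler would log/return)."""
    # 1. Authenticate the caller before parsing anything; constant-time compare.
    if not hmac.compare_digest(sign_payload(raw_body), signature_header):
        return "rejected: bad signature"
    event = json.loads(raw_body)
    # 2. Look the order up by the gateway's id stored in step 3, never by client data.
    order = find_order_by_gateway_id(event["gateway_order_id"])
    if order is None:
        return "rejected: unknown order"
    # 3. Idempotency: gateways retry delivery, so the same event may arrive twice.
    if event["event_id"] in order.processed_events:
        return "ignored: duplicate event"
    order.processed_events.add(event["event_id"])
    # 4. Trust the gateway's verdict only when it matches what we expected to be paid.
    if event["status"] != "captured":
        order.status = "failed"
        return "failed"
    if event["amount"] != order.amount or event["currency"] != order.currency:
        order.status = "needs_review"   # underpaid or wrong currency: do not fulfil
        return "rejected: amount mismatch"
    order.status = "paid"
    return "paid"


def order_status(order_id: str) -> str:
    """Step 9: the state the frontend reads to show the user the result and receipt."""
    return ORDERS[order_id].status


def demo() -> dict:
    """Constructed walk-through: a valid callback, a retry of it, and a tampered body."""
    order = create_order(amount=49900, currency="INR")
    body, sig = signed_event(order.gateway_order_id, "evt_1", "captured", 49900, "INR")
    first = handle_webhook(body, sig)
    retry = handle_webhook(body, sig)                              # duplicate delivery
    forged = handle_webhook(body.replace(b"49900", b"100"), sig)   # body altered, old signature
    return {"first": first, "retry": retry, "forged": forged,
            "status": order_status(order.order_id)}


if __name__ == "__main__":
    print(demo())
```

The frontend never reports "success" to the backend; it only polls `order_status` after the gateway has called the webhook, so a user who edits the page cannot change the order state. Amounts are kept in minor units and compared exactly, and the event id is recorded before the order is touched so a retried delivery cannot mark an order paid twice.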