# Security checks

KwikPaisa recommends implementing multiple security layers before enabling production payment and payout processing.

Security checks help protect:

* Merchant accounts
* Customer transactions
* Banking infrastructure
* API credentials
* Payout systems
* Webhook endpoints

Production financial systems should always follow strict security and compliance standards.

***

## Core Security Requirements

All merchants should implement:

* HTTPS-only communication
* HMAC SHA256 signature verification
* Secure credential storage
* Webhook signature validation
* Replay attack protection
* Server-side transaction validation
* Transaction monitoring

***

## API Authentication Security

Every API request must include valid authentication headers:

```http
X-API-KEY
X-SIGNATURE
X-TIMESTAMP
```

KwikPaisa validates:

* Merchant authentication
* Request integrity
* Timestamp freshness
* Payload authenticity

Invalid or tampered requests are rejected automatically.

***

## Signature Verification

All requests should use HMAC SHA256 signatures.

Signature verification protects against:

* Payload tampering
* Unauthorized API access
* Replay attacks
* Forged transaction requests

For the recommended signature formula, refer to:\
➡️ Authentication → [Signature](/v3-guide/authentication/signature.md)

***

## Timestamp Validation

Timestamps help prevent replay attacks.

Merchants should:

* Generate fresh timestamps for every request
* Use UNIX timestamps in seconds
* Synchronize server time properly
* Reject expired requests

***

## Secret Key Protection

Your `secret_key` is highly sensitive.

Never:

* Expose secret keys publicly
* Store credentials in frontend applications
* Commit credentials to Git repositories
* Share production keys insecurely

Recommended storage:

* Environment variables
* Secure secret managers
* Encrypted infrastructure storage

***

## HTTPS Enforcement

All APIs and webhook endpoints must use HTTPS.

HTTPS protects:

* Transaction payloads
* API credentials
* Customer data
* Banking communication

Non-HTTPS integrations may be blocked in production environments.

***

## Webhook Security

Webhook endpoints should always:

* Verify webhook signatures
* Validate timestamps
* Handle duplicate events safely
* Return HTTP 200 quickly
* Process requests asynchronously

Never trust webhook payloads without verification.

***

## Replay Attack Protection

Replay attacks occur when attackers reuse previously valid requests.

To prevent replay attacks:

* Validate timestamps
* Reject old requests
* Generate unique transaction IDs
* Use idempotent processing
* Verify signatures properly
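
The checks listed under Timestamp Validation, Webhook Security and Replay Attack Protection, combined in one receiver-side verifier. This is an added example, not KwikPaisa code. The signing string `<timestamp>.<raw body>`, the 300-second window, and the `event_id` field are assumptions; take the real formula from the Authentication → Signature page.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; the page does not state one

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # Assumed signing string "<timestamp>.<raw body>"; see Authentication -> Signature.
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()

class WebhookVerifier:
    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.processed = set()  # production: shared store with a unique constraint

    def check(self, timestamp: str, signature: str, body: bytes) -> str:
        # Timestamp must be plain ASCII digits (UNIX seconds).
        if not (timestamp.isascii() and timestamp.isdigit()):
            return "reject:bad_timestamp"
        # HMAC over timestamp + raw body, compared in constant time.
        expected = sign(self.secret, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "reject:bad_signature"
        # A valid signature on an old timestamp is a replay or a skewed clock.
        if abs(self.clock() - int(timestamp)) > MAX_SKEW_SECONDS:
            return "reject:stale"
        # Replays and genuine retries repeat inside the window: ack, never reprocess.
        event_id = json.loads(body)["event_id"]  # hypothetical field name
        if event_id in self.processed:
            return "duplicate"
        self.processed.add(event_id)
        return "accept"

def demo():
    # Constructed sample data, not real KwikPaisa values.
    secret, now = b"test-secret-not-a-real-key", 1_700_000_000
    body = b'{"event_id":"evt_001","status":"SUCCESS","amount":"100.00"}'
    v = WebhookVerifier(secret, clock=lambda: now)
    ts, old = str(now - 10), str(now - 3600)
    sig = sign(secret, ts, body)
    return [
        v.check(ts, sig, body),                          # first delivery
        v.check(ts, sig, body),                          # replay inside the window
        v.check(ts, sig, body.replace(b"100", b"900")),  # tampered amount
        v.check(str(now), sig, body),                    # timestamp altered
        v.check(old, sign(secret, old, body), body),     # captured an hour ago
    ]
```

Answer `duplicate` with HTTP 200 and no further processing, so the sender stops retrying while the transaction is handled only once.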

***

## IP Whitelisting

Production merchants are strongly encouraged to enable:

* Static IP whitelisting
* Geo-restricted payout access
* Secure backend-only API access

Only trusted backend infrastructure should access production APIs.

***

## Transaction Validation

Before processing transactions:

* Verify payment status using APIs
* Validate payout status server-side
* Check webhook authenticity
* Confirm transaction references
* Prevent duplicate transaction handling

***

## Logging & Monitoring

Merchants should securely monitor:

* Failed authentication attempts
* Invalid signature requests
* Webhook failures
* Duplicate transaction attempts
* Suspicious payout activity
* API error spikes

Maintain secure audit logs for:

* Compliance
* Reconciliation
* Security investigations

***

## Recommended Security Architecture

KwikPaisa recommends:

| Security Layer        | Recommended |
| --------------------- | ----------- |
| HTTPS                 | Yes         |
| HMAC SHA256           | Yes         |
| IP Whitelisting       | Yes         |
| Webhook Verification  | Yes         |
| Replay Protection     | Yes         |
| Idempotent Processing | Yes         |
| Audit Logging         | Yes         |

***

## Common Security Risks

Avoid:

* Exposing production credentials
* Using frontend signature generation
* Ignoring webhook verification
* Blind retry loops
* Sharing API keys publicly
* Running production APIs from unsecured servers

***

## Infrastructure Recommendations

Production systems should use:

* Dedicated backend infrastructure
* Static public IPs
* Secure firewall rules
* VPN-restricted administrative access
* Encrypted storage systems
* Monitoring and alerting tools

***

## Operational Security Recommendations

Merchants should:

* Rotate credentials periodically
* Restrict internal API access
* Maintain access logs
* Review payout activities regularly
* Monitor webhook failures continuously

***

## Compliance Recommendations

Depending on merchant category and geography, merchants may be required to:

* Maintain transaction logs
* Store reconciliation records
* Follow banking compliance rules
* Enable audit tracking
* Support dispute investigations

***

## Best Practices

* Validate every transaction server-side
* Use unique transaction references
* Implement retry-safe workflows
* Handle webhooks asynchronously
* Monitor production systems continuously
* Test security controls regularly

***

## Important Notes

* Production APIs process real financial transactions
* Banking security controls may vary by region
* Payout systems may have additional compliance requirements
* Security validation should be reviewed periodically

***

## Final Production Security Checklist

Before going live:

✅ HTTPS enabled\
✅ Signatures verified\
✅ Webhook validation implemented\
✅ Retry protection configured\
✅ IP whitelisting enabled\
✅ Audit logging configured\
✅ Monitoring systems active\
✅ Credentials secured

***

## Need Help?

For production security reviews, IP whitelisting, payout compliance, or advanced infrastructure security assistance, contact the KwikPaisa onboarding and integration team.

