
Security Best Practices

Security is a shared responsibility. While PaynPlus ensures bank-grade security and PCI-DSS compliance on our infrastructure, it is critical that you secure your integration. Follow these best practices to protect your business and your customers.

1. Keep your Secret Keys safe

Your Secret API Key (sk_live_...) can perform actions like moving funds and initiating refunds. Treat it like a password to your bank account.

DO THIS

  • Store Secret Keys in environment variables (e.g., .env files).
  • Use Secret Keys only on your backend servers.
  • Rotate your keys immediately if you suspect they have been compromised.

DO NOT DO THIS

  • Never commit Secret Keys to GitHub or source control.
  • Never embed Secret Keys in mobile apps (iOS/Android).
  • Never use Secret Keys in frontend code (React, Vue, HTML).
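The two halves of this rule, loading the key from the environment and catching a key that slipped into a file, can both be automated. The following Python is an added example, not PaynPlus's own code: the environment variable name PAYNPLUS_SECRET_KEY and the exact length and alphabet of a real key after the sk_live_ prefix are assumptions.

```python
import os
import re
import sys

# Pattern for the key format this page shows (sk_live_...); the minimum
# length and character set after the prefix are assumptions for this example.
SECRET_KEY_RE = re.compile(r"\bsk_live_[A-Za-z0-9]{8,}\b")


def load_secret_key(env=None):
    """Read the Secret Key from the environment, never from source code.

    Fails at startup if the variable is missing or malformed, so a
    misconfigured server is noticed before the first refund is attempted.
    """
    env = os.environ if env is None else env
    key = env.get("PAYNPLUS_SECRET_KEY", "")  # variable name is an assumption
    if not SECRET_KEY_RE.fullmatch(key):
        raise RuntimeError("PAYNPLUS_SECRET_KEY is missing or malformed")
    return key


def mask_key(key):
    """Redact a key for log output: keep the prefix and the last 4 characters."""
    return key[:8] + "..." + key[-4:]


def find_leaked_keys(text):
    """Return every live Secret Key found in text (a diff, config or JS bundle).

    Meant for a pre-commit hook or CI step, so a key never reaches source
    control, a frontend bundle or a mobile app package.
    """
    return [m.group(0) for m in SECRET_KEY_RE.finditer(text)]


def scan_files(paths):
    """Scan the given files; return {path: [masked keys]} for any that leak."""
    findings = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_leaked_keys(fh.read())
        except OSError:
            continue
        if hits:
            findings[path] = [mask_key(k) for k in hits]
    return findings


if __name__ == "__main__":
    # Usage: python check_keys.py <files to scan>; exits non-zero on a hit.
    leaks = scan_files(sys.argv[1:])
    for path, keys in leaks.items():
        print(f"{path}: live secret key found ({', '.join(keys)})")
    sys.exit(1 if leaks else 0)
```

Run the scanner over staged files from a pre-commit hook; it only ever prints masked keys, so the hook's own output cannot leak the value into CI logs.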

2. Enforce IP Whitelisting

As mandated by BSP security guidelines, we strongly recommend restricting API access to your known server IP addresses.

Even if a malicious actor obtains your Secret Key, they will not be able to use it unless they are also making requests from your whitelisted servers.

Configure this in: Dashboard > Developers > Security

Example of the Allowed IPs field:

  192.168.1.100
  203.0.113.42

3. Verify Webhook Signatures

Because your webhook endpoint needs to be publicly accessible to receive events from PaynPlus, anyone can send an HTTP request to it. To ensure the payload is genuine and hasn't been tampered with, you must verify the HMAC-SHA256 signature included in the headers.

Read the Webhook Verification Guide →
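The check itself is short: recompute HMAC-SHA256 over the raw request body with your webhook secret and compare it to the header value in constant time. The Python below is an added illustration, not code from the PaynPlus guide; the header name X-Paynplus-Signature, the hex encoding of the signature, and the sample event body are assumptions constructed for this example, so take the real names from the Webhook Verification Guide.

```python
import hashlib
import hmac
import json

# Header name and hex encoding are assumptions for this example; use the
# names given in the PaynPlus Webhook Verification Guide in a real integration.
SIGNATURE_HEADER = "x-paynplus-signature"


def compute_signature(secret, raw_body):
    """HMAC-SHA256 over the raw request bytes, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, raw_body):
    """Return True only if the request carries a valid signature for raw_body.

    - header lookup is case-insensitive (frameworks differ in casing)
    - the *raw* bytes are signed; re-serialising the JSON (key order,
      whitespace) would change the digest and reject genuine events
    - hmac.compare_digest avoids leaking how many bytes matched via timing
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get(SIGNATURE_HEADER, "")
    if not provided:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, provided.strip().lower())


def handle_webhook(secret, headers, raw_body):
    """Minimal handler: reject unsigned or tampered payloads before parsing."""
    if not verify_webhook(secret, headers, raw_body):
        return 400, {"error": "invalid signature"}
    event = json.loads(raw_body)
    return 200, {"received": event.get("type")}


if __name__ == "__main__":
    # Constructed sample: the secret and event are made up for this demo.
    secret = "constructed-webhook-secret"
    body = b'{"type":"payment.paid","amount":100}'
    headers = {"X-Paynplus-Signature": compute_signature(secret, body)}
    print(handle_webhook(secret, headers, body))                          # (200, ...)
    print(handle_webhook(secret, headers, body.replace(b"100", b"999")))  # (400, ...)
```

Read the body as bytes before any framework-level JSON parsing touches it, and keep the webhook secret in an environment variable exactly as you do the Secret API Key. If the guide specifies a timestamp or other fields in the signed string, include them in the same way so a captured event cannot simply be resent.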

4. PCI-DSS Compliance

If you are using PaynPlus Checkout or accepting e-wallets (GCash/Maya) via Direct API, the heavy lifting of PCI-DSS compliance is handled by us.

However, if you are building a custom card form that handles raw Credit Card numbers (PAN, CVV) on your own servers, your company must undergo a strict PCI-DSS audit. For 99% of businesses, we recommend using our Hosted Checkout to bypass this requirement entirely.