General

Information security is critical for businesses handling financial transactions online. Being a technology-first online finance company, we ensure that every transaction made using Razorpay products is secure.
The security of your business’s online transactions and data is a shared responsibility between you and Razorpay. As a Razorpay user, ensure you use the security measures below to secure your online transactions.

Ensure that you implement the general security best practices listed below.

  • Implement Two-Factor Authentication (2FA) across your team for additional security.
  • Use TLS and HTTPS, as they significantly decrease the risk of a man-in-the-middle attack on you or your customers.
  • Use a password manager and set strong passwords.
  • Maintain a checklist for timely onboarding and offboarding of users.
  • Do not share user accounts among employees.
  • Back up your data regularly, and test the restoration periodically.

Shared Responsibility Model

Know about the security responsibilities shared between businesses and Razorpay.

IPs and Certificates

Download Razorpay SSL certificates and whitelist our API and Webhooks IP addresses.

Security for Customers

Know how Razorpay handles customer security, saved cards and frauds.

APIs

It is essential to store your API keys safely. For the utmost security, follow the best practices listed below when integrating with Razorpay APIs.

Applications

While integrating Razorpay APIs with your application, ensure that:

  • The API key secret is not included in version control (GitHub, GitLab).
  • You only provide access to the API secret to employees on a need-to-know basis.
  • You store all secrets, such as the API secret, customer ID, and card tokens in a secure vault.
  • All websites and APIs are accessed only using HTTPS, and they follow basic security best practices.

Mobile Application

To secure your mobile application when integrating with Razorpay APIs, ensure that:

  • The Razorpay API Secret is not included in the final Android or iOS build.
  • The final build is scanned for security defects using a mobile application security scanner, such as MobSF.

Payments API

While integrating with our Payments API, ensure that you:

  • Use the Capture a Payment API to assert the payment status.
  • Fetch the amounts of captured payments only from the backend or a trusted source.

Orders API

While integrating with our Orders API, ensure that:

  • Payments are auto-captured from the Dashboard.
  • Signatures are validated in the callback request when using the Orders API to confirm payment status.
  • Order IDs used for HMAC generation are retrieved only from a trusted source, such as your own database, never from the client request.

Webhooks

To use our webhooks securely, ensure that:

  • All webhook requests are validated using Hash-based Message Authentication Code (HMAC).
  • Webhook requests are accepted only from the whitelisted Razorpay IP addresses.
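The two HMAC checks above (the callback signature from the Orders API section and the webhook signature here) share the same mechanism, so one added example covers both. This is illustrative code written for this page, not Razorpay's SDK: the secrets, the order ID and the IP allowlist range are constructed placeholders, and the trusted-store lookup is a dictionary standing in for your database. It assumes the documented signature formats: the callback signature is HMAC-SHA256 over `<order_id>|<payment_id>` keyed with the API key secret, and the webhook signature in the `X-Razorpay-Signature` header is HMAC-SHA256 over the raw request body keyed with the webhook secret, both hex-encoded.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder secrets for this example. In production, load them
# from a vault or the environment at runtime; never hard-code them.
KEY_SECRET = "example_key_secret"
WEBHOOK_SECRET = "example_webhook_secret"

# Constructed stand-in for your own order store (e.g. a database table).
# The order ID used in the HMAC must come from here, not from the request.
TRUSTED_ORDERS = {"order_EXAMPLE123": {"amount": 50000, "currency": "INR"}}

# Placeholder allowlist using a documentation range (TEST-NET-3). Replace it with
# the webhook IP addresses published on Razorpay's IPs and Certificates page.
WEBHOOK_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def hmac_sha256_hex(secret: str, message: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of `message` keyed with `secret`."""
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_payment_signature(order_id: str, payment_id: str,
                             received_signature: str,
                             key_secret: str = KEY_SECRET) -> bool:
    """Validate the checkout callback for the Orders API flow.

    Rejects orders we never created, then recomputes the expected signature
    over "<order_id>|<payment_id>" and compares in constant time.
    """
    if order_id not in TRUSTED_ORDERS:
        return False
    payload = f"{order_id}|{payment_id}".encode("utf-8")
    expected = hmac_sha256_hex(key_secret, payload)
    return hmac.compare_digest(expected, received_signature)


def verify_webhook(raw_body: bytes, received_signature: str, source_ip: str,
                   webhook_secret: str = WEBHOOK_SECRET) -> bool:
    """Validate a webhook delivery.

    The source IP must fall inside the allowlist, and the signature must match
    HMAC-SHA256 over the raw, unmodified request body. Re-serialising parsed
    JSON changes the bytes and breaks the check, so always hash the raw body.
    """
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in WEBHOOK_ALLOWLIST):
        return False
    expected = hmac_sha256_hex(webhook_secret, raw_body)
    return hmac.compare_digest(expected, received_signature)


if __name__ == "__main__":
    # Simulate a genuine callback by signing with the same secret.
    good_sig = hmac_sha256_hex(KEY_SECRET, b"order_EXAMPLE123|pay_EXAMPLE456")
    print("valid callback:", verify_payment_signature("order_EXAMPLE123", "pay_EXAMPLE456", good_sig))
    print("unknown order:", verify_payment_signature("order_NOTOURS", "pay_EXAMPLE456", good_sig))

    # Simulate a webhook delivery, then a tampered body with the same signature.
    body = b'{"event":"payment.captured"}'
    wh_sig = hmac_sha256_hex(WEBHOOK_SECRET, body)
    print("valid webhook:", verify_webhook(body, wh_sig, "203.0.113.10"))
    print("tampered body:", verify_webhook(body + b" ", wh_sig, "203.0.113.10"))
    print("wrong source IP:", verify_webhook(body, wh_sig, "198.51.100.10"))
```

`hmac.compare_digest` is used instead of `==` so that the comparison does not leak timing information about how many leading bytes matched; the allowlist check runs before the HMAC so unsolicited traffic is dropped cheaply.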

Razorpay Accounts and Dashboard

Implement the below best practices while using the Dashboard.

  • Grant access to the Dashboard only for necessary users.
  • Define user roles for team members based on their usage of the Dashboard.
  • Implement Two-Factor Authentication (2FA) on all your Razorpay accounts.
  • Never share Razorpay Two-Factor Authentication OTPs among employees.

Plugin Integration

Implement the below best practices while integrating with Razorpay using third-party plugins.

  • Use the latest version of all plugins.
  • Vendors like WordPress, Drupal, and Magento send notifications on security issues and product updates. Ensure that you subscribe to these notifications.
  • Wherever applicable, follow the official Hardening WordPress Guide.