Security & Authentication
Overview
Your API requests to the PayMongo API must be authenticated using your account's API keys. An authentication error will be returned if the API key is not provided or is invalid.
Every PayMongo account is provided with two API keys, one for testing so you can try out the PayMongo API while waiting for your account to be activated, and another set of keys for running live requests. Your API keys are available on the Developers tab of the dashboard.
How secure is PayMongo?
PayMongo is a PCI Service Provider Level 1 compliant payment provider. We have been audited by an independent PCI-certified auditor through the most stringent compliance process available in the payments industry.
PCI-DSS (Payment Card Industry Data Security Standard) is a technical and operational standard developed and managed by the PCI Security Standards Council to ensure the protection and security of card information that cardholders provide and that is transmitted through card processing transactions.
PayMongo also enforces HSTS, a web security mechanism that requires browsers to interact with PayMongo strictly through HTTPS. This ensures your data is encrypted, protecting you from malicious actors using man-in-the-middle attacks.
Robust Data Protection and Encryption
Protecting your sensitive data and your customers' financial information is central to PayMongo's security architecture.
- Encryption
PayMongo employs strong encryption techniques to defend against malicious attempts to steal and misuse collected data. This applies to data exchanged between servers and endpoints, ensuring that sensitive information remains unreadable to unauthorized parties.
- Authentication
Access to data and information collection within PayMongo's systems is strictly limited to authorized users and applications through rigorous authentication mechanisms.
- Tokenization
PayMongo utilizes tokenization to keep sensitive card information secure on our servers. When a card is used, the actual card details are converted into a unique, non-sensitive "token." This token is then used for subsequent transactions, protecting the original card number from exposure to malicious agents.
- HTTPS Everywhere (SSL/TLS)
All interactions with PayMongo, including our website, merchant Dashboard, and APIs, are exclusively conducted through HTTPS (Hypertext Transfer Protocol Secure). This ensures that all data transmitted between your browser/system and PayMongo is encrypted, preventing "man-in-the-middle" attacks where malicious actors attempt to intercept data.
- HSTS Implementation
PayMongo implements HTTP Strict Transport Security (HSTS). This web security protocol forces web browsers to interact with PayMongo services exclusively over HTTPS, further enhancing protection against certain types of cyber-attacks and ensuring a secure connection. PayMongo is included in the HSTS preload lists of major web browsers for added security.
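The HSTS policy described above reaches the browser as a `Strict-Transport-Security` response header. The following is an added example, not PayMongo's code: it parses that header following RFC 6797 and checks it against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The function names and the sample header values are constructed for illustration.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(header_value):
    """Parse an HSTS header value (RFC 6797, section 6.1); None if unusable."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives such as ";;" are permitted
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip() if sep else None
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # the quoted-string form is allowed
        if name in directives:
            return None  # RFC 6797 allows each directive only once
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a run of digits
    directives["max-age"] = int(max_age)
    return directives

def audit_hsts(header_value):
    """Return a list of findings; an empty list means preload-ready."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["header is malformed and will be ignored by browsers"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    elif policy["max-age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing")
    if "preload" not in policy:
        findings.append("preload missing")
    return findings

# Constructed sample values, not captured from any PayMongo response.
SAMPLES = ["max-age=63072000; includeSubDomains; preload", "max-age=300",
           'MAX-AGE="31536000"; includeSubDomains; max-age=1', None]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_hsts(sample) or "OK")
```

Browsers honor the header only when it arrives over HTTPS, so run the check against the value returned by your own HTTPS endpoints that sit in front of payment flows.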
Secure Infrastructure and Network Security
PayMongo's platform is built on a robust and secure infrastructure designed to protect against various cyber threats.
- Cloud-Based Security
Leveraging secure cloud infrastructure, PayMongo benefits from advanced physical and environmental security measures, robust network controls, and extensive monitoring capabilities provided by leading cloud providers.
- Regular Security Updates
PayMongo's systems are continuously updated with the latest security patches and configurations to guard against emerging vulnerabilities.
- Firewalls and Intrusion Detection
Our network employs firewalls and intrusion detection/prevention systems to monitor and control incoming and outgoing network traffic, protecting against unauthorized access and malicious activity.
Updated 22 days ago