Security & PCI Compliance

Learn about PCI-DSS compliance, API security best practices, and how to keep your integration secure.

PCI-DSS Compliance

By using Altafinex's Card Container and tokenization, you stay out of PCI-DSS scope. We handle all sensitive card data, so you don't need to be PCI compliant.

How It Works

1. Card Container (Iframe)

Card data is entered directly into our secure iframe, which never touches your servers.

2. Tokenization

Card data is immediately converted to a secure token that expires after 24 hours.

3. Your Servers

You only receive and store token IDs, never raw card data. This keeps you out of PCI scope.

API Security

API Key Management
  • Never expose your Secret Key (sk_...) in client-side code
  • Store API keys as environment variables, not in code
  • Rotate keys regularly and immediately if compromised
  • Use different keys for test and production environments
HTTPS Only

All API requests must use HTTPS. Never send API requests over HTTP. Our API endpoints only accept HTTPS connections.

Rate Limiting

API requests are rate-limited to prevent abuse. If you exceed the rate limit, you'll receive a 429 Too Many Requests response. Implement exponential backoff in your retry logic.

Webhook Signature Verification

Always verify webhook signatures to ensure requests are actually from Altafinex. This prevents malicious actors from sending fake webhook events to your endpoints.

How to Verify Webhooks
Each webhook request includes a signature header that you should verify before processing the event.

Signature Header

Webhook requests include an X-Altafinex-Signature header containing an HMAC-SHA256 signature of the raw request body, computed with your webhook secret.

Verification Example (Node.js)

const crypto = require('crypto');

// payload must be the raw request body exactly as received; re-serializing
// parsed JSON changes the bytes and the signature will no longer match.
function verifyWebhookSignature(payload, signature, secret) {
  if (typeof signature !== 'string') return false; // header missing or malformed

  const hmac = crypto.createHmac('sha256', secret);
  const computedSignature = hmac.update(payload).digest('hex');

  const expected = Buffer.from(computedSignature);
  const received = Buffer.from(signature);

  // timingSafeEqual throws if the lengths differ, so check that first:
  // a wrong-length header is simply an invalid signature, not a server error.
  if (received.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, expected);
}

Idempotency

Use idempotency keys to prevent duplicate charges if a network error occurs during payment processing.

Best Practices
  • Generate unique keys: Use UUIDs or a combination of order ID and timestamp
  • Store keys: Keep track of used idempotency keys to detect duplicates
  • Retry safely: If a request fails, retry with the same idempotency key

Learn More:

See our Idempotency Guide for detailed implementation examples.

Security Checklist

Before Going Live
  • API Keys Secured

    Keys stored in environment variables, never in code or version control

  • Webhook Verification

    All webhook endpoints verify signatures before processing

  • HTTPS Everywhere

    All API calls and webhook endpoints use HTTPS

  • Error Handling

    Proper error handling prevents information leakage

  • Idempotency Keys

    All payment and refund requests include idempotency keys