How do I integrate Adyen's online payments securely?
Protect your business from online attackers
Actors (people or organizations) with malicious intent might target your company through online attacks. Depending on how you integrate Adyen into your services, there are additional security measures you might want to consider to protect the confidentiality, integrity, and availability of your company and customer data.
How you might get compromised
Attackers might try to forge or steal login credentials to access to your (admin) environment. Some well-known techniques are by brute-forcing weak passwords or exploiting a weak or broken admin authentication. Phishing or other so-called social engineering tricks are common by deceiving a person within your company to give access to sensitive information.
If attackers gain unauthorized access to your pages, they can exfiltrate card data. A potential attacker can perform cross-site scripting attacks in different ways.
- By redirecting a payment to a fraudulent page so that the entered payment details are sent to the attackers before the payment process continues on the legitimate page.
- By placing so-called overlays on top of your actual payments page and collecting card data before the actual payment is made.
- By manipulating the page with malicious code, e.g., via so-called keyloggers, to collect the card data as your shopper enters them.
How to reduce the risk of compromise
Implementing basic security measures can reduce risks significantly. You should properly manage user accounts, systems, and the development lifecycle of your platform.
User account management
- Replace the usernames and passwords that the vendor has provided.
- Use strong passwords to prevent brute-force attacks. Use long passwords containing upper- and lowercase letters, numbers, and special characters.
- Avoid accounts sharing credentials between several people.
- Enforce Multi-Factor Authentication (MFA), especially when logging in on publicly available devices.
- Keep systems and software updated with the latest security patches.
- Read and implement security recommendations given by your ecommerce or website provider.
- Review admin and user activity regularly to detect unusual activity caused by a potential attacker.
Development lifecycle management
- Take security best practices into account in the design, development, and testing phases of your development lifecycle.
- Review changes to your payment pages as well as related source code. Make sure to set up continuous monitoring to detect and respond to unexpected changes.
- Manage supply chain risks to identify, handle, and prevent attacks via third-party suppliers.
- Don’t generate Pay by Link URLs on systems that are publicly accessible. It’s better to validate the host part of the URL automatically before sending them to your customer.
- Implement Cross-Origin Resource Sharing and Subresource Integrity. See our Development resources for more information about such.
- Implementing Content Security Policy (CSP) to prevent, amongst other things, cross-site scripting attacks. CSPs can be implemented by adding the Content-Security-Policy HTTP header in your web server and configuring it to only accept resources from trusted sources. Only use the following directives: Adyen, Amazon Pay, PayPal, and Google Pay.
There are many public frameworks and other guidelines that can help you in securing your business. Of course, by following secure coding practices but also by continuously assessing your security measures with the help of maturity frameworks. We recommend the following resources to learn more:
The integration security guide
Follow best practices to reduce security risks.View integration security guide