Company

Security

A payment integration is safe only when the client interface is not the source of truth, tokens never reach frontend code and every critical action can be audited.

Overview

VPOS.am security is built around server-side payment verification, signed events, least privilege and audit of critical actions.

What is verified on the server

Payment status, amount, currency, order id and provider reference must be confirmed on the server. Frontend can show the result to the user, but it should not mark an order as paid by itself.

If payment data does not match the internal order, the process should move to manual review instead of automatically fulfilling a product or service.

How tokens and access should be handled

API keys, webhook secrets and provider credentials should be stored outside frontend code, passed only through protected channels and granted with minimum required permissions.

Access to merchant console and integration settings should be role-based. Changes to settlement details, callback URLs or keys should be logged as critical actions.

Logging and incident review

A payment circuit needs logs for authorization, settings changes, webhook delivery, provider callbacks and manual operator actions.

These logs help reconstruct the chain of events: who changed a setting, which payload arrived, which status was accepted and why an order received its final result.

FAQ

Which data should never be stored in frontend code?

API keys, webhook secrets, provider credentials and service tokens should not be exposed in frontend code. They belong on the server or in a protected runtime environment.

What should be logged in a payment integration?

Provider callbacks, webhook delivery, settings changes, operator actions, signature verification failures and payment status transitions should be logged.