Skip to content

Trust and controls

安全与合规

PCI 范围规划、Webhook 签名、服务商凭证、角色权限、审计日志和运营复核控制。

REST API Signed webhooks Hosted checkout
01Sandbox firstTest outcomes before live onboarding
02Secure eventsHMAC signatures and replay protection
03Clear operationsTransactions, reports, and settlement visibility
04Regional routingProvider-ready payment orchestration

Payment data controls

Scope
  • Use hosted checkout or provider tokenization to reduce PCI scope.
  • Never store raw card number, CVV, magnetic stripe data, PIN, or sensitive authentication data.
  • Store only WQN payment IDs, provider references, tokens, status, and audit metadata.
  • Protect provider credentials through vault references and approval gates.

Webhook and API security

HMAC
  • Bearer secret keys for server-to-server API calls.
  • Idempotency-Key for every mutating payment, refund, and checkout request.
  • HMAC SHA-256 signatures on merchant webhooks with timestamp tolerance.
  • Provider notification verification before state changes or merchant callbacks.

Operational controls

Review
ControlPurposeOwner
RBACSeparate member, finance, support, risk, and protected operator access.Security
Audit logsTrack API key changes, provider routes, refunds, settlement release, and approvals.Operations
Risk rulesVelocity limits, country rules, amount thresholds, and manual review queues.Risk operations
Compliance evidencePCI DSS checklist, access review, incident response tasks, and scan records.Compliance

放心构建

查看 API、模拟支付结果,并准备清晰的生产就绪检查清单。
开始 Sandbox 联系支持