We will be creating a brand new application soon that handles online payments for our firm. We now have several different web applications (in different technologies) running that will all be integrated into our online payment system, and we are thinking about how to secure against someone fooling the web app into thinking the payment was successful when it was not.
We will be working with API Keys for starters. Every web app will get a different API key and only calls including a valid API key will be processed. In this way, we can differentiate between the different applications using our payment platform (for reporting and logging purposes). This is far from secure enough, but it offers a first layer of protection.
Next, the online payment app and the client app will share a secret that is never transmitted and all data will be encrypted using this secret. So it will be encrypted on the client's end and decrypted in the payment app.
Next, I will only allow the different web applications to pass me the right amount and the reference of the payment needing to be processed. All other config will be done in the payment app itself beforehand (i.e. on what bank account the money will be deposited after payment) so it can't be passed in from the outside and misused in this way.
I don't think hackers will be interested in triggering a payment session on the online payments app because they cannot control where the money is going. Is this correct? Should I be worried more about this aspect?
After payment is processed, the payment app will need to redirect back to the client app and pass some information along. Are there any best practices to follow here?
And do you have any thoughts on how to further secure the applications to prevent misuse in any way? Are we overlooking something that you can spot immediately?
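One way to protect the redirect step the question asks about, as an added example that is not part of the post: the payment app signs the return parameters with the per-client shared secret using an HMAC (a keyed MAC rather than only encryption, so tampering is detectable), and the client app verifies the signature, freshness and nonce and checks that the amount and reference match the session it started itself. The secret, API key, references and amounts are constructed values.

```python
import hmac, hashlib, time, secrets
from urllib.parse import urlencode, parse_qs

SECRET = b"constructed-shared-secret"   # per-client-app secret, never sent over the wire
MAX_AGE = 300                           # seconds a redirect stays acceptable
REQUIRED = ("api_key", "reference", "amount", "status", "ts", "nonce")
_seen_nonces: set = set()               # replay guard (persist this in production)

def _canonical(fields: dict) -> bytes:
    # deterministic field order so both sides sign exactly the same bytes
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def sign_return(api_key, reference, amount_cents, status, secret=SECRET, now=None):
    """Payment app side: build the query string appended to the client's return URL."""
    fields = {
        "api_key": api_key, "reference": reference, "amount": str(amount_cents),
        "status": status, "ts": str(int(now or time.time())), "nonce": secrets.token_hex(8),
    }
    fields["sig"] = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    return urlencode(fields)

def verify_return(query, expected, secret=SECRET, now=None):
    """Client app side: True only if the redirect is authentic, fresh, unreplayed,
    reports a successful payment and matches the amount/reference this app initiated."""
    parsed = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    sig = parsed.pop("sig", "")
    if any(k not in parsed for k in REQUIRED):
        return False                                   # malformed: missing fields
    expected_sig = hmac.new(secret, _canonical(parsed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        return False                                   # forged or tampered
    if abs((now or time.time()) - int(parsed["ts"])) > MAX_AGE:
        return False                                   # stale redirect
    if parsed["nonce"] in _seen_nonces:
        return False                                   # replayed redirect
    if (parsed["reference"], parsed["amount"]) != (expected["reference"], str(expected["amount"])):
        return False                                   # amount or reference swapped
    _seen_nonces.add(parsed["nonce"])                  # consume only after all checks pass
    return parsed["status"] == "paid"
```

The client app must take `expected` from its own stored session, never from the redirect, so a valid-looking status can never be paired with a different amount.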