When integrating through our SDKs, the response you receive from our end may differ from the order/cart details already stored on your server side. That means the original data sent from the mobile application (client side) was manipulated or intercepted on its way to us, which is commonly called a "man-in-the-middle attack".
PayTabs has introduced an additional layer of security for transactions initiated through the mobile SDKs: a preflight call that reconfirms the cart information with your server, so that any manipulation of the cart amount is caught before the transaction is initiated through the mobile SDK.
This article walks you through adding this additional security layer to your SDK integration. It lets you confirm that the data sent from the client side has not been manipulated or intercepted before the payment proceeds. To set it up, follow the steps described in this article.
In this article, we will walk you through the following:
- How to configure an additional security layer for my mobile application via PayTabs' SDKs?
- The Expected Behavior
In this article we will be using the Instant Payment Notification (IPN) to add this layer. To learn more about IPN, we highly recommend checking our "How to configure Instant payment notification (IPN)?" solution article.
How to configure an additional security layer for my mobile application via PayTabs' SDKs?
- From your merchant dashboard, navigate to Developers > PAYMENT NOTIFICATIONS > Configuration.
- Then, from the configuration page, click on the add button to add a new Payment notification.
- After that, you MUST set the type to PreFlight SDK and set your IPN URL. This URL/endpoint is the one PayTabs will always check with (asking for confirmation) before proceeding with the payment, so it must be reachable from the internet and served over HTTPS.
- Once the above URL is configured, for each SDK payment request a POST request will be sent to it, carrying a header called "client-key" that contains the client key used for your SDK requests. Use this header to authenticate that the request comes from our gateway: compare it against the client key you configured and reject the request if it does not match. Keep in mind that the same client key is embedded in your mobile application, so it only authenticates the gateway as long as the key has not been extracted from the app; do not rely on it alone for anything beyond this check.
The request body carries the following fields, which you verify against the details stored on your server side:
- cart_amount: The amount of the cart. Example value: 1.00
- cart_currency: The currency of the cart. Example value: AED
- cart_description: The description of the payment. Example value: Sample Payment
- cart_id: The ID of the cart, exactly as passed in your SDK request.
- Once you have validated the above form fields on your server side, you MUST respond within 10 seconds with a '200 OK' response to indicate that the details have been verified and the transaction request can proceed. Any other response (including redirects or timeouts) results in the request being rejected, so return a non-200 status (for example 400 or 409) whenever the amount, currency or cart ID does not match the order stored on your server.
- Once we receive the '200 OK' response from your side, we proceed with the payment normally, as it is now verified.
The Expected Behavior
Once you have configured PreFlight SDK mode as described in the steps above, each time you initiate a payment via the SDK, PayTabs sends a pre-flight request to your configured URL before processing the transaction, to verify the amount, currency, cart ID and cart description. The configured URL therefore receives a POST request carrying those four cart fields and the "client-key" header.
When you receive that request, validate its details against the original cart details on your server side and respond with a "200 OK" within 10 seconds. Only then will PayTabs proceed with processing your transaction. Failing to respond with a "200 OK" within 10 seconds terminates the transaction.
Kindly note that the customer is blocked from proceeding with the transaction while the payment gateway waits for the result of this pre-flight verification.
So make sure your response never exceeds the 10-second period; otherwise the transaction is terminated, the customer is shown an error by the gateway, and your mobile application should catch the corresponding error returned by the SDK.
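The following is an added example of a server-side PreFlight SDK endpoint that implements the steps above; it is not PayTabs code and not part of the original article. It assumes the POST body is application/x-www-form-urlencoded (the article calls them form fields but does not state the encoding), that the order store is a simple in-memory dictionary keyed by cart_id, and uses a placeholder client key and a constructed order and request bodies. It checks the "client-key" header in constant time, compares the amount as an exact decimal rather than a float, and returns 200 only when every field matches the stored order.

```python
"""PreFlight SDK verification endpoint (added example, not PayTabs code).

Assumptions not stated on the page: form-encoded POST body, an in-memory
order store keyed by cart_id, and placeholder key/order values.
"""
import hmac
from decimal import Decimal, InvalidOperation
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Placeholder for the client key configured for your SDK requests (constructed).
CLIENT_KEY = "CLIENT-KEY-PLACEHOLDER"

# Constructed sample order store: what your server recorded when the cart
# was created, before the app initiated the SDK payment.
ORDERS = {
    "ORDER-1001": {"amount": Decimal("1.00"), "currency": "AED",
                   "description": "Sample Payment"},
}

REQUIRED = ("cart_id", "cart_amount", "cart_currency", "cart_description")


def verify_preflight(headers, body, orders=ORDERS, client_key=CLIENT_KEY):
    """Return (status, reason) for one PreFlight SDK request.

    200 means "cart verified, proceed"; any other status makes PayTabs reject
    the payment. The reason is only for your own logs. `headers` is a
    case-insensitive mapping when called from the handler below; a plain dict
    must use the lowercase key "client-key".
    """
    # 1. Authenticate the caller: the client-key header must match, compared in
    #    constant time so a wrong guess does not leak how many bytes matched.
    presented = headers.get("client-key", "")
    if not hmac.compare_digest(presented.encode(), client_key.encode()):
        return 401, "bad or missing client-key header"

    # 2. Parse the form fields; reject anything missing or repeated.
    fields = parse_qs(body, keep_blank_values=True)
    if any(len(fields.get(k, [])) != 1 for k in REQUIRED):
        return 400, "missing or repeated cart field"
    cart = {k: fields[k][0] for k in REQUIRED}

    # 3. Look up the cart on your side; unknown ids are never approved.
    order = orders.get(cart["cart_id"])
    if order is None:
        return 404, "unknown cart_id"

    # 4. Compare the amount as an exact decimal (never float), then the
    #    currency and description byte-for-byte.
    try:
        amount = Decimal(cart["cart_amount"])
    except InvalidOperation:
        return 400, "unparseable cart_amount"
    if not amount.is_finite():
        return 400, "non-finite cart_amount"
    if amount != order["amount"]:
        return 409, f"amount mismatch: got {amount}, expected {order['amount']}"
    if cart["cart_currency"] != order["currency"]:
        return 409, "currency mismatch"
    if cart["cart_description"] != order["description"]:
        return 409, "description mismatch"
    return 200, "OK"


class PreflightHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the check can run locally. Keep do_POST cheap
    (no slow lookups, no outbound calls) so the 10-second deadline is safe."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        status, reason = verify_preflight(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())


# Constructed sample bodies: a genuine request, and one where the amount was
# tampered with on the client side before the SDK call.
GENUINE_BODY = ("cart_id=ORDER-1001&cart_amount=1.00&cart_currency=AED"
                "&cart_description=Sample+Payment")
TAMPERED_BODY = ("cart_id=ORDER-1001&cart_amount=0.01&cart_currency=AED"
                 "&cart_description=Sample+Payment")


def demo():
    """Statuses for: genuine request, tampered amount, missing client-key."""
    good_headers = {"client-key": CLIENT_KEY}
    return (
        verify_preflight(good_headers, GENUINE_BODY)[0],
        verify_preflight(good_headers, TAMPERED_BODY)[0],
        verify_preflight({}, GENUINE_BODY)[0],
    )


if __name__ == "__main__":
    print(demo())  # (200, 409, 401)
    HTTPServer(("127.0.0.1", 8080), PreflightHandler).serve_forever()
```

Run the file to start a local listener on port 8080 and POST the sample bodies to it; only the genuine body with the correct header gets a 200, so a cart whose amount was changed on the device is rejected before PayTabs processes the payment. In production, put the endpoint behind TLS and make sure the order lookup itself is fast enough to stay well inside the 10-second window.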