AcadmicMitra PayBridge
Features Docs Integrations Stories Pricing Dashboard

Reports & Documentation

01 Architecture Overview 02 Database Design 03 Api Reference 04 Security Audit 05 Quality Maintenance
# 04. Security, Compliance & Validation ## 1. Authentication & Authorization ### ERP System Authentication (Server-to-Server) The system employs a multi-layered authentication strategy for incoming API requests: 1. **Token-Based Auth**: Each ERP/Customer is assigned a unique `current_token`. This must be passed in the `X-Customer-Token` header. 2. **IP Whitelisting**: Requests are only accepted if the originating IP address is found in the `incoming_host_validation` table for the corresponding customer. This prevents token-leakage-based attacks from unauthorized servers. ### Admin Dashboard Security - **Middleware**: Protected by Laravel's built-in `auth` middleware. - **Session Management**: Implements session regeneration on login and invalidation on logout to prevent session fixation and hijacking. - **Password Policies**: Uses `Password::defaults()` which ensures strong character requirements. --- ## 2. Data Integrity & Verification ### Response & Webhook Signing (HMAC-SHA256) To ensure that status updates haven't been tampered with during transit: - The system signs all outgoing JSON payloads using `hash_hmac('sha256', $payload, $customer_token)`. - The signature is sent in the `X-PB-Signature` header. - ERP systems are expected to verify this signature using their shared secret (the token). ### Webhook Security (Inbound) When receiving updates from Payment Gateways (Razorpay/CCAvenue): - The system captures raw headers (e.g., `X-Razorpay-Signature`). - Validation logic (within the PG drivers) verifies the authenticity of the signature using the gateway's secret key before updating transaction statuses. --- ## 3. Data Protection (PII & Sensitive Info) ### Sensitive Configuration - **Encrypted Storage**: While current config is stored in JSON, it is recommended to ensure the database disk/volume is encrypted. - **Environment Variables**: Sensitive system-wide keys (like `APP_KEY`) are stored in `.env` and never committed to version control. ### Transaction Privacy - The system avoids storing full Credit Card numbers or CVVs. It only stores the gateway-provided reference IDs and metadata, remaining compliant with basic PCI-DSS principles by offloading sensitive data handling to the PG's hosted fields or checkout pages. --- ## 4. Key Security Recommendations - **Token Rotation**: Implement a mechanism to rotate `current_token` periodically for ERP systems. - **Rate Limiting**: Apply Laravel's rate limiter to the `create-payment-intent` and `payment/status` endpoints to mitigate Brute-force or DoS attempts. - **Audit Logging**: While `payment_transactions` provides an audit of payments, an "Admin Action Log" would be beneficial to track who changed gateway credentials or whitelisted new IPs.
AcadmicMitra PayBridge

The mission-critical, secure payment middleware designed specifically for modern higher education institutions and large scale ERP ecosystems.

Solution

  • Platform Features
  • Gateway Partners
  • Institutional Plans
  • Security & Compliance
  • Success Stories

Developers

  • Documentation
  • API Reference
  • System Architecture
  • Integration Guide
  • Maintenance Logs

Company

  • About PayBridge
  • Support Center
  • Privacy Framework
  • Terms of Service
  • Contact Sales

© 2026 AcadmicMitra PayBridge. A unit of Creataum Tech.

PCI-DSS & ISO 27001 Certified

Built with for Education