Security Overview
Security is paramount when handling payment processing. BirrLink implements multiple layers of security to protect your business and your customers' sensitive information.
BirrLink Security Standards
PCI DSS Compliance
BirrLink is PCI DSS Level 1 compliant, the highest level of certification available. This means we undergo regular audits by qualified security assessors to ensure the highest standards of data security.
Key PCI DSS requirements we meet:
- Network security controls
- Protection of cardholder data
- Vulnerability management program
- Access control measures
- Regular monitoring and testing
- Information security policy
ISO 27001 Certification
Our information security management system is certified to ISO 27001 standards, ensuring continuous management of information security risks.
Data Protection
Encryption
- In Transit: All data transmitted between your application and BirrLink uses TLS 1.3 encryption
- At Rest: Sensitive data is encrypted using AES-256 encryption
- Tokenization: Card data is tokenized immediately upon receipt, replacing sensitive data with non-sensitive tokens
Data Minimization
We only collect and store data that is necessary for processing payments and fraud prevention. Sensitive data is retained only as long as required by law.
Secure Integration Patterns
Client-Side Card Collection
Never send raw card data to your server. Use our secure client-side components:
// Correct approach - uses tokenization
const {token, error} = await birrlink.createToken(cardElement);
if (!error) {
// Send token (not card data) to your server
fetch('/create-payment', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({token: token.id})
});
}
Server-Side Processing
Always process sensitive operations on your server:
// Server-side processing with API key
app.post('/create-payment', async (req, res) => {
try {
const payment = await birrlinkClient.payments.create({
amount: req.body.amount,
currency: 'ETB',
source: req.body.token, // Use the token, not raw card data
description: req.body.description
});
res.json({payment: payment});
} catch (error) {
res.status(400).json({error: error.message});
}
});
Authentication & Authorization
API Keys Security
- Keep API keys confidential and never expose them in client-side code
- Use separate keys for test and production environments
- Rotate keys regularly
- Use environment variables for storage
Role-Based Access Control
Different API keys have different permissions:
- Full Access: Can perform all operations
- Read-Only: Can only retrieve data
- Restricted: Limited to specific operations
Webhook Security
Signature Verification
Always verify webhook signatures to ensure authenticity:
const crypto = require('crypto');
const verifyWebhookSignature = (payload, signature, secret) => {
const expectedSignature = `t=${timestamp},v1=${crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex')}`;
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
};
Endpoint Security
- Use HTTPS for webhook endpoints
- Implement rate limiting to prevent abuse
- Validate event types before processing
- Log webhook attempts for audit trails
Fraud Prevention
Built-in Fraud Detection
BirrLink uses machine learning algorithms to detect and prevent fraudulent transactions:
- Velocity checks
- Geolocation analysis
- Behavioral pattern recognition
- Risk scoring
3D Secure Authentication
For high-risk transactions, especially international cards, 3D Secure authentication provides additional security by requiring customer verification with their card issuer.
Manual Review
High-value or suspicious transactions may be flagged for manual review before processing.
Security Monitoring
Real-time Monitoring
Our systems continuously monitor for:
- Unauthorized access attempts
- Suspicious transaction patterns
- System vulnerabilities
- Compliance violations
Incident Response
We have a dedicated security team that responds to incidents 24/7, with protocols for:
- Immediate threat containment
- Impact assessment
- Customer notification
- Post-incident analysis
Customer Security
PCI Compliance for Merchants
To maintain PCI compliance when integrating with BirrLink:
- Complete the appropriate SAQ (Self-Assessment Questionnaire)
- Implement secure network practices
- Regularly update your systems
- Perform security testing
Security Recommendations
For your integration:
- Use HTTPS for all communications
- Store credentials securely
- Implement proper access controls
- Monitor for suspicious activity
- Regularly update dependencies
Reporting Security Issues
Vulnerability Disclosure
If you discover a security vulnerability:
- Contact our security team at security@birrlink.et
- Provide detailed information about the vulnerability
- Allow reasonable time for us to address the issue before disclosure
- Follow responsible disclosure practices
Security Certificates
Our security certifications are available on our website and can be provided to your compliance team upon request.
Security Updates
Communication
We provide security updates through:
- Email notifications to merchant accounts
- Status page updates
- Documentation updates
- API versioning for breaking security changes
Staying Informed
- Subscribe to our security bulletin
- Regularly check our status page
- Review security documentation updates
- Follow best practices for your integration
Security is a shared responsibility between BirrLink and our merchants. By following these security practices and guidelines, you can ensure a secure payment processing environment for your customers.