
Security Control Process - Automatic Merchant Initialization

Pay Protocol Dev
Pay Protocol Development Team

This document describes the security control process: the transfer flow between the merchant system and the backend system, signature verification, the payment flow, and the measures that keep the service secure and stable. The goal is to ensure that transactions are secure and that the system remains highly available.

1. Merchant System and Backend System Transfer Operation Flow

  1. Encrypt Transfer Request Information

    When the merchant system sends a transfer request to the backend system, the transfer data (destination address, amount, currency, and so on) is encrypted so that it is not exposed in transit.

  2. Request Wallet Signature

    The backend system forwards the transfer request to the Web3 wallet plugin, which performs the multi-signature operation and returns the resulting signature.

  3. Signature Verification

    Upon receiving the signature, the backend system submits it to the security control web interface. The security control server independently computes its own signature over the same transfer data and checks that the signature submitted by the backend matches it. A mismatch means the request was altered or did not originate from the backend, and the transfer does not proceed.

  4. Execute Transfer via Wallet

    Once the security control web interface has verified the signature, it instructs the Web3 wallet plugin to execute the transfer and broadcast the transaction to the blockchain.

  5. Obtain Transaction Hash

    After the Web3 wallet completes the transaction, it returns the transaction hash, which the security control web interface retrieves and stores.

  6. Callback Transaction Status

    The security control web interface reports the transaction hash to the backend system in one of two ways:

    • Directly, via a callback from the web interface that updates the transaction status.
    • Through the security control server, which performs the callback on behalf of the web interface and updates the transaction status based on the hash.

  7. Transaction Status Check

    The backend system checks the on-chain status of the transaction hash and updates its transaction status record accordingly.
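Steps 1 to 7 describe the flow but not how the comparison in step 3 is actually performed. The following Python example is added here to illustrate it; it is not code from the Pay Protocol project, and the logic ports directly to the Java services the page describes. It assumes a secret shared between the backend and the security control server and uses an HMAC-SHA256 over a canonical encoding of the transfer fields (the page does not specify the real scheme, and a wallet multi-signature would be checked against the signers' public keys rather than recomputed). The field names, key, sample transfer and the simulated wallet call are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a secret shared by the backend system and the security control
# server. The page does not name the real signing scheme; HMAC-SHA256 is used
# here so that the server can recompute the signature itself (step 3).
SECURITY_CONTROL_KEY = b"example-shared-secret-do-not-use-in-production"


def canonical_transfer(transfer: dict) -> bytes:
    """Serialize the transfer fields in one fixed, unambiguous form.

    Both sides must sign exactly the same bytes: keys are sorted, whitespace
    is removed, and every field is coerced to a string. Changing any field
    (for instance the amount) changes the digest.
    """
    required = ("merchant_id", "to_address", "amount", "currency", "request_id")
    missing = [k for k in required if k not in transfer]
    if missing:
        raise ValueError(f"transfer is missing fields: {missing}")
    subset = {k: str(transfer[k]) for k in required}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_transfer(transfer: dict, key: bytes) -> str:
    """Backend side: the signature submitted to the security control web interface."""
    return hmac.new(key, canonical_transfer(transfer), hashlib.sha256).hexdigest()


def security_control_verify(transfer: dict, submitted_sig: str, key: bytes) -> bool:
    """Security control side (step 3): recompute the signature on the server and
    compare it with the one the backend submitted.

    hmac.compare_digest runs in constant time, so a network attacker cannot
    learn how many leading characters of a guessed signature were right.
    """
    try:
        expected = sign_transfer(transfer, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, submitted_sig)


def process_transfer(transfer: dict, submitted_sig: str, key: bytes) -> dict:
    """Steps 3 to 5: only a verified request reaches the wallet.

    The wallet call is simulated; a real deployment hands the request to the
    Web3 wallet plugin and receives the transaction hash from it.
    """
    if not security_control_verify(transfer, submitted_sig, key):
        return {"status": "REJECTED", "reason": "signature mismatch", "tx_hash": None}
    # Constructed stand-in for the transaction hash the wallet would return.
    digest = hashlib.sha256(canonical_transfer(transfer) + secrets.token_bytes(8))
    return {"status": "SUBMITTED", "reason": None, "tx_hash": "0x" + digest.hexdigest()}


# Constructed sample request, as the backend would submit it.
SAMPLE_TRANSFER = {
    "merchant_id": "M1001",
    "to_address": "0x1111111111111111111111111111111111111111",
    "amount": "25.50",
    "currency": "USDT",
    "request_id": "req-0001",
}

if __name__ == "__main__":
    sig = sign_transfer(SAMPLE_TRANSFER, SECURITY_CONTROL_KEY)
    print(process_transfer(SAMPLE_TRANSFER, sig, SECURITY_CONTROL_KEY))
    # Same signature, amount changed in flight: the server's recomputation differs.
    tampered = dict(SAMPLE_TRANSFER, amount="2550.00")
    print(process_transfer(tampered, sig, SECURITY_CONTROL_KEY))
```

The important property is that the server never trusts the submitted signature as evidence of anything on its own: it recomputes from the transfer data it was given, so a request whose amount or destination was altered after signing fails even though the signature string itself is genuine.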


2. Security Control Signature Process

  1. Merchant Data Initialization

    When the backend system approves a merchant, it records the merchant's information (merchant ID, cold and hot wallet contract addresses, etc.) and exposes query and delete interfaces to the security control.

  2. Security Control Data Storage

    The security control calls the backend's query interface to obtain the merchant data, stores it locally as a JSON file, and requests deletion of the data it has superseded.

  3. Scheduled Task for Data Synchronization

    A cron job periodically calls the security control interface so that the merchant initialization data is refreshed automatically.
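The three steps above describe the synchronization but not its failure modes: a malformed address coming back from the query interface, a merchant that is no longer approved but still present in the local file, or a cron run that dies while the JSON file is half written. The following Python example is added here and is not the project's own code. It stands in for the backend query interface with constructed data, assumes the stored JSON is a list of records with `merchant_id`, `cold_address`, `hot_address` and `status` fields, validates each record before it can become a trusted transfer destination, and replaces the file atomically so the signer never reads a truncated file.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the backend's merchant query interface. A real
# deployment fetches this over HTTPS from the backend; the record layout
# below is an assumption, the page does not specify the interface format.
BACKEND_MERCHANTS = [
    {"merchant_id": "M1001", "status": "approved",
     "cold_address": "0x" + "a" * 40, "hot_address": "0x" + "b" * 40},
    {"merchant_id": "M1002", "status": "approved",          # malformed hot address
     "cold_address": "0x" + "c" * 40, "hot_address": "not-an-address"},
    {"merchant_id": "M1003", "status": "deleted",           # no longer approved
     "cold_address": "0x" + "d" * 40, "hot_address": "0x" + "e" * 40},
]

ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def query_merchants() -> list:
    """Stands in for the call to the backend's query interface."""
    return BACKEND_MERCHANTS


def validate_merchant(m: dict) -> bool:
    """Only well-formed, approved merchants enter the signing data: an address
    stored here later becomes a transfer destination the signer trusts."""
    return (
        isinstance(m.get("merchant_id"), str) and m["merchant_id"] != ""
        and m.get("status") == "approved"
        and ETH_ADDRESS.match(str(m.get("cold_address", ""))) is not None
        and ETH_ADDRESS.match(str(m.get("hot_address", ""))) is not None
    )


def write_json_atomically(path: Path, data) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so a crash mid-write never leaves the signer a truncated file."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(data, f, indent=2, sort_keys=True)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def sync_merchants(store: Path) -> dict:
    """One run of the scheduled task: fetch, validate, replace the stored file,
    and report which merchants were stored, rejected or removed."""
    previous = set()
    if store.exists():
        previous = {m["merchant_id"] for m in json.loads(store.read_text())}
    accepted, rejected = {}, []
    for m in query_merchants():
        if validate_merchant(m):
            accepted[m["merchant_id"]] = m
        else:
            rejected.append(m.get("merchant_id"))
    write_json_atomically(store, list(accepted.values()))
    return {
        "stored": sorted(accepted),
        "rejected": rejected,
        "removed": sorted(previous - set(accepted)),   # stale local entries dropped
    }


def run_demo() -> dict:
    """Seeds a stale merchant file in a temp directory, runs one sync and
    returns the report plus the IDs now on disk."""
    store = Path(tempfile.mkdtemp()) / "merchants.json"
    store.write_text(json.dumps([{"merchant_id": "M1001"}, {"merchant_id": "M1003"}]))
    report = sync_merchants(store)
    report["on_disk"] = [m["merchant_id"] for m in json.loads(store.read_text())]
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run from cron, the rejected list is what should raise an alert: a merchant the backend reports as approved but with an address that does not parse is either a data-entry error or a sign that the query response was tampered with, and either way it must not be signed for.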


3. End-to-End Security

  1. Server Security

    Intrusion detection systems and firewalls are employed to protect the server from external attacks.

  2. Encrypted Communication

    All data in transit is protected by HTTPS, and sensitive request data is additionally encrypted at the application layer (see section 1, step 1).

  3. Prevention of Replay Attacks

    Replay attacks are prevented by including a timestamp, nonce or unique identifier in every transaction request, so that a captured request cannot be accepted a second time, and by relying on the blockchain's own transaction nonce, so that a submitted transaction cannot be executed twice on chain.

  4. Service Monitoring and Alerts

    The system's health is checked periodically; any anomaly raises an alert and is repaired promptly.
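Item 3 above names timestamps and nonces, and section 6 requires a signature on every API request; the two only work together if the timestamp and nonce are inside the signed data. The following Python example is added here to show that on the off-chain request path; it is not code from the project. It assumes an HMAC-SHA256 over the request body plus timestamp and nonce, a five-minute clock-skew window and an in-memory nonce cache, all of which are this example's choices rather than the page's.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions: HMAC-SHA256 over body + timestamp + nonce with a shared key;
# the page does not name the real scheme or the window sizes.
API_KEY = b"example-api-secret-do-not-use-in-production"
MAX_CLOCK_SKEW = 300            # seconds a request timestamp may lag or lead server time
NONCE_TTL = 2 * MAX_CLOCK_SKEW  # a nonce only needs remembering while its timestamp is acceptable


def _signed_message(body: dict, ts: int, nonce: str) -> bytes:
    """Canonical bytes covered by the signature. Timestamp and nonce are inside
    it, so they cannot be changed or stripped without breaking the signature."""
    return json.dumps({"body": body, "ts": ts, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


class ReplayGuard:
    """Rejects requests whose timestamp is stale or whose nonce was already seen."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}   # nonce -> time after which it may be forgotten

    def check(self, ts: int, nonce: str) -> str:
        now = self._now()
        for n in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[n]                  # expired nonces can't replay anyway; bound the cache
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "stale timestamp"
        if nonce in self._seen:
            return "nonce already used"
        self._seen[nonce] = now + NONCE_TTL
        return "ok"


def build_request(body: dict, key: bytes, now=None) -> dict:
    """Client side: attach timestamp, fresh random nonce and signature."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    sig = hmac.new(key, _signed_message(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "sig": sig}


def verify_request(req: dict, key: bytes, guard: ReplayGuard) -> str:
    """Server side: check the signature before touching replay state, so
    unauthenticated traffic cannot fill the nonce cache or probe it."""
    try:
        msg = _signed_message(req["body"], int(req["ts"]), str(req["nonce"]))
    except (KeyError, TypeError, ValueError):
        return "malformed"
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("sig", ""))):
        return "bad signature"
    return guard.check(int(req["ts"]), str(req["nonce"]))


def run_demo() -> list:
    """Fixed clock so the outcomes are deterministic: a fresh request, the same
    request replayed, an hour-old request replayed, and an in-flight tamper."""
    t0 = 1_700_000_000
    guard = ReplayGuard(now=lambda: t0)
    body = {"merchant_id": "M1001", "amount": "25.50", "currency": "USDT"}
    fresh = build_request(body, API_KEY, now=t0)
    old = build_request(body, API_KEY, now=t0 - 3600)          # validly signed an hour ago
    tampered = dict(fresh, body=dict(body, amount="2550.00"))  # signature no longer matches
    return [
        verify_request(fresh, API_KEY, guard),
        verify_request(fresh, API_KEY, guard),
        verify_request(old, API_KEY, guard),
        verify_request(tampered, API_KEY, guard),
    ]


if __name__ == "__main__":
    print(run_demo())
```

One caveat for the deployment described in section 5: with load balancing and automatic scaling, an in-memory nonce cache is per instance, so a replayed request routed to a different instance would pass. The seen-nonce set then has to live in shared storage (the database or a shared cache) with the same TTL.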


4. Payment Flow

  1. Encrypt Payment Link

    When the merchant system generates a payment link, it attaches a signature parameter computed over the link's payment parameters, so that the link cannot be forged or altered.

  2. Payment Information Verification

    When the user submits a payment, the signature and parameters of the payment information are verified to ensure that the request originated from a legitimate merchant and was not modified.

  3. Payment Callback Verification

    After the payment completes, the merchant system verifies the callback payment data before updating the order, so that a forged callback cannot mark an order as paid.

  4. Payment Interface Control

    IP restrictions and request-rate limits are applied to the payment interface to prevent misuse.
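Steps 1 to 3 above are one procedure: the merchant signs the link, the payment service checks it on submission, and the merchant checks the callback. The following Python example is added here and is not the project's own code. It assumes a per-merchant shared secret, an HMAC-SHA256 over the sorted query parameters, a hypothetical checkout URL and a fixed link lifetime; all names and values are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Assumptions: one secret per merchant, shared with the payment service; the
# checkout URL and the link lifetime are hypothetical values for this example.
MERCHANT_SECRETS = {"M1001": b"merchant-1001-secret-example"}
PAY_BASE_URL = "https://pay.example.invalid/checkout"
LINK_TTL = 900  # seconds a payment link stays valid


def _sign(params: dict, key: bytes) -> str:
    """Sign every parameter except 'sig' itself, in sorted key order, so both
    sides serialize identically regardless of parameter order in the URL."""
    msg = urlencode(sorted((k, str(v)) for k, v in params.items() if k != "sig")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_payment_link(merchant_id: str, order_id: str, amount: str,
                        currency: str, now=None) -> str:
    """Step 1: the merchant system builds a link carrying a signature parameter."""
    params = {
        "merchant_id": merchant_id,
        "order_id": order_id,
        "amount": amount,
        "currency": currency,
        "expires": str(int((time.time() if now is None else now) + LINK_TTL)),
    }
    params["sig"] = _sign(params, MERCHANT_SECRETS[merchant_id])
    return f"{PAY_BASE_URL}?{urlencode(params)}"


def verify_payment_link(url: str, now=None) -> tuple:
    """Step 2: the payment service checks the link before accepting a submission."""
    params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    key = MERCHANT_SECRETS.get(params.get("merchant_id", ""))
    if key is None:
        return False, "unknown merchant"
    for field in ("order_id", "amount", "currency", "expires", "sig"):
        if field not in params:
            return False, f"missing {field}"
    if not hmac.compare_digest(_sign(params, key), params["sig"]):
        return False, "bad signature"          # any parameter changed, or forged link
    try:
        expires = int(params["expires"])
    except ValueError:
        return False, "bad expiry"
    if int(time.time() if now is None else now) > expires:
        return False, "link expired"            # old links cannot be reused indefinitely
    return True, "ok"


def sign_callback(callback: dict, merchant_id: str) -> dict:
    """Payment service side: sign the status it reports back to the merchant."""
    signed = dict(callback)
    signed["sig"] = _sign(signed, MERCHANT_SECRETS[merchant_id])
    return signed


def verify_callback(callback: dict, merchant_id: str) -> bool:
    """Step 3: the merchant system rejects forged or altered payment callbacks."""
    key = MERCHANT_SECRETS.get(merchant_id)
    if key is None or "sig" not in callback:
        return False
    return hmac.compare_digest(_sign(callback, key), str(callback["sig"]))


if __name__ == "__main__":
    link = create_payment_link("M1001", "ORD-42", "19.99", "USDT")
    print(link)
    print(verify_payment_link(link))
    print(verify_payment_link(link.replace("19.99", "1.99")))   # amount edited by the user
    cb = sign_callback({"order_id": "ORD-42", "status": "PAID", "amount": "19.99"}, "M1001")
    print(verify_callback(cb, "M1001"), verify_callback(dict(cb, amount="0.01"), "M1001"))
```

The callback check matters as much as the link check: the merchant must compare the signed amount and order ID in the callback against its own order record, not just confirm that some callback arrived, otherwise a valid callback for a small payment could be replayed against a larger order.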


5. Docker Deployment and Web Deployment

  1. Simplify Docker Deployment

    Docker images and configuration files are provided, enabling merchants to easily deploy services using Docker Compose or Kubernetes.

  2. Java Web Support

    The web application runs on common Java web servers such as Tomcat, ensuring compatibility.

  3. Automatic Service Scaling

    Load balancing and automatic scaling are configured to ensure the service can scale and remain stable during peak traffic periods.


6. API Security

  1. Signature Verification

    Every API request must carry a signature, so that the server can verify that the request is legitimate and unaltered.

  2. Encrypted Data Transmission

    All API traffic is carried over HTTPS, which protects the data from eavesdropping and tampering in transit.

  3. Access Control

    Access is restricted to allowlisted IP addresses and request-rate limits are enforced, so that the interface cannot be abused.

  4. Log Recording and Auditing

    All API calls are logged, and the logs are audited regularly so that every operation can be traced.
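Item 3 of this section, and step 4 of the payment flow, state that IP restrictions and request-frequency limits are in place but not how the two interact, or where the client address comes from when the service sits behind the load balancer described in section 5. The following Python example is added here and is not code from the project. The per-merchant allowlist, the limit values and the trusted-proxy handling are this example's assumptions; the addresses are documentation ranges constructed for the demonstration.

```python
import ipaddress
import time
from collections import deque

# Assumptions: one allowlist per merchant, a small fixed rate limit, and a
# single trusted reverse proxy. The page only says that IP restrictions and
# request-frequency limits are configured.
MERCHANT_IP_ALLOWLIST = {
    "M1001": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8::/32")],
}
RATE_LIMIT = 5        # requests per merchant ...
RATE_WINDOW = 60.0    # ... within this many seconds


class SlidingWindowLimiter:
    """Counts requests per merchant inside a sliding time window."""

    def __init__(self, limit: int, window: float, now=time.time):
        self.limit, self.window, self._now = limit, window, now
        self._hits = {}   # merchant_id -> deque of request timestamps

    def allow(self, merchant_id: str) -> bool:
        now = self._now()
        q = self._hits.setdefault(merchant_id, deque())
        while q and q[0] <= now - self.window:   # forget hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip(remote_addr: str, headers: dict, trusted_proxy=None) -> str:
    """Trust X-Forwarded-For only when the TCP peer is our own reverse proxy, and
    then only its rightmost entry (the one that proxy appended). Anything else in
    the header is attacker-controlled and would bypass the allowlist."""
    xff = headers.get("X-Forwarded-For")
    if trusted_proxy is not None and remote_addr == trusted_proxy and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def check_access(merchant_id: str, remote_addr: str, headers: dict,
                 limiter: SlidingWindowLimiter, trusted_proxy=None) -> str:
    """Allowlist first, then rate limit: a non-allowlisted source must not be
    able to burn a legitimate merchant's request budget."""
    try:
        ip = ipaddress.ip_address(client_ip(remote_addr, headers, trusted_proxy))
    except ValueError:
        return "forbidden: unparseable client address"
    if not any(ip in net for net in MERCHANT_IP_ALLOWLIST.get(merchant_id, [])):
        return "forbidden: ip not allowlisted"
    if not limiter.allow(merchant_id):
        return "too many requests"
    return "ok"


def run_demo() -> list:
    """Deterministic clock; returns the decision for each constructed request."""
    clock = [1_700_000_000.0]
    limiter = SlidingWindowLimiter(RATE_LIMIT, RATE_WINDOW, now=lambda: clock[0])
    out = []
    for _ in range(RATE_LIMIT + 1):                       # 5 allowed, the 6th refused
        out.append(check_access("M1001", "203.0.113.7", {}, limiter))
    clock[0] += RATE_WINDOW + 1                           # window slid: budget is back
    out.append(check_access("M1001", "203.0.113.7", {}, limiter))
    out.append(check_access("M1001", "198.51.100.9", {}, limiter))        # outside allowlist
    out.append(check_access("M1001", "198.51.100.9",                       # spoofed header, untrusted peer
                            {"X-Forwarded-For": "203.0.113.7"}, limiter))
    out.append(check_access("M1001", "10.0.0.1",                           # real client via trusted proxy
                            {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"},
                            limiter, trusted_proxy="10.0.0.1"))
    return out


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

As with the nonce cache, a per-instance limiter only works behind a load balancer if the balancer pins a merchant to one instance; otherwise the hit counts belong in shared storage so that the limit is enforced across all instances.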