Security Best Practices
Follow these security guidelines to ensure your integration is secure and compliant with payment industry standards.
Overview
Follow these security guidelines to ensure your integration is secure and compliant with payment industry standards.
Credential Security
Never hardcode credentials
Environment Separation
Isolate dev and production
PIN Protection
Enable PIN pad shuffling
Location Validation
Detect mocked locations
Session Management
Handle expiry gracefully
Data Protection
Never log sensitive data
Credential Management
Best practices for managing auth tokens and credentials securely.
Use Auth Tokens
Prefer authCode over email/password in production. Tokens can be revoked without password changes.
Store Securely
Store credentials in Android Keystore or Encrypted SharedPreferences — never in plain SharedPreferences or code.
Rotate Regularly
Rotate auth tokens on a schedule. Use short-lived tokens where possible.
Never in Source Code
Do not hardcode credentials in your app. Use environment variables or encrypted config files.
Use BuildConfig Fields
Store tokens as BuildConfig fields injected from your CI/CD pipeline, not in source code.
Loading...Risk
Hardcoded credentials can be extracted from APK files. Always use secure storage mechanisms like Android Keystore or Encrypted SharedPreferences.
Environment Separation
Always use separate credentials and environments for development and production.
Loading...PIN Pad Security
Enable PIN pad shuffling to prevent shoulder surfing and improve security for PIN-based transactions.
Loading...Compliance
PIN pad shuffling is required for transactions involving PIN verification in many markets. Enable it by default for production builds.
Location Validation
The SDK validates device location during payment processing for compliance. Ensure location permissions are granted before calling initiate().
Loading...Session Security
Handle session expiry gracefully and implement secure re-authentication flows.
Loading...Session Expiry
Sessions expire after a period of inactivity. Always handle AuthenticationError (7001) by re-authenticating with initiate().
Production Checklist
Verify each item before deploying your integration to production.
| Item | Status |
|---|---|
| Remove hardcoded credentials | Required |
| Set environment to PRODUCTION | Required |
| Disable debug logging | Recommended |
| Enable PIN shuffle | Recommended |
| Implement location validation | Recommended |
| Handle session expiry | Required |
| Test with real cards in SANDBOX | Required |
Network Security
The SDK employs certificate pinning by default for all API communication. Ensure your release build is configured correctly.
Certificate Pinning
Enabled by default — SDK rejects untrusted TLS certificates.
HTTPS Only
All SDK communication uses HTTPS. Never use HTTP endpoints.
ProGuard
Ensure proguard-rules.pro includes keep rule for com.edfapay.** classes.
Remote TCP Channel
RemoteChannel TCP socket is unencrypted — only use on isolated, trusted networks.
On this page
Downloads
Coming SoonSample apps, release bundles, and more content will be available here soon.