Security Statement
PayCore is built around traceable transactions, controllable credentials, and verifiable processes to help merchants operate safer payment and notification flows.
1. Transport security
PayCore checkout pages, APIs, and admin services should be accessed through HTTPS to reduce the risk of interception or tampering during transmission.
2. Credentials and permissions
API Keys, Webhook Secrets, admin accounts, and gateway credentials are sensitive. Merchants must restrict access, review exposure risks, and immediately disable or rotate credentials if leakage is suspected.
3. Signature and verification
When receiving Callback, Webhook, or payok_url notifications, merchants should verify the source, signature, timestamp, and transaction status. Payment success should not be determined only by front-end redirects or unverified notifications.
4. Transaction traceability
PayCore retains necessary payment status, notification, callback, synchronization, and error records to trace the transaction lifecycle and investigate issues.
5. Risk control
PayCore may suspend, reject, or restrict certain requests or payment flows based on abnormal transactions, suspicious requests, attack traffic, third-party payment responses, or legal requirements.
6. Merchant system security
Merchants must secure their own websites, servers, databases, admin systems, and integration code. PayCore is not responsible for losses caused by merchant-side vulnerabilities, plugins, password practices, or data leakage.
7. Notification reliability
PayCore provides notification and retry mechanisms, but delivery may be affected by merchant servers, firewalls, DNS, third-party services, and network status. Merchants should implement idempotency and active status queries.
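The checks in sections 3 and 7, combined in one merchant-side handler. This is an added example, not PayCore code: this page does not specify the signing scheme, so the HMAC-SHA256 over "timestamp.body" construction, the order_id and status fields, the 300-second window, and the query_status callable are all assumptions to be replaced with the values from the integration documentation.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a PayCore value


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class NotificationHandler:
    def __init__(self, secret, query_status, now=time.time):
        self.secret = secret
        self.query_status = query_status  # hypothetical server-side status lookup
        self.now = now
        self.processed = set()  # in production: a unique constraint in the database

    def handle(self, timestamp: str, signature: str, body: bytes) -> str:
        # 1. Signature first, in constant time, over the raw bytes as received.
        expected = sign(self.secret, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected: bad signature"
        # 2. The timestamp is covered by the MAC, so it can be used for freshness.
        try:
            age = abs(self.now() - int(timestamp))
        except ValueError:
            return "rejected: bad timestamp"
        if age > TOLERANCE_SECONDS:
            return "rejected: stale timestamp"
        # 3. Parse the payload only after it has been authenticated.
        event = json.loads(body)
        order_id = event["order_id"]
        # 4. Idempotency: a retried notification must not fulfil the order twice.
        if order_id in self.processed:
            return "ok: duplicate ignored"
        # 5. Confirm the state with an active query instead of trusting the payload.
        if event.get("status") != "paid" or self.query_status(order_id) != "paid":
            return "ignored: not paid"
        self.processed.add(order_id)
        return "ok: fulfilled"
```

Duplicates are acknowledged with a success result so that the sender's retry mechanism stops, while the order is fulfilled only once.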
8. Security reports
If you find a suspected security issue, please provide reproducible steps, time, URL, error messages, and impact scope through the Support Center. Do not publicly disclose or exploit vulnerabilities.