Keeping communication with Google Payments secure
There are a number of measures you can take to keep your communications with Google Payments secure:
- Never share your Merchant Key with anyone.
- Send order processing commands over a secure HTTPS connection.
When sending order processing commands to Google, use an HTTPS connection secured by 128-bit SSL v3 or TLS connection (SSL v2 is not allowed). Use your Merchant ID and Merchant Key as the username and password for HTTP Basic Authentication.
- Verify the authenticity of the server certificate presented to you.
- Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid certificate from a major Certifying Authority to receive Google notifications.
Only accept messages authenticated by HTTP Basic Authentication, using your Merchant ID and Merchant Key as the username and password.
- Validate messages sent to your callback URL before processing them.