Keeping communication with Google Payments secure

There are a number of measures you can take to keep your communications with Google Payments secure:

  • Never share your Merchant Key with anyone.

  • Send order processing commands over a secure HTTPS connection.
    When sending order processing commands to Google, use an HTTPS connection secured by 128-bit SSL v3 or TLS connection (SSL v2 is not allowed). Use your Merchant ID and Merchant Key as the username and password for HTTP Basic Authentication.

  • Verify the authenticity of the server certificate presented to you.

  • Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid certificate from a major Certifying Authority to receive Google notifications.
    Only accept messages authenticated by HTTP Basic Authentication, using your Merchant ID and Merchant Key as the username and password.

  • Validate messages sent to your callback URL before processing them.