Security Best Practices
Integrating with the MIDSuite Client API involves transmitting payment and identity-related information. Proper security practices are essential to protect customer data, maintain regulatory compliance, and reduce the risk of fraud or data exposure.
This section outlines recommended practices for securing your integration.
Protecting API Keys
Your API key authenticates requests to the MIDSuite API. Treat it as a high-sensitivity secret.
Store API Keys Securely
API keys should never be stored in source code or committed to version control.
Recommended storage methods:
- Secure environment variables
- Secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.)
- Encrypted configuration storage
- Server-side configuration files outside the web root
Avoid:
- Hardcoding keys in frontend code
- Embedding keys in mobile applications
- Storing keys in plaintext configuration files
Restrict Key Exposure
API requests must always originate from trusted backend systems. Client-side applications should never call the MIDSuite API directly.
Correct architecture:
Client → Your Backend → MIDSuite API
This ensures your API key remains private.
Rotate Keys Periodically
Regular API key rotation reduces the risk associated with accidental exposure.
Recommended practices:
- Rotate keys periodically according to your internal security policy
- Immediately rotate keys if compromise is suspected
- Avoid reusing keys across environments (sandbox vs production)
Transport Security
All API requests must be sent over HTTPS.
TLS encryption ensures:
- Card and identity data remain confidential during transit
- Requests cannot be modified in transit
- API credentials are protected from interception
Requests sent over unsecured HTTP are not supported.
PCI Considerations
Many integrations involve handling payment card data. Integrators must ensure their systems comply with PCI DSS requirements applicable to their environment.
Key recommendations:
Limit Card Data Handling
Where possible:
- Avoid storing full card numbers
- Do not persist CVV values
- Transmit card data only when required for a transaction
Secure Transmission
Ensure card data is:
- Sent only over encrypted connections
- Processed only by secure backend services
- Never logged or exposed in error messages
Logging Best Practices
Application logs should never include sensitive fields, such as:
- Card numbers
- CVV values
- Identity document numbers
- Full customer personal data
If logging requests for debugging purposes, redact or mask sensitive values.
Example masking pattern:
411111******1111
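One way to apply this masking to application logs, shown as an added example that is not part of the MIDSuite documentation: a Python logging filter that masks card numbers to the first six and last four digits and blanks the security code before a record is written. The field names (cvv, cvc, cvv2), the logger name and the sample log line are assumptions.

```python
import logging
import re

# Candidate card numbers: four groups of four digits, or 13-19 contiguous digits.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b")
# Assumed field names for the security code; adjust to your own payloads.
CVV_RE = re.compile(r'(?i)("?\b(?:cvv|cvc|cvv2)\b"?\s*[:=]\s*"?)\d{3,4}')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps order ids and timestamps readable in logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):  # drop this check to mask every 13-19 digit run
        return match.group()
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Blank out security codes, then mask card numbers (first 6 / last 4)."""
    return PAN_RE.sub(mask_pan, CVV_RE.sub(r"\1[REDACTED]", text))


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so values passed as logging arguments are scrubbed too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("payments")  # assumed logger name
    log.addHandler(handler)
    # Constructed sample line using a widely published test card number.
    log.warning('request failed: {"card": "4111 1111 1111 1111", "cvv": "123"}')
```

Pattern-based redaction is a safety net for values that reach the logger by accident; it does not replace keeping card and identity fields out of log calls in the first place.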
Minimizing Sensitive Data Retention
Reducing the amount of stored sensitive data significantly lowers security risk.
Recommended practices:
- Store only data required for business operations
- Remove temporary transaction data once processing is complete
- Avoid storing identity verification documents or numbers unless necessary
If retention is required:
- Encrypt sensitive data at rest
- Restrict access to authorized systems and personnel
- Implement audit logging for data access
Network Security Controls
Restricting network access to your integration environment improves overall security.
IP Allowlisting
If your infrastructure supports it, limit outbound API access to trusted servers.
Best practice:
- Only backend servers performing fraud checks should access the API
- Prevent developer workstations or untrusted environments from making production requests
Firewall and Egress Controls
Use network policies or firewall rules to restrict outbound traffic so that only necessary services can communicate with MIDSuite endpoints.
Environment Separation
Maintain strict separation between sandbox and production integrations.
Recommended practices:
- Use separate API keys for each environment
- Do not send real customer data to sandbox
- Ensure production credentials are never used in development environments
Monitoring and Incident Response
Security monitoring helps detect abnormal behavior quickly.
Recommended practices:
- Monitor API usage for unusual traffic patterns
- Alert on unexpected request spikes or geographic anomalies
- Log request identifiers to support troubleshooting
If a security issue is suspected:
- Immediately rotate affected API keys
- Review API request logs
- Investigate potential exposure points in your infrastructure
Secure Development Practices
Finally, ensure your integration follows general secure development standards.
Recommended practices include:
- Regular dependency updates
- Code review for security risks
- Automated vulnerability scanning
- Secure secrets management
- Access control for infrastructure and CI/CD systems
Following these practices helps ensure your integration remains secure while processing sensitive payment and identity verification data through the MIDSuite platform.

