Security

QuantaPay is designed with security as a core principle. This page explains our security model and best practices for merchants.

Updated: 3/9/2026

Non-Custodial Model

QuantaPay is fully non-custodial. This means:

  • We never hold your funds. Payments go directly from the customer's wallet to your wallet address.
  • We never have access to your private keys. You maintain full control of your wallets.
  • No withdrawal process. Funds are in your wallet as soon as they're confirmed on the blockchain.

How It Works

  1. You configure your wallet addresses in QuantaPay settings.
  2. When a customer pays, QuantaPay shows them your wallet address and the required amount.
  3. The customer sends cryptocurrency directly to your wallet.
  4. QuantaPay monitors the blockchain for the transaction and confirms it.
  5. QuantaPay notifies you via webhook when the payment is confirmed.

At no point does QuantaPay have custody of or access to your funds.

Fake Token Protection

QuantaPay includes built-in protection against fake token attacks:

  • Contract address verification: For ERC-20 and BEP-20 tokens, QuantaPay verifies the token's smart contract address to ensure it matches the expected token.
  • Amount verification: Transaction amounts are verified against the expected payment amount.
  • Blockchain confirmation: Payments must reach the configured number of blockchain confirmations before being marked as complete.

What is a Fake Token Attack?

Attackers may create tokens with the same name (e.g., "USDT") but a different contract address. If a payment system only checks the token name and not the contract address, it could accept worthless tokens as payment. QuantaPay verifies the actual contract address to prevent this.

API Security

API Key Authentication

All API requests require your API key. Keep it confidential:

  • Never expose it in client-side JavaScript
  • Don't commit it to public repositories
  • Rotate it if compromised (Settings → Account)

HMAC Signature Verification

For checkout session creation, you can add HMAC-SHA256 signatures to prevent request tampering:

  • Signatures use your Webhook Secret Key
  • Timestamps prevent replay attacks (5-minute window)

Webhook Verification

Incoming webhooks include your Webhook Secret Key in the payload. Always verify that this value matches your stored secret before processing the webhook.

Best Practices for Merchants

1. Use HTTPS Everywhere

  • Your webhook endpoint must use HTTPS
  • Your website should use HTTPS for embedding payment forms

2. Secure Your API Keys

  • Store API keys in environment variables, not in code
  • Use server-side code for API calls, never client-side
  • Rotate keys periodically

3. Verify Webhooks

  • Always check the key field in webhook payloads
  • Implement idempotent webhook handlers (prevent double-processing)
  • Log all incoming webhooks for audit trails
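The three webhook checks above (key field, idempotency, audit logging) can be combined in one handler. This is an added example, not QuantaPay's own code: only the key field comes from this page, while the transaction_id and status field names, the status codes returned, and the sample payload are assumptions.

```python
import hmac
import json
import logging

log = logging.getLogger("webhook_audit")

# Constructed sample delivery; every field name except "key" is an assumption.
SAMPLE = b'{"key": "constructed-secret", "transaction_id": "tx-1001", "status": "confirmed"}'


class WebhookProcessor:
    """Checks the payload's key field, then processes each event exactly once."""

    def __init__(self, secret, on_event):
        if not secret:
            raise ValueError("webhook secret is not configured")
        self._secret = secret.encode()
        self._on_event = on_event
        self._seen = set()  # in production: a unique-keyed database table

    def handle(self, raw_body):
        """Return the HTTP status code the endpoint should answer with."""
        try:
            payload = json.loads(raw_body)
        except ValueError:  # also covers invalid UTF-8
            log.warning("rejected: body is not valid JSON")
            return 400
        supplied = payload.get("key") if isinstance(payload, dict) else None
        # Constant-time comparison; a missing or non-string key is rejected.
        if not isinstance(supplied, str) or not hmac.compare_digest(
                supplied.encode(), self._secret):
            log.warning("rejected: key missing or mismatched")
            return 401
        event = {k: v for k, v in payload.items() if k != "key"}
        log.info("accepted: %s", json.dumps(event, sort_keys=True))  # audit, no secret
        dedup = (event.get("transaction_id"), event.get("status"))
        if not all(isinstance(part, str) and part for part in dedup):
            return 400
        if dedup in self._seen:
            return 200  # repeat delivery: acknowledge without reprocessing
        self._on_event(event)
        self._seen.add(dedup)  # marked only after processing succeeded
        return 200


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    processor = WebhookProcessor("constructed-secret", print)
    print(processor.handle(SAMPLE), processor.handle(SAMPLE))  # second is a duplicate
```

In a real deployment, load the secret from an environment variable and replace the in-memory set with durable storage so duplicates are still caught after a restart.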

4. Use Appropriate Confirmations

  • For low-value transactions (< $50): 1-3 confirmations
  • For medium-value ($50-$500): 3-6 confirmations
  • For high-value (> $500): 6+ confirmations, or enable High-Value Confirmation Increase

5. Monitor Your Dashboard

  • Check the Transactions page regularly
  • Enable email notifications for key events
  • Review underpayment and expired transactions

6. Keep Software Updated

  • Update the WordPress plugin when new versions are available
  • Monitor the changelog for security fixes

Data Privacy

  • QuantaPay only stores data necessary for transaction processing.
  • Customer wallet addresses are visible on the public blockchain.
  • No personal financial data (bank accounts, credit cards) is collected.
  • Transaction data is retained for reconciliation purposes.