pelecard-payment-gateway
Audited by Socket on Jun 13, 2026
1 alert found:
Obfuscated FileThe integration model is sound in prioritizing server-side verification and deduplication, with a strong stance against trusting IPNs alone. Key security concerns to verify in implementation include protecting Phase-1/ConfirmationKey storage, securing PelecardTransactionId and DebitTotal within GetTransaction flows, robust idempotency and replay protection, strict least-privilege handling for credentials, careful logging controls, and explicit controls around ActionType handling to prevent silent mischarging. Given the complexity and breadth of features (tokenization, 3DS2, Apple Pay, refunds, and reconciliation), the supply-chain risk is medium to high if proper controls are not enforced; ensure explicit cryptographic validation of IPNs where applicable, secure storage and rotation of secrets, and comprehensive monitoring for anomalous flows.