Security
Paymenter Security Model
Threat model and security architecture for Paymenter billing backend
Paymenter is the billing backend for tasmanian.cloud. This document outlines the security model for payment processing, customer data protection, and integration security.
Security Goals
The Paymenter security model aims to provide:
- Confidentiality — Customer payment data and billing information protected
- Integrity — Billing records tamper-evident and accurate
- Availability — Billing system available for invoicing and payments
- Compliance — PCI DSS alignment for payment processing
- Auditability — All financial transactions logged
- Fraud prevention — Detection and prevention of fraudulent transactions
Threat Model
In Scope (Threats We Protect Against)
- Payment card fraud — Stolen cards, chargebacks, testing attacks
- Billing record tampering — Unauthorized modification of invoices
- Payment interception — Man-in-the-middle on payment flows
- Customer data exposure — Leakage of PII or payment methods
- Privilege escalation — Users accessing other customers' billing data
- API abuse — Automated attacks on billing endpoints
- Webhook spoofing — Fake payment gateway callbacks
- Invoice manipulation — Customers modifying invoice amounts
Out of Scope (Threats We Do Not Protect Against)
- Compromised payment gateways — Stripe/PayPal breaches
- Customer endpoint compromise — Keyloggers stealing credentials
- Social engineering — Phishing for admin access
- Insider threats (admin) — Root access to Paymenter server
- Physical server theft — Hardware theft with data
- Cryptographic breaks — Failure of TLS or encryption
- Regulatory non-compliance — Customer's own compliance obligations
- Chargeback fraud — Legitimate customers disputing valid charges
External Threat Overview
Architecture Components
┌─────────────────────────────────────────────────────────────────┐
│ Customer │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ O2S │ │ Browser │ │
│ │ Portal │ │ (Direct) │ │
│ └──────┬───────┘ └──────┬───────┘ │
└─────────┼────────────────┼──────────────────────────────────────┘
│ │
└────────────────┘
│
┌────────▼────────┐
│ O2S Backend │
│ (API Calls) │
└────────┬────────┘
│
┌────────▼────────┐
│ Paymenter │
│ (Internal) │
│ │
│ ┌───────────┐ │
│ │ Billing │ │
│ │ Engine │ │
│ └─────┬─────┘ │
│ │ │
│ ┌─────▼─────┐ │
│ │ Invoice │ │
│ │ Service │ │
│ └─────┬─────┘ │
│ │ │
│ ┌─────▼─────┐ │
│ │ Payment │ │
│ │ Gateway │ │
│ │ Adapter │ │
│ └─────┬─────┘ │
└────────┼────────┘
│
┌─────────────┼─────────────┐
│ │ │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐
│ Stripe │ │ PayPal │ │ Bank │
│(Cards) │ │(Various)│ │Transfer │
└─────────┘ └─────────┘ └─────────┘Trust Boundaries
Untrusted:
- Customer browsers
- Public internet
- Payment gateways ( Stripe, PayPal)
Semi-Trusted:
- O2S backend (makes API calls to Paymenter)
Trusted:
- Paymenter application (internal network only)
- PostgreSQL database (encrypted)
- Redis cache (no sensitive data)
Communication Security
| Connection | Protocol | Authentication | Notes |
|---|---|---|---|
| O2S → Paymenter | HTTPS (TLS 1.3) | API key + IP whitelist | Internal network only |
| Paymenter → Stripe | HTTPS (TLS 1.3) | Stripe API keys | Webhook verification |
| Paymenter → PayPal | HTTPS (TLS 1.3) | OAuth 2.0 | SDK-level encryption |
| Paymenter → DB | TLS 1.3 | Certificate auth | Encrypted connections |
Internal Threat Overview
Payment Processing Flow
┌─────────────────────────────────────────────────────────────┐
│ Payment Processing Flow │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. Invoice Generation │
│ ├── O2S requests invoice creation │
│ ├── Paymenter calculates amount │
│ ├── Invoice stored in PostgreSQL │
│ └── Invoice ID returned to O2S │
│ │
│ 2. Customer Payment │
│ ├── Customer clicks "Pay Now" in O2S │
│ ├── O2S redirects to Paymenter checkout │
│ ├── Paymenter initiates Stripe/PayPal session │
│ └── Customer enters payment details (on gateway) │
│ │
│ 3. Payment Confirmation │
│ ├── Gateway processes payment │
│ ├── Gateway sends webhook to Paymenter │
│ ├── Paymenter verifies webhook signature │
│ ├── Invoice marked as paid │
│ └── Receipt sent to customer │
│ │
│ 4. Provisioning │
│ ├── Paymenter notifies O2S of successful payment │
│ ├── O2S activates/extends resources │
│ └── Customer gains access │
│ │
└─────────────────────────────────────────────────────────────┘Data Protection
Sensitive Data Handling
| Data Type | Storage | Encryption | Retention |
|---|---|---|---|
| Credit card numbers | Never stored | N/A | N/A |
| Card tokens | In Stripe only | Stripe-managed | Per Stripe policy |
| Customer PII | PostgreSQL | AES-256 at rest | 7 years (tax) |
| Invoices | PostgreSQL | AES-256 at rest | 7 years |
| Payment logs | PostgreSQL | AES-256 at rest | 1 year |
No card data ever touches our servers.
Tokenization
Stripe provides tokens for recurring payments:
// Paymenter stores only the customer ID and payment method ID
$customer = Customer::create([
'email' => $user->email,
'name' => $user->name,
]);
// Store only: cus_abc123 (customer ID)
// Never store: card numbers, CVV, etc.Webhook Security
Payment gateways send webhooks for event notifications:
// Stripe webhook verification
$payload = @file_get_contents('php://input');
$sig_header = $_SERVER['HTTP_STRIPE_SIGNATURE'];
$event = null;
try {
$event = \Stripe\Webhook::constructEvent(
$payload,
$sig_header,
$webhook_secret // Known only to us
);
} catch(\UnexpectedValueException $e) {
// Invalid payload
http_response_code(400);
exit();
} catch(\Stripe\Exception\SignatureVerificationException $e) {
// Invalid signature
http_response_code(400);
exit();
}
// Process verified event
handlePaymentEvent($event);Security properties:
- Webhook secret known only to Paymenter
- Signature verification prevents spoofing
- Idempotency keys prevent duplicate processing
Access Control
Paymenter uses role-based access:
| Role | Permissions |
|---|---|
admin | Full billing system access |
billing | View invoices, process refunds |
support | View invoices, no payment actions |
customer | View own invoices, make payments |
Important: Customers can only access their own billing data (enforced at database query level).
Fraud Detection
Basic fraud prevention measures:
| Check | Action |
|---|---|
| Velocity | Max 3 payment attempts per 10 minutes |
| Amount | Flag invoices >$1000 for review |
| Geography | Block high-risk countries |
| 3D Secure | Required for all cards |
| AVS/CVV | Verify address and CVV match |
Attack Scenarios and Mitigations
Scenario 1: Webhook Replay Attack
Attack: Attacker captures valid webhook and replays it.
Mitigations:
- Webhook signatures include timestamp
- Idempotency keys tracked in database
- Duplicate events ignored
Scenario 2: Invoice Tampering
Attack: Customer modifies invoice amount in URL.
Mitigations:
- Invoice amounts server-calculated
- Cryptographic checksums on invoices
- Any modification detected and rejected
Scenario 3: Payment Gateway Impersonation
Attack: Attacker sends fake webhook claiming payment.
Mitigations:
- Webhook signature verification
- HTTPS only (no HTTP fallback)
- IP whitelist for known gateway IPs
Scenario 4: Database Breach
Attack: Attacker gains access to Paymenter database.
Mitigations:
- No card numbers stored (tokens only)
- PII encrypted at rest
- Database credentials rotated regularly
- Access limited to internal network
Compliance
PCI DSS
Paymenter is designed to minimize PCI scope:
| Requirement | Implementation |
|---|---|
| 1: Firewall | Network segmentation, WAF |
| 2: Default passwords | All defaults changed |
| 3: Stored card data | No card data stored |
| 4: Encrypted transmission | TLS 1.3 everywhere |
| 6: Secure development | Code review, dependency scanning |
| 8: Authentication | Strong passwords, MFA for admins |
| 10: Logging | All payment events logged |
Scope: SAQ A (lowest scope) - card data never touches our servers.
Tax Compliance
- GST calculation and reporting
- Invoice retention (7 years)
- Audit trail for all transactions
Security Controls Summary
| Control | Implementation | Verification |
|---|---|---|
| Card data handling | Tokenization (Stripe) | PCI audit |
| Encryption | TLS 1.3, AES-256 at rest | SSL Labs scan |
| Webhook security | HMAC signature verification | Penetration testing |
| Access control | RBAC with least privilege | Access review |
| Fraud detection | Velocity checks, 3D Secure | Fraud metrics |
| Audit logging | All transactions logged | Log review |
| Database security | Encryption, network isolation | Vulnerability scan |