Security controls in place
Paylead is implementing a subset of mechanisms to ensure safe implementation and use of its APIs.Encryption
Encryption
Paylead enforce use of cryptography with strong algorithms and parameters.
- In transit. All API endpoints and Webhooks use TLS 1.2 or higher with secured ciphersuites.
- At rest. Paylead encrypts stored data with industry-standard cryptography.
Authentication & Access control
Authentication & Access control
Program Managers interact with Paylead either through the Shift web portal, or directly with the Paylead API.
- Role-based access is enforced on Shift Portal. Refer to Sign in and users for more information on available roles.
- When resources are requested through API, the application backend enforce authorization check prior to process the operation.
Password policy
Password policy
While Paylead is implementing Single Sign-On (SSO) authentication for most of its web portals, password-based authentication may be used on the Shift portal (while not recommended).Minimal password requirement are enforced, as follow:
- minimal lengh of 14 characters
- at least 4 type of characters (uppercase, lowercase, digit, special)
- password must not includes the username
User session duration on Web interfaces
User session duration on Web interfaces
While Paylead APIs are stateless, mechanisms are implemented to control duration of validity of user sessions.
- When authenticated with SSO, active session are handled by the IDP server and remains valid during 30 minutes.
- In password-based authentication mode, all calls performed from the Shift web portal are authenticated with authorization http header. JWT bearer tokens remains valid during 8 hours.
Protection against web threats
Protection against web threats
- APIs are filtered with a Web Application Firewall and Rate limits are implemented.
- Security headers baseline is enforce on every API endpoints. Web interfaces enforce Content-Security-Policy as well.
- The Google Recaptcha solution is implemented on web interfaces with password-based authentication.
Webhook integrity
Webhook integrity
Webhooks carry an HMAC-SHA256 signature so your back-office can verify each event was emitted by Paylead. Each event also carries an
event_id to enable idempotent processing on your side.Report a vulnerability
At Paylead, we are eager to protect our customers data and ensure the security of our services at all times. We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure. All reports are thoroughly investigated internally. If you would like to report a potential weakness, you can contact us at the following address: vulnerabilities@paylead.fr You may encrypt your report to this list using the GPG key of Security team. Encryption using GPG is NOT required to make a disclosure.GPG key
GPG key
- You think you discovered a potential security vulnerability in Paylead’s APIs or services
- You are unsure how a vulnerability affects Paylead’s APIs or services
- You think you discovered a vulnerability in another project that Paylead may depends on
What’s next
API reference
Browse the Program API endpoints and download the OpenAPI specs.
WebApp (MFP)
Embed the Paylead WebApp inside your bank mobile app.