Encryption
Understand how Chapa protects sensitive payment data during Direct Charge and other payment flows.
Encryption ensures that sensitive payment data exchanged during Direct Charge and other Chapa payment flows is protected from unauthorized access.
Chapa enforces strong encryption standards across all payment operations to protect:
- Customer data (phone numbers, emails)
- Payment references and metadata
- Authorization flows (PIN, OTP, USSD triggers)
Security is a shared responsibility. Chapa secures data in transit and at rest. Merchants must secure data on their side.
Data Protection Model
1. Encryption in Transit
All requests to Chapa APIs must use HTTPS (TLS 1.2 or higher).
This protects:
- API keys
- Payment payloads
- Authorization responses
- Webhook deliveries
HTTP requests are not allowed.
2. Encryption at Rest (Chapa Side)
Chapa encrypts sensitive data at rest, including:
- Transaction records
- Customer identifiers
- References and metadata
- Internal authorization artifacts
This encryption is handled automatically and requires no merchant action.
Sensitive Data Categories
The following data is considered highly sensitive:
| Data Type | Sensitivity |
|---|---|
| API keys (especially secret keys) | Critical |
| Customer PINs | Critical |
| OTP values | Critical |
| Authorization tokens | Critical |
| Bank account numbers | High |
Merchants must never store or log PINs or OTPs.
Authorization Data Handling
When dealing with Direct Charge authorization:
PINs and OTPs must:
- Be collected securely
- Be sent only over HTTPS
- Never be logged, cached, or stored
Authorization values must:
- Exist only in memory
- Be discarded immediately after submission
Never persist authorization data in databases, logs, or analytics tools.
Webhook Security & Encryption
HTTPS Requirement
Webhook endpoints must:
- Use HTTPS
- Be publicly reachable
- Return a
200 OKresponse
Payload Integrity
Webhook payloads:
- Are delivered over TLS
- May include shared secrets or signatures (if enabled)
Always verify webhook origin before processing events.
API Key Security
Best Practices
| Do | Don't |
|---|---|
| Store API keys in environment variables | Expose secret keys in frontend code |
| Rotate keys periodically | Commit keys to version control |
| Use test keys in Test Mode only | Share keys across environments |
Frontend Encryption (If Applicable)
If you collect customer data in the browser:
- Always use HTTPS
- Avoid exposing sensitive logic
- Delegate sensitive operations to your backend
- Use Chapa-hosted checkout where possible
Compliance & Standards
Chapa aligns with common industry best practices, including:
- Secure transport (TLS)
- Principle of least privilege
- Secure credential management
- Transaction and audit logging
For high-risk or regulated businesses, additional controls may apply.
Common Security Mistakes to Avoid
| Mistake | Risk |
|---|---|
| Logging full request or response payloads | Exposes sensitive data |
| Storing PINs or OTPs | Compliance violation |
| Exposing private API keys | Account compromise |
| Using HTTP for webhooks | Data interception |
| Reusing expired authorization data | Failed transactions |
Next Steps
- Initiate Payment - Start a Direct Charge
- Authorize Payment - Complete authentication
- Webhooks - Secure webhook handling