During the code review, we'll do a screenshare with you to make sure everything's ready to move into production. Below are some things to prepare before the review to make sure everything goes smoothly.
1) Make sure your payment flow matches what was described on your Flow of Funds document.
2) Review our KYC requirements. Make sure you're submitting this information. For integration-specific requirements, refer to your Flow of Funds + CIP.
3) Familiarize yourself with ACH transaction times.
Security Best Practices:
4) Make sure your site is secure (we require SSL certificates). Send us your SSL Labs report.
5) Use HMAC for Webhooks
6) Securely store & encrypt client_id & client_secret (Here's a suggested way to do so)
7) Don't create passwords when you create a user. (Passwords are only needed for users that will log in to SynapsePay's dashboard.)
8) Don't store account & routing numbers or online banking logins.
9) Supply real IP addresses for users (when a user is created AND when they create a transaction)
10) Supply fingerprints for your users. If you prefer not to trigger 2FA, supply a hashed fingerprint instead & use our synapsepay.min.js file (step 3 of this post)
11) Use webhooks to stay updated on your transaction statuses
- Please check transaction status & transaction codes.
- Be aware that returns & chargebacks may occur after transactions settle.
- SSN is no match (1111), partial match (3333) or full match (2222)
- Bank added via online banking logins asks more than one MFA question.
- Bank added via online banking logins returns multiple accounts
- Bank added via account/routing number requires micro-deposits
- Receiving transaction codes via webhook (see transaction codes)
- Updating a user's Bank Info
13) Prevent duplicate transactions with idempotency keys.
13) Review requirements for authorizing ACH payments. These include:
14) Let customers know what to expect on their bank statement (Your Business Name + Support Number).
15) Let customers know how to cancel, change or dispute a transaction with you.
16) In the case of a return: If funds were already sent to the recipient, please notify the recipient that we will be debiting those funds back from their account (this reduces the risk of chargebacks)
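For items 5 and 11 (HMAC for webhooks, transaction status updates), here is one way a webhook receiver can authenticate a delivery before acting on it. This is an added example, not SynapsePay's code. The signing scheme (hex HMAC-SHA256 over the raw request body), the secret, and the "id" and "status" payload fields are assumptions; take the real header name, hash and signed fields from the webhook documentation.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; load the real secret from your secret store.
SECRET = b"constructed-example-secret"


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature: Optional[str], secret: bytes) -> bool:
    """True only if the signature matches the exact bytes received."""
    if not signature:
        return False
    received = signature.strip().lower().encode()
    # compare_digest runs in constant time, so a mismatch leaks no position.
    return hmac.compare_digest(sign(body, secret).encode(), received)


class WebhookHandler:
    """Authenticates deliveries, then applies each status change once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()   # (transaction id, status) pairs already applied
        self.status = {}    # transaction id -> last applied status

    def handle(self, body: bytes, signature: Optional[str]) -> int:
        """Return an HTTP-style status code for one delivery."""
        if not verify_webhook(body, signature, self.secret):
            return 401      # reject before parsing unauthenticated input
        try:
            event = json.loads(body)
            key = (event["id"], event["status"])   # hypothetical field names
        except (ValueError, KeyError, TypeError):
            return 400
        if not all(isinstance(v, str) for v in key):
            return 400
        if key in self.seen:
            return 200      # redelivery: acknowledge without reapplying
        self.seen.add(key)
        self.status[key[0]] = key[1]
        return 200
```

Verify against the raw bytes as received, not a re-serialized copy of the parsed JSON, since re-encoding can change whitespace or key order and break the match.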
After the code review:
- Exact name that you want to appear on your customers' bank statements
- Your support line number to include on your customers' bank statements
- List of IP addresses you plan to ping our API with