Cashfree Payments delivers a robust suite of security features designed to combat fraud, block unauthorized access, and prevent compliance issues. By safeguarding your payments infrastructure, customer data, and business accounts, we help build lasting trust and support seamless operations. Every layer of our security ecosystem contributes to Cashfree’s industry-leading protection.
  • API security: Protects APIs from unauthorised access and misuse through authentication keys, rate limiting, and secure key management.
  • Merchant experience security: Strengthens account safety with merchant verification, two-factor authentication (2FA), and IP whitelisting.
  • Infrastructure security: Complies with global standards including PCI DSS, ISO certifications, and SOC 2 Type 2 to safeguard systems, data, and end-to-end communications.
  • Payments security: Secures transactions through tokenisation, real-time verification, and bank account verification.
  • Transaction Risk and Fraud: Detects and prevents high-risk transactions using ML-driven fraud monitoring, various checks, and integrations with the Government of India, available within RiskShield by Cashfree.

API security

API security is crucial for protecting merchants from unauthorized access by former employees or malicious actors. Cashfree implements multi-layered defences, including two-factor authentication (2FA), IP whitelisting, unique API keys per product, and role-based access control (RBAC).

Authentication keys

These keys ensure secure access to Cashfree dashboards and APIs, backed by rigorous safeguards.
  • Merchant authentication: Uses x-client-id and x-client-secret headers as a secure username-password pair. Partners use x-partner-api-key and x-partner-merchantid headers.
  • Unique API keys for every product: Each Cashfree product, like Payments API or Payouts API, requires its own client_id and client_secret. This limits damage from a compromised key. High-risk services like Payouts, Cashgram, and Global Collections also mandate two-step authentication.
  • Role-based access control (RBAC): Account owners can add team members and assign predefined roles such as Finance, Tech, or Support. This controls each user’s permissions and access levels.
  • Secure key generation: API keys must be generated in the production environment using 2FA. Only one key pair can be active at a time for the Payments API. Merchants can whitelist up to 10 keys for Secure ID and up to 25 IP addresses for Payouts.
  • Bearer token authentication: Temporary tokens, obtained via the Authorize API, must be included in session calls for added security.

Rate limiting

The rate limiting feature defends against DDoS attacks, enforces fair usage, and isolates suspicious traffic.
  • Limit types: Applied by IP address and account ID for balanced protection.
  • Real-time headers: API responses include x-ratelimit-limit, x-ratelimit-remaining, x-ratelimit-reset, and x-ratelimit-retry.
  • Examples in production:
    • Create Order: 200 requests per minute (account-based)
    • Pay Order: 100 requests per minute (IP-based)
    • Get Payments: 100 requests per minute (account-based)
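
The following is an added example, not Cashfree's code: a small server-side limiter that applies the two limit types listed above (account-based and IP-based, with the production figures quoted for the three endpoints) and emits the four rate-limit headers the page names. The fixed one-minute window, the meaning of x-ratelimit-reset (seconds until the window rolls over) and of x-ratelimit-retry (seconds to wait after a 429) are assumptions of this example, not documented Cashfree behaviour.

```python
# Added example (not Cashfree's implementation). Assumptions: a fixed 60-second
# window per key, x-ratelimit-reset = seconds until the window resets, and
# x-ratelimit-retry = seconds to wait, only present on a rejected request.

# Endpoint -> (limit scope, requests per minute), figures as quoted on the page.
POLICIES = {
    "create_order": ("account", 200),
    "pay_order": ("ip", 100),
    "get_payments": ("account", 100),
}


class RateLimiter:
    """Fixed-window counter keyed by an arbitrary string (IP or account id)."""

    def __init__(self, limit, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._windows = {}  # key -> (window_start, count)

    def check(self, key, now):
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._windows[key] = (start, count)
        reset = max(0, int(start + self.window - now))
        headers = {
            "x-ratelimit-limit": str(self.limit),
            "x-ratelimit-remaining": str(max(0, self.limit - count)),
            "x-ratelimit-reset": str(reset),
        }
        if not allowed:
            headers["x-ratelimit-retry"] = str(reset)
        return allowed, headers


class ApiGate:
    """Routes each endpoint to its limiter, keyed by account id or client IP."""

    def __init__(self):
        self.limiters = {
            name: RateLimiter(limit) for name, (_, limit) in POLICIES.items()
        }

    def handle(self, endpoint, account_id, client_ip, now):
        scope, _ = POLICIES[endpoint]
        key = account_id if scope == "account" else client_ip
        allowed, headers = self.limiters[endpoint].check(f"{endpoint}:{key}", now)
        return (200 if allowed else 429), headers


if __name__ == "__main__":
    gate = ApiGate()
    for _ in range(101):
        status, hdrs = gate.handle("pay_order", "acct_1", "203.0.113.5", now=0)
    print(status, hdrs)  # the 101st call in the same minute is rejected
```

Because the scope differs per endpoint, a single account sending from many IPs is bounded on Create Order while a single IP spraying Pay Order is bounded regardless of how many accounts it names; clients should read x-ratelimit-remaining and back off before hitting 429 rather than retrying blindly.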

Secured API key generation and sharing

Keys are generated securely via the merchant dashboard with 2FA, and access is restricted through IP whitelisting or public key cryptography.
  • Dashboard-based generation: API keys are generated through the dashboard with 2FA. Merchants can securely download and store these keys.
  • Dynamic IP support: For non-static IPs, use RSA encryption of clientId.currentTimestamp to create temporary signatures sent in the X-Cf-Signature header.
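
As an added example (not Cashfree's SDK code), the following shows both halves of the dynamic-IP scheme described above: the client encrypts "clientId.currentTimestamp" with Cashfree's RSA public key and sends the result in X-Cf-Signature, and the receiving side decrypts it with the private key, checks the client id, and rejects stale timestamps so a captured signature cannot be replayed indefinitely. The PKCS#1 v1.5 padding, base64 encoding, the five-minute freshness window, and the locally generated key pair are assumptions of this example; it uses the third-party cryptography package.

```python
import base64
import time

# Added example (not Cashfree's code). Assumptions: PKCS#1 v1.5 padding, base64
# encoding of the ciphertext, a unix-seconds timestamp and a 300-second freshness
# window. The key pair from demo_keypair() is generated locally for illustration.


def build_payload(client_id, timestamp):
    """The message is the client id and a unix timestamp joined by a dot."""
    return f"{client_id}.{int(timestamp)}"


def sign_request(client_id, public_key_pem, now=None):
    """Client side: encrypt the payload with the provider's public key."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    pub = serialization.load_pem_public_key(public_key_pem)
    payload = build_payload(client_id, now if now is not None else time.time())
    ciphertext = pub.encrypt(payload.encode(), padding.PKCS1v15())
    return base64.b64encode(ciphertext).decode()


def verify_signature(signature_b64, private_key_pem, expected_client_id, now, max_age=300):
    """Server side: decrypt, then check client id and freshness. Returns (ok, reason)."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    priv = serialization.load_pem_private_key(private_key_pem, password=None)
    try:
        plain = priv.decrypt(base64.b64decode(signature_b64), padding.PKCS1v15()).decode()
        client_id, ts_text = plain.rsplit(".", 1)
        ts = int(ts_text)
    except Exception:
        return False, "malformed"
    if client_id != expected_client_id:
        return False, "client-id mismatch"
    if abs(now - ts) > max_age:  # bound the replay window for a captured header
        return False, "stale"
    return True, "ok"


def demo_keypair():
    """Generate a throwaway RSA-2048 key pair (demo only; the real public key is Cashfree's)."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    pub = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return priv, pub


if __name__ == "__main__":
    priv_pem, pub_pem = demo_keypair()
    sig = sign_request("CF_DEMO_ID", pub_pem)  # send as X-Cf-Signature
    print(verify_signature(sig, priv_pem, "CF_DEMO_ID", now=time.time()))
```

The important property is that the merchant only ever holds the public key, so a leaked signature reveals nothing reusable beyond the short validity window; the timestamp should be taken from a synchronised clock, since drift larger than the window causes legitimate requests to be rejected.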

Merchant experience security

These measures safeguard legitimate merchants, boost customer trust, and drive higher conversion rates through secure transactions.

Merchant security and customer trust

  • Merchant verification: Cashfree enforces a strict onboarding and compliance process to verify merchants before enabling payment acceptance.
  • Mandatory 2FA login: Merchants must use 2FA when logging in from a new device or every 30 days; the second factor can be an SMS OTP, an email OTP, or Google Authenticator.
  • Maker-checker framework for Payouts: For this high-risk product, Cashfree implements an Initiator-Approver control. This is a separation of duties where one user (“Initiator”) can only request a fund transfer, which must then be approved by a separate user (“Approver”) before funds are disbursed. This is a core control for preventing internal fraud and significant errors.
  • Trust indicators: Cashfree’s Trusted Business Badge and PCI DSS badges help build trust during checkout. Verified merchants display “Trusted by Cashfree” on checkout pages.
Know more about trust badges and boosting conversion.

Website or application whitelisting

Restricts checkout access to authorized domains and apps.
  • Domain and App whitelisting: Merchants must whitelist domains and mobile app package names before using checkout pages.
  • 24-hour review process: Websites must include policy pages (such as Contact Us, Terms and Conditions, Refunds and Cancellations) to qualify for whitelisting.

IP whitelisting

IP whitelisting restricts access to the dashboard and APIs to trusted IP addresses.
  • Mandatory IP whitelisting: Merchants must whitelist IPs for production. Only IPv4 addresses are supported for direct IP whitelisting.
  • Dynamic IP alternative: Merchants with dynamic IPs can use public key cryptography for secure API requests as an alternative to whitelisting.

Infrastructure security

Cashfree maintains robust infrastructure security in compliance with global data security standards, including PCI DSS and multiple ISO certifications.

Compliance certifications

Cashfree holds a range of reputable certifications, demonstrating its commitment to industry-leading security, data protection, and quality management standards.
Certification              Description
PCI DSS v4.0.1 Level 1     The highest grade of PCI DSS compliance for secure card data storage and processing.
ISO 27001:2022             Information Security Management System certification.
ISO 27017:2015             Cloud security services certification.
ISO 27018:2019             Protection of Personally Identifiable Information in public cloud.
ISO 9001:2015              Quality Management Systems certification.
SOC 2 Type 2               Continuous compliance management through automated GRC systems.

Communication security

Cashfree secures communications to protect against tampering and man-in-the-middle attacks.
  • Advanced signature verification: Employs HMAC SHA-256 signature verification; idempotency headers (x-idempotency-key) prevent duplicate processing of retried requests.
  • Secure webhooks: Webhook signature verification and headers such as x-webhook-timestamp and x-webhook-signature ensure authenticity.
  • Real-time notifications: Automated alerts for settlement status, payment success or failure, and other events.
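
The following is an added example, not Cashfree's code, of what a merchant-side webhook receiver should do with the x-webhook-timestamp and x-webhook-signature headers described above: recompute an HMAC-SHA256 over the timestamp and the raw body, compare it in constant time, reject stale deliveries, and process each event only once. The exact message layout (timestamp concatenated with the raw body), the use of the merchant secret as the HMAC key, base64 encoding, the five-minute replay window and the sample payload are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not Cashfree's code). Assumptions: signature =
# base64(HMAC-SHA256(key=secret, msg=timestamp + raw_body)), timestamps in unix
# seconds, a 300-second replay window, and a constructed JSON payload.

MAX_SKEW_SECONDS = 300


def compute_signature(secret, timestamp, raw_body):
    """MAC over the timestamp and the exact bytes received, not re-serialised JSON."""
    msg = timestamp.encode() + raw_body
    digest = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(headers, raw_body, secret, now=None):
    """Return (ok, reason). Order: presence, freshness, then constant-time MAC check."""
    now = time.time() if now is None else now
    ts = headers.get("x-webhook-timestamp")
    sig = headers.get("x-webhook-signature")
    if not ts or not sig:
        return False, "missing headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False, "stale"
    expected = compute_signature(secret, ts, raw_body)
    if not hmac.compare_digest(expected, sig):  # avoids timing leaks
        return False, "bad signature"
    return True, "ok"


class WebhookProcessor:
    """Accepts verified events and drops redelivered duplicates.
    Dedup key = SHA-256 of the raw body (an assumption; a real receiver would
    key on the event or payment id carried in the payload)."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = set()
        self.processed = []

    def handle(self, headers, raw_body, now=None):
        ok, reason = verify_webhook(headers, raw_body, self.secret, now)
        if not ok:
            return 400, reason
        key = hashlib.sha256(raw_body).hexdigest()
        if key in self.seen:
            return 200, "duplicate ignored"  # 200 so the sender stops retrying
        self.seen.add(key)
        self.processed.append(json.loads(raw_body))
        return 200, "processed"


# Constructed sample delivery (not a real Cashfree event).
SAMPLE_SECRET = "demo-webhook-secret"
SAMPLE_BODY = b'{"type":"PAYMENT_SUCCESS","order_id":"order_demo_1","amount":499.00}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    "x-webhook-timestamp": SAMPLE_TS,
    "x-webhook-signature": compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    proc = WebhookProcessor(SAMPLE_SECRET)
    print(proc.handle(SAMPLE_HEADERS, SAMPLE_BODY, now=1700000010))
    print(proc.handle(SAMPLE_HEADERS, SAMPLE_BODY, now=1700000020))  # duplicate
```

Two details matter in practice: the MAC must be computed over the raw request bytes (framework-parsed JSON re-encoded with different whitespace will never match), and the same at-most-once logic the receiver applies here is what x-idempotency-key gives the merchant on outgoing API calls that are retried after a timeout.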

Cashfree integrity

Cashfree Integrity protects merchants’ applications from tampering and malware.
  • App store verification: Ensures apps are installed only from trusted stores such as Google Play, the App Store, or brand-exclusive stores like Samsung’s Galaxy Store or GetApps by Xiaomi.
  • Package verification: Confirms installer package authenticity.
  • Tamper prevention: Prevents unauthorised modification and ensures transactions are accepted only from valid applications installed from verified stores, protecting against fraudulent successes and fund manipulation.

Payments security

Cashfree uses tokenisation, real-time fraud prevention, and advanced authentication protocols to protect every payment.

Card tokenisation and interoperability

Cashfree tokenisation features protect sensitive card details while maintaining a smooth payment experience.
  • PCI-compliant secure card tokenisation storage: Replaces sensitive card data with a secure, random token stored in a PCI-compliant vault. Eliminates most card-on-file risks while keeping one-click checkout convenience.
  • Interoperability: India’s first interoperable card tokenisation solution. Process card payments across multiple gateways or networks from a single integration point. Learn more about card tokenization.

Seamless and secure authentication

These authentication methods improve transaction success rates without reducing security.
  • 3D Secure 2.0: Advanced authentication protocol for real-time transaction verification.
  • CVV-less security: Uses tokenisation, OTP validation, and 3D Secure to enable secure transactions without CVV entry.

Penny drop verification and cross-border protection

Cashfree verifies bank accounts and safeguards cross-border transactions.

Transaction risk and fraud

Cashfree RiskShield is India’s first AI and machine learning–based transaction risk analyser. It reduces fraudulent transactions by up to 80% and chargeback-related losses by 50%.

Machine learning model

RiskShield uses AI and machine learning to detect and block suspicious activity.
  • AI/ML-based detection: Analyses more than 1 million data points to detect suspicious payments.
  • Real-time monitoring: Monitors domestic and international transactions.

Network Intelligence and authentication rules

RiskShield uses connected payment identifiers and rules to block organised fraud.
  • Network Intelligence: Uses cross-transaction mapping with Graph DB to block fraud rings.
  • Strong customer authentication logic: Applies 2FA exemptions to certain international payments.
  • Address verification service and CVV-based rules: Applies address verification and CVV rules to assess transaction risk.

Government database integration

RiskShield integrates with multiple government fraud databases.
  • Fraud Risk Indicator (FRI): Connects with the Department of Telecommunications, Indian Cybercrime Coordination Centre, law enforcement, banks, and fintech partners.

Device Intelligence

RiskShield identifies risky devices and blocks suspicious browsers.
  • Device Fingerprinting: Detects repeat fraud attempts from the same device.
  • TOR browser block: Prevents transactions from anonymous browsers often linked to fraud.

Custom rule engine

RiskShield lets you configure custom rules for fraud prevention, with composite rules, fraud analytics, and a manual review option.
  • Smart limits: Sets velocity checks based on transaction count or volume.
  • Composite rules engine: Creates complex rules to flag or block payments.
  • Rule backtest analysis: Tests rules before deployment to predict impact.
  • Fraud analytics: Provides insights on disputes, chargebacks, and rule performance.
  • Manual review: Allows manual approval for flagged transactions.

Blacklists and Whitelists

RiskShield provides tools to block fraud sources and allow trusted customers.
  • Cashfree’s premium and global blacklists: Lists known fraudsters and risky payment sources.
  • My Blacklist: Lets you block specific payment identifiers.
  • My Whitelist: Exempts trusted high-value customers from fraud checks.
  • High-risk countries blocking: Blocks payments from countries with high fraud risk.
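
The following is an added example, not RiskShield's implementation, that puts the custom-rule and list concepts from the two sections above into one small engine: velocity checks by count and by volume, a composite rule that routes a transaction to manual review, blacklist and whitelist lookups, high-risk-country blocking, and a backtest that reports how a rule set would have classified a batch of past transactions. All thresholds, field names, decision precedence and the sample transactions are assumptions of this example.

```python
from collections import defaultdict, deque

# Added example (not RiskShield's code). Assumptions: transactions are dicts with
# customer_id, card_fp (a card/device fingerprint), country, amount and ts (unix
# seconds); thresholds, precedence and the sample batch are all constructed.

ALLOW, REVIEW, BLOCK = "allow", "review", "block"


class VelocityTracker:
    """Sliding-window count and volume per identifier."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> deque of (ts, amount)

    def record(self, key, ts, amount):
        q = self.events[key]
        q.append((ts, amount))
        while q and ts - q[0][0] > self.window:
            q.popleft()

    def count(self, key):
        return len(self.events[key])

    def volume(self, key):
        return sum(a for _, a in self.events[key])


class RiskEngine:
    def __init__(self, blacklist=(), whitelist=(), high_risk_countries=(),
                 max_count=5, max_volume=50000, window=600):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.high_risk_countries = set(high_risk_countries)
        self.max_count, self.max_volume = max_count, max_volume
        self.velocity = VelocityTracker(window)

    def evaluate(self, txn):
        """Return (decision, reasons). Whitelist wins; any hard rule blocks;
        soft rules send the payment to manual review."""
        ids = {txn["customer_id"], txn["card_fp"]}
        if ids & self.whitelist:
            return ALLOW, ["whitelisted"]
        reasons = []
        if ids & self.blacklist:
            reasons.append("blacklisted identifier")
        if txn["country"] in self.high_risk_countries:
            reasons.append("high-risk country")
        # Smart limits: velocity by count and by volume on the card fingerprint.
        self.velocity.record(txn["card_fp"], txn["ts"], txn["amount"])
        cnt = self.velocity.count(txn["card_fp"])
        vol = self.velocity.volume(txn["card_fp"])
        if cnt > self.max_count:
            reasons.append(f"velocity count {cnt}>{self.max_count}")
        if vol > self.max_volume:
            reasons.append(f"velocity volume {vol}>{self.max_volume}")
        # Composite rule: first-seen card AND large amount -> manual review.
        if cnt == 1 and txn["amount"] >= 20000:
            reasons.append("first-seen card with large amount")
        hard = ("blacklisted", "high-risk", "velocity")
        if any(r.startswith(hard) for r in reasons):
            return BLOCK, reasons
        if reasons:
            return REVIEW, reasons
        return ALLOW, reasons


def backtest(rules, transactions):
    """Replay a batch through a fresh engine and tally decisions before deploying rules."""
    engine = RiskEngine(**rules)
    tally = {ALLOW: 0, REVIEW: 0, BLOCK: 0}
    for t in transactions:
        tally[engine.evaluate(t)[0]] += 1
    return tally


# Constructed sample rule set and batch (not real data).
RULES = dict(blacklist=["fp_bad"], whitelist=["vip"], high_risk_countries=["XX"],
             max_count=5, max_volume=50000, window=600)
SAMPLE = [
    {"customer_id": "c1", "card_fp": "fp_a", "country": "IN", "amount": 500, "ts": 0},
    {"customer_id": "c2", "card_fp": "fp_b", "country": "IN", "amount": 25000, "ts": 10},
    {"customer_id": "c3", "card_fp": "fp_bad", "country": "IN", "amount": 100, "ts": 20},
    {"customer_id": "vip", "card_fp": "fp_v", "country": "XX", "amount": 90000, "ts": 30},
] + [{"customer_id": "c4", "card_fp": "fp_c", "country": "IN", "amount": 100, "ts": 40 + i}
     for i in range(6)]

if __name__ == "__main__":
    print(backtest(RULES, SAMPLE))
```

Running the backtest on the constructed batch shows the shape of the output an analyst would use before enabling a rule: how many payments it would block, route to review, or leave untouched, so an over-tight velocity limit is caught on historical data rather than on live customers.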