---
title: Pay by Points Integration Best Practices
slug: pay-by-points/integration-best-practices
excerpt: >-
  Learn the best practices to follow before beginning with the Pay by Points
  integration.
sidebar_order: 1
metadata:
  title: Pay by Points Integration Best Practices – Pine Labs Online
  description: >-
    Security, TLS, signature verification, webhook configuration, and
    integration best practices for Pay by Points with Pine Labs Online.
  robots: index
hidden: false
sidebar_label: Integration Best Practices
---

Learn the best practices to follow before beginning with the integration.

[Overview](../pay-by-points) | [Integration steps](integration-steps)

---

## Best practices

1. **Verify Signature to Detect Data Tampering:** We recommend treating this as a mandatory step: it confirms the authenticity of the details returned to you on the return URL for successful payments. Refer to our [signature verification](/developer-tools/webhooks/signature-verification) documentation to learn more.

2. **Fetch Order Status:** Use our [Get Orders API](/api/orders/get-order) from the backend to check the order/payment status before providing service to the customers. Refer to our [payments life cycle](/docs/payment-life-cycle) documentation to learn more.

3. **Configure Webhooks:** Contact our [support team](mailto:pgsupport@pinelabs.com) to configure webhook events to avoid callback failures. Refer to our [webhook](/developer-tools/webhooks) documentation to learn more.

4. **Implement Flexible JSON Parsing:** We recommend designing your systems to gracefully ignore any additional or unknown fields in the JSON payload during integration.
   - This ensures forward compatibility as our platform evolves or introduces new optional fields.
   - This aligns with industry-standard robust API design principles and prevents integration issues caused by unexpected data.

   **Example — Flexible JSON Handling:**

   ```json
   {
     "transactionId": "TXN123456",
     "amount": 10000,
     "currency": "INR",
     "extraField": "IgnoreThisNode"
   }
   ```

   **Expected Handling:** Process the known fields (`transactionId`, `amount`, `currency`) and gracefully ignore the `extraField`.

5. **Avoid Hardcoding Parameters:** To ensure a scalable integration, do not hardcode values such as API keys, environment flags, or identifiers in your system while integrating.
   - Hardcoded values increase the risk of failures when changes occur on the platform.
   - Using configuration files or environment variables makes your integration easier to maintain and adapt across environments (e.g., sandbox vs production).

6. **Transport Layer Security (TLS) Version:** We recommend using TLS 1.2 or a higher TLS version to avoid transaction failures.

7. **Conduct Sanity Testing:** Before fully implementing TLS 1.2 and updating the cipher suites, perform application testing to confirm seamless communication across systems and applications within your environment.

8. **Implement Strong Cipher Suites:** Configure TLS-enabled services to use only strong cipher suites with robust encryption algorithms and key exchange mechanisms. All other ciphers should be disabled.
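
For best practice 4 (flexible JSON parsing), the following added Python example, which is not Pine Labs code, shows one way to stay strict on the fields you use while ignoring unknown ones. The field names come from the sample payload above; the field types and the names `parse_transaction`, `Transaction`, and `PayloadError` are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Known fields, taken from the sample payload on this page.
# The expected types are an assumption based on that sample.
KNOWN_FIELDS = {"transactionId": str, "amount": int, "currency": str}


class PayloadError(ValueError):
    """Raised when the payload is malformed or a known field is invalid."""


@dataclass(frozen=True)
class Transaction:
    transaction_id: str
    amount: int
    currency: str


def parse_transaction(raw):
    """Strict on known fields, tolerant of unknown ones.

    Returns (Transaction, sorted list of ignored field names).
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise PayloadError(f"invalid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise PayloadError("payload must be a JSON object")

    for name, expected in KNOWN_FIELDS.items():
        if name not in doc:
            raise PayloadError(f"missing field: {name}")
        value = doc[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise PayloadError(f"wrong type for field: {name}")

    # Unknown fields are reported for logging but never copied into the
    # result, so they cannot reach downstream business logic.
    ignored = sorted(set(doc) - set(KNOWN_FIELDS))
    txn = Transaction(doc["transactionId"], doc["amount"], doc["currency"])
    return txn, ignored


# Sample payload reproduced from the example on this page.
SAMPLE = ('{"transactionId": "TXN123456", "amount": 10000, '
          '"currency": "INR", "extraField": "IgnoreThisNode"}')
```

Ignoring unknown fields does not mean relaxing validation: a missing or mistyped known field still raises `PayloadError`.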

---

## Accepted ciphers

- `TLS_AES_128_CCM_8_SHA256`
- `TLS_AES_128_CCM_SHA256`
- `TLS_ECCPWD_WITH_AES_128_CCM_SHA256`
- `TLS_ECCPWD_WITH_AES_256_CCM_SHA384`
- `TLS_ECDHE_ECDSA_WITH_AES_128_CCM`
- `TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8`
- `TLS_ECDHE_ECDSA_WITH_AES_256_CCM`
- `TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8`
- `TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256`
- `TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
- `TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256`
- `TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384`
- `TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`
- `TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`
- `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`

---

## UAT testing notes

> **Note:**
> - You can only test Credit/Debit Cards, Net Banking (via SBI), Cross Border, and Pay by Points on UAT/Staging Environment.
> - UPI payments are processed in real-time, even in the UAT environment. Please test using a minimal transaction amount.
> - Production credentials will be shared with you after UAT sign-off, to test all flows in the soft production environment before going live.
> - Please share the return URL and webhook URL for configuration and whitelisting before going live.
> - For any incremental updates or support related to integration, please contact our [Integration Team](mailto:pgintegration@pinelabs.com).


