Best Practices

Last edit: Apr 11, 2022

TerraPay provides a full-service API that can be integrated once as a solution for various businesses requiring cross-border money transfers. TerraPay’s API can be plugged in seamlessly, ensuring that only minimal modifications are required in the partner’s systems.

We have listed the best practices that developers can consider during integration to ensure seamless implementation.

API

Protect API credentials:

The following points are the best practices to ensure that the API key is secure:

  • Do not embed API credentials directly in code.
  • Do not store API credentials in files inside your application's source tree.
  • Set up application and API key restrictions.
  • Delete unneeded API credentials to minimise exposure to attacks.
  • Regenerate your API credentials periodically.
  • Encrypt the password when stored in the database or flat files.

Rotate API credentials:

API credentials should be rotated (regenerated) on a periodic, rolling basis. It is generally recommended to re-create the API credentials periodically.
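
A periodic review of a credential inventory turns the points on restricting, deleting and regenerating credentials into a repeatable check. This is an added example, not TerraPay code; the inventory fields, the 90-day rotation period and the 30-day idle threshold are assumptions, since the page does not give figures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; the page says "periodically" without naming a period.
MAX_AGE = timedelta(days=90)    # regenerate after this age
MAX_IDLE = timedelta(days=30)   # treat as unneeded after this much inactivity

@dataclass
class Credential:
    key_id: str                    # identifier only, never the secret itself
    created: datetime
    last_used: Optional[datetime]  # None means the key was never used
    allowed_ips: list = field(default_factory=list)

def review(cred: Credential, now: datetime) -> list:
    """Return the actions a credential needs: delete, rotate and/or restrict."""
    idle_since = cred.last_used or cred.created
    if now - idle_since > MAX_IDLE:
        return ["delete"]          # unneeded keys are removed, not rotated
    actions = []
    if now - cred.created > MAX_AGE:
        actions.append("rotate")
    if not cred.allowed_ips:
        actions.append("restrict")  # no application/API key restriction set
    return actions

# Constructed inventory for illustration (documentation IP range).
NOW = datetime(2022, 4, 11, tzinfo=timezone.utc)
INVENTORY = [
    Credential("key-prod", NOW - timedelta(days=120), NOW - timedelta(hours=1), ["203.0.113.10"]),
    Credential("key-batch", NOW - timedelta(days=10), NOW - timedelta(days=2)),
    Credential("key-old-poc", NOW - timedelta(days=400), NOW - timedelta(days=200), ["203.0.113.10"]),
    Credential("key-unused", NOW - timedelta(days=45), None),
]

def report(inventory=INVENTORY, now=NOW) -> dict:
    """Map each key id to the actions it needs (empty list means compliant)."""
    return {c.key_id: review(c, now) for c in inventory}

if __name__ == "__main__":
    for key_id, actions in report().items():
        print(key_id, actions or ["ok"])
```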

Least API privilege:

Every API consumer should operate with the minimal permissions required to access and execute the API. This limits the damage incurred by an accident or error related to the consumer.

Complete mediation:

Access to all resources of the API system from your client application should always be validated. Every endpoint should be designed with an authorization mechanism that brings security considerations to a system-wide level.

Fail-safe API defaults:

Access to any API resource/endpoint should be denied by default and granted only for a specific permission. A secure API design should follow the rule "when access should be granted" rather than "when access should be restricted".
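
Least privilege, complete mediation and fail-safe defaults combine into one pattern: a single entry point that checks an explicit grant table before any handler runs. This is an added example, not TerraPay code; the routes, consumer names and permission names are hypothetical.

```python
# Explicit grants only: (method, path) -> permission required.
# Hypothetical routes and permission names, for illustration.
ROUTE_PERMISSIONS = {
    ("GET", "/quotations"): "quote:read",
    ("POST", "/transactions"): "txn:create",
    ("GET", "/transactions/status"): "txn:read",
}

# Least privilege: each consumer holds only the permissions it needs.
CONSUMER_GRANTS = {
    "reporting-service": frozenset({"txn:read"}),
    "payout-service": frozenset({"quote:read", "txn:create", "txn:read"}),
}

def decide(consumer, method, path):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    required = ROUTE_PERMISSIONS.get((method.upper(), path))
    if required is None:
        # Fail-safe default: a route without a rule is closed, not open.
        return False, "route has no access rule"
    if required not in CONSUMER_GRANTS.get(consumer, frozenset()):
        return False, f"consumer lacks {required}"
    return True, f"granted via {required}"

def handle(consumer, method, path, handlers):
    """Complete mediation: the check runs on every request, before the handler."""
    allowed, reason = decide(consumer, method, path)
    if not allowed:
        return 403, reason
    return 200, handlers[(method.upper(), path)]()

# Constructed handlers; the DELETE handler exists but has no access rule.
HANDLERS = {
    ("GET", "/transactions/status"): lambda: "status: constructed sample",
    ("POST", "/transactions"): lambda: "created: constructed sample",
    ("DELETE", "/transactions"): lambda: "deleted: constructed sample",
}

if __name__ == "__main__":
    for who, method, path in [
        ("reporting-service", "GET", "/transactions/status"),
        ("reporting-service", "POST", "/transactions"),
        ("payout-service", "DELETE", "/transactions"),
    ]:
        print(who, method, path, handle(who, method, path, HANDLERS))
```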

API defence:

The application/API design should include multiple layers of control, making it harder to exploit the underlying API. Limiting server access by whitelisting known IP addresses and imposing two-factor authentication are a few techniques that increase the depth of the API security practice.

Data Encryption and Protection

Data encryption is of paramount importance for financial transactions. Data encryption should not be restricted to only the account details pertaining to the transactions but should also include KYC and PII data.

Data at rest and data in motion are at equal risk and should be encrypted accordingly. Best practices to consider while implementing are:

Proactive protection:

Businesses should identify which data is at risk and build proactive defence mechanisms rather than having a reactive approach.

Smart classification equals smart protection:

Effective protection measures can be considered when the data is categorised based on its risk profile in every state.

Build solid basics:

Solid basics like firewall and authentication are effective in protecting against malicious attacks.

Manage the right to access:

Restrict access to data by providing the least privileged access.

Full disk encryption:

Ensure encryption is not restricted to data alone but is extended to the disk as well.

Identity management:

Implement a zero-trust policy to ensure the users are authenticated.

Audit Trail

Transaction Audit trail:

To implement a robust and effective audit trail for compliance and monitoring, the following points are to be considered as key factors.

  • Audit only what is necessary. The basic information that needs to be audited is:
    • User and Terminal IDs
    • Successful and failed attempts to access systems, data, or applications
    • Transactions
    • Exceptions and other security-related events
    • Date and time (for log on/off and other key events)
    • Changes to security configurations
  • Audit trail should consider all the information that is required by different stakeholders.
  • Report and Review: Review periodically to verify that the information audited meets the business needs and is error-free. The audit log should answer the following questions:
    • Who performed this activity?
    • Under what circumstances (location, date…)?
    • What were the data that were accessed/impacted?
    • Who gave this user permission to do so?
    • Who else would perform the same action at the same point in time?
  • Data maintenance:
    Audit trail creates data that requires maintenance. Make sure to develop a retention policy for the audit trail data. Note that different data might have a different policy.
  • Administrative users:
    Ensure auditing is thorough for administrative users. Review of admin logs should be done more frequently.
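
The audit points above can be enforced where records are written: each event must carry the fields that answer who, where, what and on whose authority, and each receives a retention date by event type. This is an added example, not TerraPay code; the field names and retention periods are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Fields the checklist asks for: who, from where, what, outcome, on whose authority.
REQUIRED = ("user_id", "terminal_id", "event_type", "outcome",
            "resource", "source_ip", "authorized_by")
OPTIONAL = ("transaction_id", "detail")
EVENT_TYPES = {"logon", "logoff", "access", "transaction",
               "exception", "security_config_change"}
# Assumed retention periods in days; the page only says policies may differ.
RETENTION_DAYS = {"transaction": 1825, "security_config_change": 1825}
DEFAULT_RETENTION_DAYS = 365

def audit_record(now, is_admin=False, **fields):
    """Validate one audit event and return it as a JSON line."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"missing audit fields: {missing}")
    extra = sorted(set(fields) - set(REQUIRED) - set(OPTIONAL))
    if extra:
        # Audit only what is necessary: unexpected fields are rejected.
        raise ValueError(f"unexpected audit fields: {extra}")
    if fields["event_type"] not in EVENT_TYPES:
        raise ValueError("unknown event_type")
    if fields["outcome"] not in ("success", "failure"):
        raise ValueError("outcome must be success or failure")
    days = RETENTION_DAYS.get(fields["event_type"], DEFAULT_RETENTION_DAYS)
    record = dict(fields)
    record["timestamp"] = now.astimezone(timezone.utc).isoformat()
    record["is_admin"] = is_admin  # lets reviewers pull admin activity more often
    record["purge_after"] = (now + timedelta(days=days)).date().isoformat()
    return json.dumps(record, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample event; authorized_by is a placeholder reference.
    print(audit_record(
        datetime(2022, 4, 11, 9, 30, tzinfo=timezone.utc), is_admin=True,
        user_id="ops-admin-01", terminal_id="T-0042",
        event_type="security_config_change", outcome="success",
        resource="ip-allow-list", source_ip="203.0.113.10",
        authorized_by="change-ticket-PLACEHOLDER"))
```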

System logs:

Ensure that logs are created for system components. A few components that need to be monitored and logged are:

  • Database audit logs
  • Network logs
  • Operating system logs

User Interface

An online user experience to deliver the solution that meets the customer's expectations is of vital importance to any business. A guideline on implementing an effective user interface is given below:

Security by Design

A key aspect of security is to verify that the users are who they say they are! This can be achieved by implementing Two-factor Authentication (2FA). 2FA is implemented to better protect the user’s credentials and the resources that the user can access.

Given below are the factors that can be adopted for authentication:

Knowledge factor:

What the user knows, such as a password, a personal identification number (PIN) or some other type of shared secret.

Possession factor:

What the user has, such as an ID card, a security token, a cell phone, a mobile device, or a smartphone app, to approve authentication requests.

Biometric (Inherence) factor:

What is inherent in the user's physical self, such as facial and voice recognition or behavioural biometrics.

Location factor:

Where the user is; the location from which an authentication attempt is being made. This can be enforced by tracking the Internet Protocol address or geolocation information, such as Global Positioning System (GPS) data, derived from the user's mobile phone or other devices.

Time factor:

Restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.
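
The location and time factors can be evaluated as additional checks alongside the knowledge or possession factor; the same network check applies to the IP whitelisting mentioned under API defence. This is an added example, not TerraPay code; the allowed networks (documentation ranges) and the 07:00 to 19:00 UTC window are assumptions.

```python
import ipaddress
from datetime import datetime, time, timezone

# Hypothetical policy. Networks are reserved documentation ranges.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]
WINDOW_START, WINDOW_END = time(7, 0), time(19, 0)  # UTC, end exclusive

def location_ok(source_ip):
    """Location factor: the source address must fall in an allowed network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address is rejected, not skipped
    return any(addr in net for net in ALLOWED_NETWORKS)

def time_ok(now, start=WINDOW_START, end=WINDOW_END):
    """Time factor: the attempt must fall inside the permitted window (UTC)."""
    if now.tzinfo is None:
        return False  # refuse to guess the zone of a naive timestamp
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window that crosses midnight

def extra_factors_ok(source_ip, now):
    """Both checks must pass; they supplement the primary factor."""
    return location_ok(source_ip) and time_ok(now)

if __name__ == "__main__":
    # Constructed login attempts.
    when = datetime(2022, 4, 11, 8, 15, tzinfo=timezone.utc)
    for ip in ("203.0.113.77", "198.51.100.40", "not-an-ip"):
        print(ip, extra_factors_ok(ip, when))
```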