OnCharge

Security

Built with a security-first architecture. Every integration point is authenticated, signed, and monitored.

Authentication

  • HMAC-SHA256 request signing on all merchant API calls
  • 5-minute timestamp window with timing-safe comparison
  • API key rotation with 14-day grace window
  • Supabase Auth (JWT) for dashboard access
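
The first three checks above, combined in one verifier. This is an added example, not OnCharge's code: the canonical string layout, the hex encoding, the symmetric reading of the 5-minute window, the key record fields and all sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5 * 60           # 5-minute timestamp window (assumed symmetric)
GRACE_SECONDS = 14 * 24 * 60 * 60   # 14-day grace window after key rotation

# Constructed sample key set; "rotated_at" is None for the active key.
NOW = 1_700_000_000
KEYS = [
    {"secret": b"constructed-active-key", "rotated_at": None},
    {"secret": b"constructed-old-key", "rotated_at": NOW - 10 * 86400},
    {"secret": b"constructed-expired-key", "rotated_at": NOW - 15 * 86400},
]


def sign(secret, timestamp, method, path, body):
    """HMAC-SHA256 over an assumed canonical string, hex-encoded."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = f"{timestamp}\n{method.upper()}\n{path}\n{body_hash}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def usable_secrets(keys, now):
    """Active key plus rotated keys still inside the grace window."""
    return [k["secret"] for k in keys
            if k["rotated_at"] is None or now - k["rotated_at"] <= GRACE_SECONDS]


def verify(keys, timestamp, method, path, body, signature, now=None):
    """Return True only for a fresh request signed with a usable key."""
    now = time.time() if now is None else now
    # Reject stale or future-dated requests; this bounds the replay window.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    # Compare as bytes so a non-ASCII signature fails cleanly instead of raising.
    supplied = signature.encode("utf-8", "replace")
    valid = False
    for secret in usable_secrets(keys, now):
        expected = sign(secret, timestamp, method, path, body).encode()
        # Constant-time compare; no early exit, so every key costs the same.
        valid |= hmac.compare_digest(expected, supplied)
    return valid
```

Binding the timestamp, method, path and body hash into the signed string is what makes the freshness check meaningful: changing any of them invalidates the signature.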

Transport

  • HSTS with includeSubDomains and preload
  • TLS 1.2+ enforced on all endpoints
  • X-Content-Type-Options: nosniff
  • Strict Referrer-Policy

Content Security

  • default-src 'none' on checkout pages
  • Per-store frame-ancestors allowlist (no wildcards)
  • DNS-based domain ownership verification
  • postMessage origin + session_id + nonce validation

Payment Data

  • Card fields rendered inside PSP-provided iframes
  • Raw card numbers never stored on OnCharge servers
  • PCI-aware design — not a PCI certification claim
  • Session tokens are HMAC-signed with 30-minute TTL

Webhooks

  • HMAC verification on all inbound PSP webhooks
  • Deduplication keys prevent double-processing
  • Fast ACK (< 100ms) with deferred durable processing
  • Unverified events flagged in the database

Monitoring

  • Immutable audit log for all security events
  • Stuck session monitoring view
  • Daily compliance scans on merchant sites
  • Global blocklist with HMAC-hashed identifiers

OnCharge does not claim PCI DSS certification. Card data is tokenized and handled entirely by our PSP partners. Our architecture is designed to minimize PCI scope for merchants (SAQ-A eligible when using iframe integration).