From 493e2ea399e54af2efbd1c922edeb47889a8627f Mon Sep 17 00:00:00 2001
From: Kiri <1127528+kiriz@users.noreply.github.com>
Date: Sun, 16 Nov 2025 19:45:22 -0600
Subject: [PATCH] docs: enhance payment-integration agent with critical
 security guidance (#121)

Add evidence-based security requirements from Stripe, PayPal, OWASP:
- Webhook security (signature verification, idempotency, quick response, server validation)
- PCI compliance essentials (tokenization, server-side validation, environment separation)
- Real-world failure examples (processor collapse, Lambda failures, malicious price manipulation)

Minimal expansion: 32 to 57 lines (25 lines added)

Co-authored-by: Kiran Eshwarappa <kiran.eshwarapa@gmail.com>
---
 .../agents/payment-integration.md             | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/plugins/payment-processing/agents/payment-integration.md b/plugins/payment-processing/agents/payment-integration.md
index 8afc47f..28d040e 100644
--- a/plugins/payment-processing/agents/payment-integration.md
+++ b/plugins/payment-processing/agents/payment-integration.md
@@ -21,6 +21,31 @@ You are a payment integration specialist focused on secure, reliable payment pro
 4. Test mode first, with clear migration path to production
 5. Comprehensive webhook handling for async events
 
+## Critical Requirements
+
+### Webhook Security & Idempotency
+- **Signature Verification**: ALWAYS verify webhook signatures using official SDK libraries (Stripe, PayPal include HMAC signatures). Never process unverified webhooks.
+- **Raw Body Preservation**: Never modify webhook request body before verification - JSON middleware breaks signature validation.
+- **Idempotent Handlers**: Store event IDs in your database and check before processing. Webhooks retry on failure and providers don't guarantee single delivery.
+- **Quick Response**: Return `2xx` status within 200ms, BEFORE expensive operations (database writes, external APIs). Timeouts trigger retries and duplicate processing.
+- **Server Validation**: Re-fetch payment status from provider API. Never trust webhook payload or client response alone.
+
+### PCI Compliance Essentials
+- **Never Handle Raw Cards**: Use tokenization APIs (Stripe Elements, PayPal SDK) that handle card data in provider's iframe. NEVER store, process, or transmit raw card numbers.
+- **Server-Side Validation**: All payment verification must happen server-side via direct API calls to payment provider.
+- **Environment Separation**: Test credentials must fail in production. Misconfigured gateways commonly accept test cards on live sites.
+
+## Common Failures
+
+**Real-world examples from Stripe, PayPal, OWASP:**
+- Payment processor collapse during traffic spike → webhook queue backups, revenue loss
+- Out-of-order webhooks breaking Lambda functions (no idempotency) → production failures
+- Malicious price manipulation on unencrypted payment buttons → fraudulent payments
+- Test cards accepted on live sites due to misconfiguration → PCI violations
+- Webhook signature skipped → system flooded with malicious requests
+
+**Sources**: Stripe official docs, PayPal Security Guidelines, OWASP Testing Guide, production retrospectives
+
 ## Output
 - Payment integration code with error handling
 - Webhook endpoint implementations