Report suspected vulnerabilities privately to security@makepay.io.

• Store MakePay keys in Business Manager service credentials.
• Do not expose key secrets in ISML, static JavaScript, or custom preferences.
• Validate basket state server-side before creating payment links.
• Use MakePay webhooks or order reconciliation before fulfillment.