How safe is your money with Instamojo? Absolutely safe! Security and privacy related queries.
Instamojo servers are encrypted by the 128 bit AES(Advanced Encryption Standard) Encryption.
That simply means that when you are on Instamojo.com and entering any detail whatsoever, all your data is first encrypted on the server which further means it is cryptographically difficult to pass through your data, if in case anyone wants to break in.
Instamojo is compliant with Payment Card Industry Data Security Standards as a measure to make sure that the transaction data are 100% safe with Instamojo.
If you want to learn more about what PCI DSS compliance means,please read this article on wiki.
Your security is our priority. These are the steps we take to ensure your security:
** **
To ensure that your read-only fields cannot be tampered with, you can sign your links using the procedure below.** **
Note 1:
To do this, you’ll need the salt for your Instamojo account.
You can get this by logging into your Instamojo account and visitinginstamojo.com/developers.
To enable signature for a link, please contact us at support@instamojo.com.
If you do not, anyone can remove the URL query-string parameters and be able to make a payment with a value that is less than what you expect.
Once permanent tamper-proofing is enabled, we will refuse to accept payments on links that are not signed.
Tamper-proofing step by step example
For the purpose of this example, we assume you’re trying to make the following link tamper-proof:
https://www.instamojo.com/demo/demo-offer/?data_name=Aditya+Sengupta&data_email=aditya@instamojo.com&data_phone=9821485060& data_amount=123.45&data_readonly=data_name&data_readonly=data_email&data_readonly=data_phone&data_readonly=data_amount
If you have any keys with upper-case letters, convert them to lower-case letters first. In this example, you would get the following order: (a) data_amount (b) data_email (c) data_name (d) data_phone
In this example, you would get the values below in the following order: (a) 123.45 (b) aditya@instamojo.com (c) Aditya Sengupta (d) 9821485060
Using the above example, you get the following string: 123.45|aditya@instamojo.com|AdityaSengupta|9821485060 4. Use the above string as the message for the HMAC-SHA1 algorithm5 and the salt for your Instamojo account as the salt for the algorithm. The output of this will be the signature we need.
For example, if your salt is “abcde”, the signature you would generate using the string from the previous step as the message is: 6f905be9811990707f9d833da8e93bfebb23abbc Once you have the signature using the above procedure, you add it as the value of the data_sign key in the URL.
The URL would then be:
https://www.instamojo.com/demo/demo-offer/?data_readonly=data_name&data_readonly=data_email&data_readonly=data_phone&data_readonly=data_amount&data_sign=6f905be9811990707f9d833da8e93bfebb23abbc&data_email=aditya@instamojo.com&data_amount=123.45&data_name=Aditya+Sengupta&data_phone=9821485060
Note that the above URL will not actually work since the salt for the demo account is not actually “abcde”.
Don’t forget to URL encode the query-string parameters!** **
Live example
The following url has tamper-proofing enabled:
Try modifying any of the parameters and the link will throw an error.** **
Eg: Below is the case when the amount has been changed to 50 (from 123.45), the link doesn’t work.
For any questions, emailsupport@instamojo.com
