Zoho Payment Gateway-India Payment Gateway Webhook Setup Guide

Introduction to Webhooks in Indian Payment Gateways

Webhooks are automated HTTP callbacks that notify your server about payment events in real time. For Indian payment gateways such as Razorpay, PayU, Paytm, and CCAvenue, webhooks are essential for handling asynchronous payment notifications.

Common Use Cases for Webhooks

  • Successful/failed payment notifications
  • Refund status updates
  • Subscription/recurring payment alerts
  • Dispute/chargeback notifications

Step-by-Step Setup Guide

1. Choose Your Payment Gateway Provider (Examples)

  • Razorpay: Popular for startups and SaaS companies
  • PayU: Widely used by e-commerce businesses
  • Paytm: Preferred for mobile-first applications
  • CCAvenue: Common with enterprise merchants

2. Prerequisites Before Setup:

  • Production-ready website with HTTPS (SSL certificate)
  • Server capable of receiving POST requests (Node.js/PHP/Python/Java etc.)
  • Admin access to your payment gateway dashboard

3. Configuration Steps:

For Razorpay:

  1. Log in to your Razorpay Dashboard → Settings → Webhooks
  2. Click "Add New Webhook"
  3. Enter URL endpoint (e.g., https://yourdomain.com/webhook/razorpay)
  4. Select relevant events: payment.captured, payment.failed, etc.
  5. Add secret key (optional but recommended)
  6. Test the webhook using test mode before going live

For PayU Money:

  1. Go to Merchant Dashboard → Integration → API Integration
  2. Navigate to "Webhook Settings"
  3. Add callback URL with HTTPS protocol only
  4. Select transaction statuses: Success/Failure/Pending/etc.
  5. Generate salt/key pair if required

For CCAvenue:

  1. Access Merchant Panel → Service Integration Tab
  2. Locate "Instant Transaction Notification" section
  3. Input notification URL format: https://yourdomain.com/ccavenuenotify?order_id=xxxxx
  4. Set encryption parameters matching your implementation

4. Webhook Implementation Best Practices:

Security Measures:

# Example Python verification snippet (Razorpay)
import hmac
import hashlib

def verify_webhook_signature(body, signature):
    # body must be the raw request bytes exactly as received, before any JSON parsing
    secret = 'your_webhook_secret'
    generated_signature = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched
    return hmac.compare_digest(generated_signature.encode(), signature.encode())

# Usage
is_valid = verify_webhook_signature(request.body, request.headers['X-Razorpay-Signature'])

Essential Checks:

  1. Source IP validation against gateway's whitelist IPs
  2. HTTPS enforcement with TLS ≥ 1.2
  3. Idempotency handling via unique event IDs

Testing & Troubleshooting:

Issue               | Solution
No calls received   | Check firewall settings; verify DNS resolution
Invalid signatures  | Reconfirm shared secret; validate encoding
Duplicate events    | Implement idempotency keys/database deduplication

Compliance Requirements Specific to India:

  1. RBI mandates all transactions must have final confirmation via server-to-server notification
  2. PCI-DSS compliance required if storing any card data temporarily
  3. Data localization rules apply; ensure processing stays within India where required


Advanced Payment Gateway Webhook Implementation for India

Handling Different Payment Gateway Protocols

1. Signature Verification Methods by Provider

Razorpay (HMAC-SHA256):

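// Node.js verification example
const crypto = require('crypto');

// rawBody: the request body exactly as received (Buffer or string).
// Re-serializing a parsed object with JSON.stringify can change the bytes and break the HMAC.
function verifyRazorpayWebhook(rawBody, razorpaySignature) {
  const secret = process.env.RAZORPAY_WEBHOOK_SECRET;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');

  // Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first
  const expected = Buffer.from(expectedSignature, 'utf8');
  const received = Buffer.from(String(razorpaySignature || ''), 'utf8');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}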

PayU (SHA-512 with Salt):

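// PHP verification example for PayU
// Field values come from the received POST data; the field order and the number of
// empty placeholder fields must match PayU's documentation for the hash being verified
$hashSequence = "$key|$txnid|$amount|$productinfo|$firstname|$email||||||||||";
$hashSequence .= $SALT; // Your merchant salt from dashboard

// hash_equals() compares in constant time
if (!hash_equals(strtolower(hash('sha512', $hashSequence)), strtolower($hash))) {
    // Reject unauthorized webhook call
    http_response_code(403);
    exit;
}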

2. Database Design Considerations

Create these tables for proper webhook handling:

payment_webhooks (
    id BIGINT PRIMARY KEY,
    gateway ENUM('razorpay','payu','ccavenue'),
    event_id VARCHAR(255) UNIQUE, # Gateway's event identifier
    event_type VARCHAR(50),

)

payment_transactions (


)
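
The signature check and the idempotency handling from the Essential Checks list, combined with the UNIQUE event_id column of the payment_webhooks table, as an added example (not code from the original guide or from any gateway's SDK). It uses SQLite in place of the production database; the function names, the event_id argument, the apply callback and the sample secret, body and event IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

def open_store(path=":memory:"):
    # Mirrors the payment_webhooks sketch; UNIQUE(event_id) enforces deduplication.
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS payment_webhooks ("
        " id INTEGER PRIMARY KEY, gateway TEXT NOT NULL,"
        " event_id TEXT NOT NULL UNIQUE, event_type TEXT)")
    return db

def handle_webhook(db, secret, raw_body, signature, event_id, apply=None):
    """Return 'rejected', 'duplicate' or 'processed' for one delivery."""
    # 1. Authenticate the raw bytes before parsing or storing anything.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest().encode()
    if not event_id or not hmac.compare_digest(expected, (signature or "").encode()):
        return "rejected"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected"
    if not isinstance(event, dict):
        return "rejected"
    # 2. Claim the event ID. The UNIQUE constraint makes the claim atomic, so
    #    concurrent deliveries of one event cannot both pass.
    try:
        with db:  # one transaction: if apply() raises, the claim is rolled back
            db.execute(
                "INSERT INTO payment_webhooks (gateway, event_id, event_type)"
                " VALUES ('razorpay', ?, ?)", (event_id, event.get("event")))
            if apply:
                apply(event)  # 3. business logic runs at most once per event
    except sqlite3.IntegrityError:
        return "duplicate"  # already handled: acknowledge, do not re-apply
    return "processed"

# Constructed sample delivery (not real gateway traffic).
SECRET = b"constructed-test-secret"
BODY = b'{"event": "payment.captured", "payload": {"amount": 50000}}'
SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    db = open_store()
    print(handle_webhook(db, SECRET, BODY, SIG, "evt_constructed_001"))  # first delivery
    print(handle_webhook(db, SECRET, BODY, SIG, "evt_constructed_001"))  # gateway retry
    print(handle_webhook(db, SECRET, BODY + b" ", SIG, "evt_constructed_002"))  # altered body
```

A "duplicate" result should still be answered with a success status so the gateway stops retrying; only "rejected" deliveries warrant an error response.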

Country-Specific Requirements Implementation

RBI Mandate Compliance Code Example:



def handle_rbi_compliance(payment_data):
    # Reject events that arrive without a UTR number
    if not payment_data.get("utr"):
        raise Exception("UTR number missing - violates RBI guidelines")

    # .get() avoids a KeyError when the currency field is absent
    if payment_data.get("currency") != "INR":
        raise Exception("Forex transactions require additional compliance checks")

    # Store in India-located datacenter if required




Transaction Reconciliation Process