
M-Pesa Integration Security: The Three Gaps Most Developers Miss

Most M-Pesa integrations are built to go live fast, not built to stay secure. Here are the three vulnerabilities that come up in almost every security review.

De4sec Technology · January 2026 · 5 min read

M-Pesa integrations are one of the most common technical projects for Kenyan businesses, and one of the most commonly done wrong. Not wrong in a way that stops the integration working. Wrong in a way that leaves it open to fraud, manipulation or data exposure.

Most integrations are built to go live fast. The business needs to accept payments. The developer builds the Daraja API integration, tests the happy path, and deploys. Security is an afterthought, or not a thought at all.

The three most common M-Pesa security gaps

1. Hardcoded API credentials

The Daraja API requires a Consumer Key and Consumer Secret. These credentials authenticate your application to Safaricom's servers. In a staggering number of Kenyan applications, these credentials are hardcoded directly into the source code, sometimes committed to public GitHub repositories.

A hardcoded API credential in a codebase that has ever been shared, pushed to a repository, or accessed by more than one developer is effectively a public credential. Anyone with access to that code can impersonate your application, initiate transactions and drain your Paybill balance.

The fix: store credentials in environment variables or a secrets manager, never in code; define a rotation policy; log every access to them.

2. No webhook signature validation

When a customer pays via M-Pesa STK Push, Safaricom sends a callback (webhook) to your server to confirm the transaction. Many integrations simply trust this callback: if it arrives at the right URL, the system marks the order as paid.

The problem: anyone who knows your callback URL can send a fake payment confirmation. Your system marks orders as paid without any money moving. This is not a theoretical attack; it is a well-documented fraud pattern in Kenyan e-commerce.

→ Validate the Safaricom callback signature on every request
→ Verify the transaction amount server-side against the expected order value
→ Cross-reference with Safaricom's transaction query API before fulfilling high-value orders
→ Log all callbacks: matched, unmatched and suspicious
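The server-side checks from the list above, written out as an added example (not code from De4sec or Safaricom). It parses a callback in the Daraja STK Push callback shape, matches it to a pending order by CheckoutRequestID, rejects amount or phone mismatches and replayed receipts, logs every outcome, and holds high-value orders until the status query API confirms them. The order store, the KES 10,000 threshold and the status names are assumptions; the signature check and the status-query call itself are left out.

```python
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("mpesa.callback")
HIGH_VALUE_KES = 10_000  # assumed threshold: at or above it, confirm via the status-query API first

@dataclass
class Order:
    checkout_request_id: str  # CheckoutRequestID Daraja returned when the STK Push was initiated
    amount: int               # expected KES value of the order
    phone: str                # MSISDN the STK Push was sent to, e.g. 2547XXXXXXXX
    status: str = "pending"

ORDERS: dict[str, Order] = {}     # hypothetical in-memory stand-ins for the order database
SEEN_RECEIPTS: set[str] = set()   # M-Pesa receipt numbers already accepted (replay guard)

def make_callback(checkout_id, amount, phone, receipt, result_code=0) -> str:
    """Build a constructed callback body in the Daraja STK Push callback shape (for tests)."""
    items = [{"Name": "Amount", "Value": amount}, {"Name": "MpesaReceiptNumber", "Value": receipt},
             {"Name": "PhoneNumber", "Value": int(phone)}]
    stk = {"MerchantRequestID": "constructed-1", "CheckoutRequestID": checkout_id,
           "ResultCode": result_code, "ResultDesc": "constructed", "CallbackMetadata": {"Item": items}}
    return json.dumps({"Body": {"stkCallback": stk}})

def handle_callback(raw_body: str) -> str:
    """Decide what one callback means: 'rejected', 'failed', 'paid' or 'needs_query'.
    A callback on its own never marks an order paid; it must match what we expected."""
    stk = json.loads(raw_body)["Body"]["stkCallback"]
    order = ORDERS.get(str(stk.get("CheckoutRequestID", "")))
    if order is None or order.status != "pending":
        log.warning("unmatched or duplicate callback: %s", stk.get("CheckoutRequestID"))
        return "rejected"
    if stk.get("ResultCode") != 0:  # cancelled, timed out, insufficient funds, ...
        order.status = "failed"
        log.info("payment failed for %s: %s", order.checkout_request_id, stk.get("ResultDesc"))
        return "failed"
    md = {i["Name"]: i.get("Value") for i in stk.get("CallbackMetadata", {}).get("Item", []) if "Name" in i}
    receipt = str(md.get("MpesaReceiptNumber") or "")
    if not receipt or receipt in SEEN_RECEIPTS:
        log.warning("replayed or receipt-less callback for %s", order.checkout_request_id)
        return "rejected"
    # Server-side checks: amount and phone must equal what the STK Push was issued for.
    if float(md.get("Amount") or -1) != float(order.amount) or str(md.get("PhoneNumber", "")) != order.phone:
        log.warning("suspicious callback for %s: %s", order.checkout_request_id, md)
        return "rejected"
    SEEN_RECEIPTS.add(receipt)
    # High-value orders stay provisional until the transaction status query API confirms them.
    order.status = "needs_query" if order.amount >= HIGH_VALUE_KES else "paid"
    log.info("matched %s receipt=%s -> %s", order.checkout_request_id, receipt, order.status)
    return order.status
```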

3. No transaction reconciliation

Fraud in M-Pesa integrations doesn't always happen via the API. Sometimes it happens in the gap between what Safaricom reports and what your system records. Without automated reconciliation, that gap goes undetected.

A Kenyan logistics company we reviewed had been processing transactions for 14 months without reconciliation. When we ran the first reconciliation report, there was a KES 380,000 discrepancy. Half of it was a system bug. The other half was unexplained.

What a properly secured M-Pesa integration looks like

✓ Consumer Key and Secret stored in environment variables or vault
✓ All credentials rotated on a defined schedule
✓ Webhook signature validation on every callback
✓ Amount and phone number validated server-side before order fulfillment
✓ Automated reconciliation, Safaricom records vs internal records, daily
✓ Velocity rules: alerts on unusual transaction patterns
✓ Access control: only authorised staff can initiate reversals
✓ Audit log: all API calls, callbacks and admin actions logged
✓ KDPA alignment: transaction data handled per data protection requirements

When to review your M-Pesa integration

You should conduct a security review of your M-Pesa integration if:

→ The integration was built more than 12 months ago and has never been reviewed
→ More than one developer has had access to the source code
→ The application is hosted on a shared server
→ You have never run a reconciliation report
→ You don't have rate limiting on your callback endpoint
→ You are about to scale transaction volume significantly

A security review doesn't require taking the integration offline. We audit what's live, identify vulnerabilities, and provide a prioritised remediation report.

// NOT SURE WHERE YOU STAND?

Get a free IT & security check.

We identify the gaps and tell you exactly what to fix first.
