Security Best Practices

This guide is intended to provide Affirm merchants with best practices for proactively protecting sensitive data when using the services.


Information security is a joint effort between Affirm and our partners. This guide offers precise and actionable strategies for enhancing your security stance, covering areas such as managing user accounts, authentication processes, and secrets management. By implementing these measures, you contribute significantly to the protection of both your business and our mutual customers.

Merchant Portal Accounts

Protect your Merchant Portal accounts from unauthorized access and abuse.

Determine Appropriate Users

All users and user accounts should be valid, up-to-date, and in compliance with company policy.

Please review the items below for user management best practices:

  • Confirm user access is appropriate and compliant. Specifically, you should have procedures for onboarding new users that include:
    • Confirmation that they are employees or contractors, i.e. appropriate, legal representatives of the company with a legitimate business need to access the portal contents.
    • Providing security awareness training and privacy training so that users understand how to handle and protect sensitive information prior to accessing the portal.
  • Prevent the misuse of inactive accounts by:
    • Deactivating or removing access upon employee separation or role change.
    • Reviewing user accounts regularly to identify and remove any inactive ones.

Clearly Identify Users

Proactive and thorough identity management is your foundation for preventing and mitigating potential data breaches and business disruptions. Make sure that all identities used for the Merchant Portal, including email aliases:

  • Are associated with an individual employee (i.e. no shared accounts).
  • Are unique and are not reused after employee departure.
  • Have a valid domain that is, whenever possible, specifically and unambiguously associated with your legal business entity, e.g. [email protected] for Example, Inc.

Carefully Verify User Identities

Safeguard against account takeovers in Merchant Portal by shoring up your authentication methods. Currently, Affirm supports Google SSO and passwords. Follow these practices:

  • Enable Multi-factor Authentication (MFA): With MFA, even if an attacker obtains your password, they still need the second factor to access your account. For Google SSO, MFA must be configured on the Google platform. For password authentication, you must choose a second factor.
  • Password Best Practices:
    • Unique: Create a unique password for each online account you have. Reusing passwords across multiple accounts increases the risk of a security breach. If one account is compromised, hackers could potentially access other accounts where the same password is used.
    • Lengthy: Longer passwords are generally more secure than shorter ones. Aim for a password length of at least 15 characters. Longer passwords provide increased security against brute-force attacks, where attackers try various combinations of characters to guess the password.
    • Complex: Create passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information such as your company name, name, birthdate, or common words.

Secrets Security

As a merchant with Affirm, you have secrets that are critical for enabling our partnership. Some examples of secrets may include: private API keys that we generate on your behalf, your own private keys used for the decryption of data that we share with you, or passwords used to access our systems or data. In all of these cases, keeping these secrets safe and confidential is crucial for both of us to prevent unauthorized use or disruption of services.

Please review the following critical steps to ensure you are utilizing best practices:

  • Use Encrypted Storage Solutions: Avoid storing secrets directly in code repositories, configuration files, or client-side code where they can be easily accessed or compromised. Instead, utilize secure storage solutions such as Key Management Systems (KMS), Secrets Managers, or encrypted databases.
  • Limit Access: Limit secrets access to only authorized personnel who require them for development, deployment, or maintenance purposes. Implement strict access controls and role-based permissions to restrict access to keys based on job roles and responsibilities.
  • Share Secrets Securely: When transmitting secrets, use encrypted channels such as HTTPS (HTTP Secure). Avoid transmitting keys via insecure communication channels such as email or unencrypted HTTP.
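
One way to check a repository or configuration file for secrets stored as literals is sketched below. This is an added example, not Affirm code. The variable-name list, the 16-character minimum, and the 3.5-bit entropy threshold are assumptions of the example, and the sample input is constructed.

```python
import math
import re
from collections import Counter

# Heuristics below (name list, length and entropy thresholds) are assumptions
# of this example; tune them for your own code base.
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|private[_-]?key|token)")
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+|const\s+|let\s+|var\s+)?["']?([\w.-]+)["']?\s*[:=]\s*["']?([^"'\s,;]+)"""
)
# Values that point at an environment variable or template, not a literal.
INDIRECT = re.compile(r"^(\$\{?\w+\}?|os\.environ|process\.env|getenv|\{\{)")
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample input; none of these values are real credentials.
SAMPLE = '''\
# constructed sample configuration
merchant_name = "Example, Inc."
private_api_key = "k3Jx9QpLm2Zt8VbR4nWc7Ys1"
PRIVATE_API_KEY = os.environ["PRIVATE_API_KEY"]
db_password: ${DB_PASSWORD}
const apiToken = 'Zq8mT2xLw9Rk4Vn6Bp1Hs3Yd';
-----BEGIN RSA PRIVATE KEY-----
'''

def shannon_entropy(value):
    """Bits per character; random keys score high, words and placeholders low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def find_hardcoded_secrets(text, min_len=16, min_entropy=3.5):
    """Return (line_number, name) for each literal that looks like a stored secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_HEADER.search(line):
            findings.append((lineno, "private-key-block"))
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not SECRET_NAME.search(name) or INDIRECT.match(value):
            continue
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: possible hardcoded secret ({name})")
```

Lines that read the value from the environment or a template placeholder are not reported, which is the pattern to move flagged literals toward once the secret lives in a KMS or secrets manager.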

Learn more

Visit our trust portal here to learn more about Affirm’s approach to security.