Security comes first at Mollie, and the Mollie API is no exception. Mollie guarantees a safe yet easy-to-use API in a number of key ways described below.
Connecting to the Mollie API
To connect to the Mollie API, an HTTPS connection with at minimum TLS 1.2 is required. Requests are authenticated using API keys. This follows the industry's best practices.
End-to-end safety on the transport level is guaranteed by the HTTPS requirement, so there is no need to encrypt the data itself again. We only support TLS 1.2 or higher; a connection is not possible when using a lower version.
HTTPS mitigates packet sniffing, timing attacks and replay attacks. Thanks to HTTPS, data exchanged between Mollie and the merchant is protected and guaranteed to be authentic. HTTPS implements hashed signatures, nonces, and other tried and tested cryptographic safeties.
Man-in-the-middle attacks are prevented by strictly checking the HTTPS certificate used on https://api.mollie.com/. If the client detects a fake certificate, for example because of a hacked DNS server, no connection will be established.
Sensitive information
Any sensitive payment information entered by your customer on our platform is stored securely. You can find more information about how we process this data and our Security practices on our website.
If you process Card payments (credit/debit cards, Apple Pay, Google Pay or Bancontact), you can rest assured that cardholder data is safe with us. Mollie has been audited and certified as a PCI Level 1 Service Provider, the highest level of certification in the cards industry, by an independent PCI Qualified Security Assessor (QSA).
PCI compliance is a shared responsibility between you and Mollie. We are responsible for the security of your data in our systems. You are responsible for understanding the requirements applicable to you and ensuring the security of your own systems. You can find more information about this in our Help Center.
What about the webhooks?
The Mollie API webhooks never contain sensitive information. Instead, webhooks will only signal to your server that an update is ready to be fetched from the Mollie API, after which you are expected to fetch the object yourself in order to retrieve the updated details — for example the updated status of a payment. Since your API call to us takes place over HTTPS, all the earlier-mentioned security guarantees stay in effect.
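The following is an added example, not code from Mollie or its documentation, showing how a merchant backend would act on the two points above: treat the webhook body as nothing more than a trigger carrying an object id, and fetch the object itself over a connection that enforces TLS 1.2 or higher with full certificate checking. The form-encoded `id` field, the `/v2/payments/{id}` path and the `Authorization: Bearer <api key>` scheme are assumptions; check the current Mollie documentation for the exact shapes.

```python
import json
import re
import ssl
import urllib.request
from urllib.parse import parse_qs

MOLLIE_API = "https://api.mollie.com/v2"  # path layout below is an assumption

# Object ids are a short lowercase prefix, an underscore and an alphanumeric tail
# (assumed shape). Validating before use keeps the id from steering the request URL.
ID_PATTERN = re.compile(r"^[a-z]{2,3}_[A-Za-z0-9]{6,}$")


def parse_webhook_body(raw: str) -> str:
    """Return the object id from the webhook body; every other field is ignored."""
    fields = parse_qs(raw, strict_parsing=True)
    ids = fields.get("id")
    if not ids or len(ids) != 1 or not ID_PATTERN.match(ids[0]):
        raise ValueError("webhook body does not carry a single well-formed id")
    return ids[0]


def tls_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 or higher, certificate and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_payment(payment_id: str, api_key: str, opener=None) -> dict:
    """Fetch the payment from the API; the webhook only told us that it changed."""
    req = urllib.request.Request(
        f"{MOLLIE_API}/payments/{payment_id}",
        headers={"Authorization": f"Bearer {api_key}"},  # assumed auth scheme
    )
    if opener is None:
        handler = urllib.request.HTTPSHandler(context=tls_context())
        opener = urllib.request.build_opener(handler)
    with opener.open(req, timeout=10) as resp:
        return json.load(resp)


def handle_webhook(raw_body: str, api_key: str, opener=None) -> str:
    """Webhook entry point: id from the body, status from the API, never the reverse."""
    payment_id = parse_webhook_body(raw_body)
    payment = fetch_payment(payment_id, api_key, opener)
    if payment.get("id") != payment_id:
        raise ValueError("API returned a different object than the one requested")
    return payment["status"]
```

The `opener` parameter exists so the transport can be swapped out in tests; in production the default path is used and the status that drives order fulfilment always comes from the fetched object, never from the webhook body.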
Reporting vulnerabilities
If you believe you have found a security issue in our product or service, please notify us as soon as possible by emailing us at [email protected]. For more information on this program, please refer to our Responsible Disclosure Policy.