Application and approval requirements

Payment processing is the core part of Genstore merchant workflows. Our stores operate around the clock, selling products to customers globally. We rely on payment partners to provide secure payment experiences and support merchants in completing collections, settlements, and withdrawals.

If a payment extension fails to meet the following requirements, Genstore has the right to take actions including but not limited to:

• Removing the extension from the payment gateway list
• Suspending or restricting access to the payment ecosystem
• Terminating the partner's participation in the payment ecosystem
• Taking any other necessary actions

Security and compliance

Payment extensions must ensure the security of buyer payment information and comply with industry standards and legal requirements:

• Data collection and compliance: Collect payment information legally and securely, in compliance with PCI DSS requirements; unauthorized buyer data must not be stored.
• Transaction processing: All transactions must be settled within 5 days and executed according to Genstore's specified parameters.
• Redirect: In offsite payment scenarios, buyers must be correctly redirected back to Genstore.
• Risk and fraud control: Partners must actively monitor transaction risks. If a merchant's payments show an unusually high proportion of fraud or high-risk transactions (as determined by Genstore), Genstore has the right to take restriction or removal actions.

Transparency and merchant agreements

• Transparency: Payment partners must provide transparent and easy-to-understand fee breakdowns for merchants.
• Merchant agreements: No fees should be disguised as "Genstore fees" on invoices.
• Termination agreement: Merchants must have the right to terminate the agreement with 7 days' notice without being charged penalties or additional fees.

Prohibited actions

Payment extensions must not perform any of the following actions:

• Use any Genstore API other than the payment application API and mandatory Webhooks.
• Require merchants to install additional applications to complete transactions.
• Use custom payment features to modify the payment options on the checkout page.
• Enable unnecessary request scopes (such as network access or access to protected customer data).
• Abuse payment credentials; payment credentials may only be used for the original transaction or for services explicitly authorized by Genstore.
• Reassign, share, transfer, or sell access to the payment platform without Genstore's authorization.
• Create false or fraudulent merchants, orders, or transactions.

Naming conventions

To ensure clarity and fairness when merchants choose a payment method, payment extensions must adhere to the following naming requirements:

• Must not contain marketing text (e.g., "The best payment provider in the world: 50 payment methods").
• Must not manipulate letter order to achieve a higher ranking.
• The extension name must accurately reflect the actual payment method, as this is the only information visible to merchants.

Functional requirements

Payment extensions must support at least:

• Payment collection, refunds, and test transactions
• Strong Customer Authentication (SCA) required for countries/regions providing credit card payments, including 3-D Secure verification (where applicable)

Technical requirements

• Idempotency: To ensure a consistent user experience, payment extensions must implement idempotency.
• Retry strategy: Payment extensions must retry requests according to a retry strategy in case of network errors.
• Mutual TLS (mTLS): Must use mutual TLS validation to ensure secure, trusted bidirectional traffic between Genstore and your payment extension, using Genstore's CA certificate for validation.
• HMAC verification: Redirect requests during installation must verify the hmac parameter; however, hmac is not included in payment operation requests (e.g., payment, refund, capture, and void) initiated by Genstore to you.
• Rate limiting: Extension calls must comply with the API rate limit guidelines.
• API version control: Only supported API versions may be used, and unstable versions must not be used in production. Extensions should configure a fixed API version and follow Genstore's version update cycle.
• 3-D Secure: For countries/regions where 3-D Secure is required by law or industry standards, credit card payment extensions must support 3-D Secure authentication.
• Compliant Webhooks: Payment extensions must implement compliant Webhooks.

Merchant experience requirements

• Availability: Extensions must maintain ≥ 99.95% uptime (24/7).
• Response time: In case of interruptions or critical issues, partners must respond within 2 hours.

Payment extension limitations

• Line items, order IDs, and checkout IDs cannot be retrieved via the payment application API.
• Payment extensions will not be displayed in the Genstore app store and can only be installed and activated in Genstore merchant admin → Settings → Payments.