
Security
Secure Payment Integration: Lessons from Joco Exec
Kaleb McIntosh
Dec 20, 2025
10 min read
## Security First
When building Joco Exec's payment system, security was paramount. Handling payment data for a luxury transportation service means zero tolerance for vulnerabilities.
## Key Security Implementations
### 1. Server-Side Validation
Never trust client-side data. The client only sends a booking id; distance and every fare component are computed server-side from data the server already holds:
```javascript
// Server-side price calculation. `Booking` and `calculateDistance`
// are the application's own model and distance helper.
const calculateFare = async (bookingId) => {
  const booking = await Booking.findById(bookingId);
  if (!booking) throw new Error('Booking not found');
  const distance = await calculateDistance(booking.pickup, booking.dropoff);
  const baseFare = 50;        // flat base fare in USD
  const perMile = 3.5;        // per-mile rate in USD
  const distanceCharge = distance * perMile;
  return {
    baseFare,
    perMile,
    distanceCharge,
    total: baseFare + distanceCharge
  };
};
```
### 2. JWT Authentication with Role-Based Access
```javascript
const jwt = require('jsonwebtoken');

// The signing secret is read from the environment, never hard-coded in source.
const JWT_SECRET = process.env.JWT_SECRET;

const verifyAdmin = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  let decoded;
  try {
    // verify() throws on a bad signature or an expired token; pinning the
    // algorithm prevents a token signed with a different algorithm from being accepted
    decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
  } catch (err) {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }
  if (decoded.role !== 'admin') {
    return res.status(403).json({ error: 'Admin access required' });
  }
  next();
};
```
### 3. Square Payment Integration
```javascript
const crypto = require('node:crypto');

// `squareClient` is the application's configured Square SDK client.
// Pass an idempotencyKey tied to the booking so that a retried request
// reuses the same key and is not charged twice; a fresh UUID is only the fallback.
const processPayment = async (amount, sourceId, idempotencyKey = crypto.randomUUID()) => {
  const response = await squareClient.paymentsApi.createPayment({
    sourceId,
    amountMoney: {
      // Convert to integer cents; amount * 100 alone leaves float residue (19.99 -> 1998.99...)
      amount: Math.round(amount * 100),
      currency: 'USD'
    },
    idempotencyKey
  });
  return response.result.payment;
};
```
## Lessons Learned
- Always validate on the server
- Use idempotency keys for payments
- Implement proper error handling
- Log everything for auditing

Kaleb McIntosh
Full-Stack Software Engineer
Founder, McIntosh Digital Solutions

