Payment processing is the most critical component of any e-commerce platform. In Bangladesh, the digital payment landscape includes traditional card-based gateways, mobile financial services (MFS), and emerging wallet solutions. Integrating these systems correctly requires understanding their APIs, security requirements, and the unique characteristics of the Bangladeshi payment ecosystem. This guide covers the technical details developers need to implement robust payment processing.

The Bangladesh Payment Landscape

Bangladesh's digital payment ecosystem is dominated by a few key players. SSLCommerz is the most widely used payment gateway, supporting Visa, Mastercard, AMEX, and local bank integrations. Mobile financial services — primarily bKash and Nagad — account for a rapidly growing share of digital transactions, with bKash alone processing over 11 million daily transactions. Understanding the strengths and integration patterns of each provider is essential for maximizing payment success rates.

SSLCommerz Integration

SSLCommerz provides both session-based and tokenized payment APIs. In the session-based flow the customer is redirected to SSLCommerz's hosted payment page, which collects and processes the card data. This is the recommended approach for most merchants: card data never reaches your servers, which keeps most of the PCI DSS burden with SSLCommerz and your own compliance scope small.

The integration starts with your server sending a POST request to the session API with the transaction details: amount, currency (BDT), a transaction ID you generate, customer information, and your success, fail, cancel and IPN callback URLs. SSLCommerz returns a session key and a gateway URL, and your frontend redirects the customer there. After payment, SSLCommerz does two separate things: it POSTs an IPN (Instant Payment Notification) to your server-side callback endpoint, and it redirects the customer's browser to your success or failure page. Only the first is a server-to-server message; the second passes through the customer's browser and proves nothing on its own.

Validation and Security

Never trust client-side payment confirmations, including the parameters appended to your own success URL. Always validate the transaction server-side by calling SSLCommerz's validation API with the validation ID (val_id) received in the IPN, and treat that response, not the IPN body, as authoritative. Check that the status is VALID (or VALIDATED, if the transaction was validated before) and that the transaction ID, amount and currency match your order record. Store the validation response, including the bank transaction ID, card type and risk assessment, alongside the order. Make the handler idempotent: SSLCommerz may deliver the same IPN more than once, so a val_id you have already processed must never create or fulfil a second order.
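
The following is an added example of that handler, written for Node.js; it is not SSLCommerz's own library or the page's code. Field names (tran_id, val_id, amount, currency, status, bank_tran_id, card_type, risk_level) follow SSLCommerz's public documentation and should be confirmed against the current API reference. The validation API call is injected as a function and backed by a constructed lookup table so the example runs offline; in production that function performs the HTTPS request to the validator endpoint with val_id, store_id and store_passwd.

```javascript
// Added example, not SSLCommerz's own code: one IPN handler that decides
// purely from the provider's validation response. Field names follow
// SSLCommerz's public docs (assumption: confirm against the current reference).

// Constructed order store: what OUR system expects for each transaction.
const orders = new Map([
  ['ORD-1001', { amount: '1500.00', currency: 'BDT', state: 'pending' }],
]);

// Idempotency record: validation IDs already processed.
const processedValIds = new Set();

// Constructed stand-in for the validation API. In production this is an
// HTTPS GET to the validator endpoint with val_id, store_id and store_passwd.
const fakeValidatorResponses = {
  'VAL-GOOD': { status: 'VALID', tran_id: 'ORD-1001', amount: '1500.00', currency: 'BDT',
                bank_tran_id: 'BANK-77', card_type: 'VISA-Dutch Bangla', risk_level: '0' },
  'VAL-LOW':  { status: 'VALID', tran_id: 'ORD-1001', amount: '1.00', currency: 'BDT',
                bank_tran_id: 'BANK-78', card_type: 'VISA-Dutch Bangla', risk_level: '0' },
};
function fakeValidate(valId) {
  return fakeValidatorResponses[valId] || { status: 'INVALID_TRANSACTION' };
}

// Compare in paisa so '1500' and '1500.00' agree and float noise cannot bite.
function amountsEqual(a, b) {
  return Math.round(Number(a) * 100) === Math.round(Number(b) * 100);
}

// Returns { ok, reason, record? }. `ipn` is the parsed POST body; its amount
// and status are deliberately never read: only the validation response counts.
function handleIpn(ipn, validate = fakeValidate) {
  const order = orders.get(ipn.tran_id);
  if (!order) return { ok: false, reason: 'unknown_order' };
  if (processedValIds.has(ipn.val_id)) return { ok: true, reason: 'duplicate_ignored' };

  const v = validate(ipn.val_id);
  if (v.status !== 'VALID' && v.status !== 'VALIDATED') return { ok: false, reason: 'not_valid:' + v.status };
  if (v.tran_id !== ipn.tran_id) return { ok: false, reason: 'tran_id_mismatch' };
  if (v.currency !== order.currency) return { ok: false, reason: 'currency_mismatch' };
  if (!amountsEqual(v.amount, order.amount)) return { ok: false, reason: 'amount_mismatch' };
  // A second, distinct, valid payment for an order that is already paid is a
  // possible double charge: flag it for review instead of fulfilling twice.
  if (order.state !== 'pending') return { ok: false, reason: 'order_not_pending' };

  processedValIds.add(ipn.val_id);
  order.state = 'completed';
  order.validation = { bank_tran_id: v.bank_tran_id, card_type: v.card_type, risk_level: v.risk_level };
  return { ok: true, reason: 'completed', record: order.validation };
}

// Walk the handler through a constructed sequence: a body that lies about the
// amount, an unknown val_id, a val_id for an order we never created, the
// genuine IPN, and the same IPN redelivered.
function demoIpnSequence() {
  const ipns = [
    { tran_id: 'ORD-1001', val_id: 'VAL-LOW',  amount: '1500.00', currency: 'BDT', status: 'VALID' },
    { tran_id: 'ORD-1001', val_id: 'VAL-NOPE', amount: '1500.00', currency: 'BDT', status: 'VALID' },
    { tran_id: 'ORD-9999', val_id: 'VAL-GOOD', amount: '1500.00', currency: 'BDT', status: 'VALID' },
    { tran_id: 'ORD-1001', val_id: 'VAL-GOOD', amount: '1500.00', currency: 'BDT', status: 'VALID' },
    { tran_id: 'ORD-1001', val_id: 'VAL-GOOD', amount: '1500.00', currency: 'BDT', status: 'VALID' },
  ];
  return ipns.map((ipn) => handleIpn(ipn).reason);
}
```

The first constructed IPN claims 1500.00 in its body while the validator reports 1.00; the handler rejects it because the body is never consulted. In a real deployment handleIpn(req.body) runs inside the IPN route, and the order-level checks (amount, currency, state) are the same ones the validator cannot make for you because it does not know your order book.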

bKash Payment Integration

bKash offers a tokenized Checkout API for merchant integrations. The flow has three steps: granting an access token with your app credentials, creating a payment with the amount, currency and a payer reference (your order ID or the customer's wallet number), and executing the payment after the customer has authorized it on the bKash side with their wallet number, OTP and PIN.

Key technical considerations for bKash include the authorization timeout: customers have a limited window to approve the payment, and a payment that was created but never executed must not be treated as paid. Poll the payment status API or consume the callback to learn whether the payment completed, was declined, or timed out, and keep "we could not find out" separate from "declined". bKash sandbox environments can be unreliable, so build retry logic for transient errors and test thoroughly before going live.
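
An added example of that polling loop (Node.js; not bKash's SDK or the page's code) follows. The status fetcher, clock and sleep are injected so the logic runs offline and is testable; the 'completed' / 'declined' / 'pending' values and the 60-second authorization window are this example's assumptions, to be mapped from bKash's real status field and documented timeout.

```javascript
// Added example, not bKash's SDK: poll a created payment until it is final or
// the customer's authorization window closes, surviving transient sandbox
// errors without ever mistaking our own connectivity problems for a decline.

class TransientError extends Error {}

// fetchStatus(paymentId) -> 'completed' | 'declined' | 'pending' (assumed
// normalised values), or throws TransientError for a 5xx, network timeout or
// sandbox hiccup. Anything else thrown is a programming error and propagates.
function pollPayment(paymentId, fetchStatus, opts) {
  const { now, sleep, deadlineMs, intervalMs, maxTransientErrors = 3 } = opts;
  const deadline = now() + deadlineMs;
  let transientErrors = 0;
  let attempts = 0;
  for (;;) {
    attempts++;
    let status = null;
    try {
      status = fetchStatus(paymentId);
      transientErrors = 0;                       // a good answer resets the error budget
    } catch (e) {
      if (!(e instanceof TransientError)) throw e;
      transientErrors++;
    }
    if (status === 'completed' || status === 'declined') return { outcome: status, attempts };
    // Repeated failures to reach the provider say nothing about the payment:
    // report 'unknown' so the order stays in processing for reconciliation.
    if (transientErrors > maxTransientErrors) return { outcome: 'unknown', attempts };
    // At the deadline, only a freshly observed 'pending' is a real timeout.
    if (now() >= deadline) return { outcome: status === 'pending' ? 'timed_out' : 'unknown', attempts };
    sleep(Math.min(intervalMs, deadline - now()));
  }
}

// Test doubles: a clock that advances only when we sleep, and a fetcher that
// plays back a constructed sequence of answers (the last one repeats).
function fakeClock(startMs = 0) {
  let t = startMs;
  return { now: () => t, sleep: (ms) => { t += ms; } };
}
function scriptedFetcher(script) {
  let i = 0;
  return () => {
    const step = script[Math.min(i, script.length - 1)];
    i++;
    if (step === 'error') throw new TransientError('sandbox returned 502');
    return step;
  };
}

const AUTH_WINDOW_MS = 60000; // assumed authorization window for this example
const POLL_INTERVAL_MS = 5000;

// Run one constructed scenario against the fake clock.
function runScenario(script) {
  return pollPayment('TRX-1', scriptedFetcher(script),
    { ...fakeClock(), deadlineMs: AUTH_WINDOW_MS, intervalMs: POLL_INTERVAL_MS });
}
```

With a real clock, pass now: Date.now and a sleep that blocks or, more idiomatically, make the loop async and await a timer. The order in your system only moves to completed on 'completed'; 'timed_out' and 'unknown' both leave it in processing, where the reconciliation job described later picks it up.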

Nagad Integration

Nagad's merchant API follows a similar pattern to bKash but authenticates each payment with an RSA challenge-response. Your server calls the initialize API with sensitive data encrypted to Nagad's public key and signed with your merchant private key; Nagad returns a challenge encrypted to your public key and signed with its own key. You verify Nagad's signature, decrypt the challenge with your merchant private key, answer it (again encrypted and signed) and send it back to complete the initialization. The customer then authorizes the payment through the Nagad app, and Nagad calls your callback URL. Keep the merchant private key out of the code base and the container image; it is the credential that authorizes payments on your behalf. Nagad's API documentation has improved significantly, but developers should be prepared for occasional inconsistencies between the documentation and the actual API behaviour.

PCI Compliance Essentials

If you use hosted payment pages (recommended), you are typically eligible for PCI DSS SAQ A, the shortest self-assessment questionnaire, because your servers never store, process or transmit card data. That does not make your own pages irrelevant: they must be served over HTTPS, they should carry a Content Security Policy so an injected script cannot swap the redirect target or overlay a fake card form, and session management must be sound. PCI DSS v4.0 pays particular attention to the scripts loaded on pages that lead to the payment form. If your application handles card data directly, which is rarely necessary, you face the full PCI DSS requirements, a significantly more expensive and complex undertaking.

Security Best Practices

Store API keys, store passwords and merchant private keys in environment variables or a secrets manager, never in source code or client-side JavaScript. All payment-related API calls must happen server-side. Verify the signature or hash on IPN callbacks (SSLCommerz's verify_sign, for example) so that a request to your callback endpoint is at least known to come from someone holding the store password, and still follow it with the validation API call. Log all payment events with enough detail for debugging, but redact card numbers, wallet numbers and credentials before they reach the log.

Error Handling and Reconciliation

Payment failures are inevitable. Common scenarios include a network timeout while the provider is calling your IPN endpoint (the customer paid, but your system never heard), mismatched amounts due to currency rounding, and duplicate transaction attempts. Build a reconciliation job that periodically queries each payment provider's transaction status API and compares the answer with your order records. Where the provider holds money you have not recorded, complete the order; where you have marked an order paid that the provider does not know about, or the amounts differ, flag it for manual review rather than correcting it automatically.

Implement a payment status state machine in your order system: pending, processing, completed, failed, refunded, and disputed. Each state transition should be logged with timestamps and trigger appropriate user notifications.
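
The following is an added example (Node.js; not any provider's code or the page's own) that puts the two preceding paragraphs together: an order state machine with an explicit transition table, and a reconciliation pass that reads the provider's view through an injected lookup and either applies a transition or flags the order. The orders and provider answers are constructed; in production the lookup wraps each gateway's transaction-status API behind one normalised shape.

```javascript
// Added example, not any gateway's code: allowed state transitions plus a
// reconciliation pass over constructed sample data.

const TRANSITIONS = {
  pending:    ['processing', 'failed'],
  processing: ['completed', 'failed'],
  completed:  ['refunded', 'disputed'],
  failed:     ['pending'],      // the customer tries again
  refunded:   [],
  disputed:   ['refunded'],
};

// Every move goes through here, so an impossible jump (refunded -> completed)
// is an exception, and every legal one leaves a timestamped log entry.
function transition(order, to, log, now = () => new Date().toISOString()) {
  const allowed = TRANSITIONS[order.state] || [];
  if (!allowed.includes(to)) {
    throw new Error(`illegal transition ${order.state} -> ${to} for ${order.id}`);
  }
  log.push({ at: now(), orderId: order.id, from: order.state, to });
  order.state = to;
  return order;
}

function sameAmount(a, b) {
  return Math.round(Number(a) * 100) === Math.round(Number(b) * 100);
}

// providerStatus(order) -> { status: 'paid' | 'unpaid' | 'refunded' | 'unknown', amount? }
// (assumed normalised shape produced by a per-gateway adapter).
function reconcile(orders, providerStatus, log) {
  const flagged = [];
  for (const order of orders) {
    const p = providerStatus(order);
    if (p.status === 'unknown') {
      flagged.push({ orderId: order.id, reason: 'provider_unknown' });
    } else if (p.status === 'paid' && !sameAmount(p.amount, order.amount)) {
      flagged.push({ orderId: order.id, reason: 'amount_mismatch' });
    } else if (p.status === 'paid' && (order.state === 'pending' || order.state === 'processing')) {
      // Money arrived but our callback never did: catch the order up.
      if (order.state === 'pending') transition(order, 'processing', log);
      transition(order, 'completed', log);
    } else if (p.status === 'unpaid' && order.state === 'completed') {
      // We fulfilled without money. Never auto-revert a completed order; a person decides.
      flagged.push({ orderId: order.id, reason: 'completed_without_payment' });
    } else if (p.status === 'refunded' && order.state === 'completed') {
      transition(order, 'refunded', log);
    }
  }
  return flagged;
}

// Constructed sample: five orders and what the provider says about each.
const sampleOrders = [
  { id: 'ORD-1', state: 'processing', amount: '1500.00' }, // IPN lost; provider has the money
  { id: 'ORD-2', state: 'completed',  amount: '200.00'  }, // we say paid, provider says no
  { id: 'ORD-3', state: 'processing', amount: '999.00'  }, // provider took a different amount
  { id: 'ORD-4', state: 'completed',  amount: '50.00'   }, // refunded at the provider
  { id: 'ORD-5', state: 'pending',    amount: '10.00'   }, // provider lookup failed
];
const sampleProviderView = {
  'ORD-1': { status: 'paid', amount: '1500.00' },
  'ORD-2': { status: 'unpaid' },
  'ORD-3': { status: 'paid', amount: '99.00' },
  'ORD-4': { status: 'refunded' },
};

function runReconciliation() {
  const log = [];
  const orders = sampleOrders.map((o) => ({ ...o }));
  const flagged = reconcile(orders, (o) => sampleProviderView[o.id] || { status: 'unknown' }, log);
  return { orders, flagged, log };
}
```

The asymmetry is deliberate: reconciliation is allowed to move an order forward when the provider shows money, but it only flags the cases where your record is more optimistic than the provider's, since reversing fulfilment is a business decision, not a data fix.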

Multi-Gateway Strategy

Smart routing across multiple gateways improves payment success rates. If a transaction fails on one gateway because of a temporary, gateway-side problem, automatically retry it on an alternative gateway. Be strict about what counts as a failure: an attempt that timed out or ended in an unknown state may already have charged the customer, so it belongs to reconciliation, not to a second gateway, and an issuer decline is not a gateway fault worth shopping around. Monitor success rates per gateway and per payment method and route each transaction to the best-performing provider. This approach can improve overall payment success rates by 5-15%. At Nexis Limited, we build payment integration layers that abstract gateway-specific logic behind a unified interface. Learn more about our services or contact us to discuss your payment integration requirements.
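
An added example of such a router (Node.js; not any gateway's SDK, nor Nexis Limited's integration layer) follows. The gateway names and the charge() interface, which returns one of 'ok', 'declined', 'error' or 'unknown', are this example's assumptions; a real adapter maps each provider's responses onto them.

```javascript
// Added example, not any gateway's code: route to the gateway with the best
// recent success rate and fail over only on a definitive, gateway-side error.

class GatewayRouter {
  constructor(gateways, windowSize = 20) {
    this.gateways = gateways;      // [{ name, charge(order) }] in configured preference order
    this.windowSize = windowSize;  // how many recent attempts feed the success rate
    this.history = new Map(gateways.map((g) => [g.name, []]));
  }

  record(name, succeeded) {
    const h = this.history.get(name);
    h.push(succeeded);
    if (h.length > this.windowSize) h.shift();
  }

  successRate(name) {
    const h = this.history.get(name);
    return h.length ? h.filter(Boolean).length / h.length : 1; // no data yet: optimistic
  }

  // Highest success rate first; sort is stable, so ties keep configured order.
  ranked() {
    return [...this.gateways].sort((a, b) => this.successRate(b.name) - this.successRate(a.name));
  }

  pay(order) {
    const tried = [];
    for (const g of this.ranked()) {
      tried.push(g.name);
      const r = g.charge(order);
      if (r.outcome === 'ok') {
        this.record(g.name, true);
        return { outcome: 'ok', gateway: g.name, ref: r.ref, tried };
      }
      if (r.outcome === 'declined') {
        // The issuer or wallet said no. Not a gateway fault, and shopping a
        // decline around mostly produces more declines.
        return { outcome: 'declined', gateway: g.name, tried };
      }
      if (r.outcome === 'unknown') {
        // Timeout or ambiguous response: the customer may have been charged.
        // Hand the order to reconciliation; never retry it on another gateway.
        return { outcome: 'unknown', gateway: g.name, tried };
      }
      this.record(g.name, false); // 'error': definitive gateway-side failure, safe to fail over
    }
    return { outcome: 'failed', tried };
  }
}

// Constructed gateways: one that is down, one that works, one that goes silent.
function demoRouting() {
  const down   = { name: 'gateway-a', charge: () => ({ outcome: 'error' }) };
  const steady = { name: 'gateway-b', charge: (o) => ({ outcome: 'ok', ref: 'B-' + o.id }) };
  const silent = { name: 'gateway-c', charge: () => ({ outcome: 'unknown' }) };

  const router = new GatewayRouter([down, steady]);
  const first = router.pay({ id: 'ORD-1', amount: '1500.00' });    // a fails, b rescues
  const second = router.pay({ id: 'ORD-2', amount: '300.00' });    // b now ranks first

  const cautious = new GatewayRouter([silent, steady]);
  const ambiguous = cautious.pay({ id: 'ORD-3', amount: '75.00' }); // stops after c

  return { first, second, ambiguous, rateA: router.successRate('gateway-a') };
}
```

The 'unknown' branch is the one that protects the customer: a retry after a silent timeout is exactly how double charges happen, so the router stops and leaves that order for the reconciliation job to settle.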