Alipay Transfer Card System Setup Guide: Signature-free Aggregated Payment and H5 Encrypted Redirect Solution Analysis

I recently took on a customized project for an Alipay transfer card system. The client requested signature-free aggregated payment support and H5 encrypted redirect functionality. Honestly, there are many similar systems on the market, but very few run stably. I have organized the entire setup and debugging process to serve as a reference for those with similar needs.

Alipay transfer system interface

1. Core System Functions and Technical Architecture

This system is essentially a payment aggregation platform, primarily solving the automation needs of personal Alipay收款. It mainly includes these modules:

  1. Transfer Flight Mode: After users pay to a designated Alipay account, the system automatically recognizes the payment information and sends a callback notification to the merchant, with no manual confirmation required throughout the process.
  2. Signature-free Aggregated Payment: Integrates multiple personal收款 methods, not relying on enterprise payment interfaces, suitable for small and micro merchants to quickly接入.
  3. Encrypted H5 Redirect: Payment pages use encrypted transmission to prevent man-in-the-middle tampering with amounts and收款 account information.
  4. Automatic Callback Notification: After successful payment, HTTP callback notifies the merchant system with a retry mechanism.

Payment aggregation interface
H5 redirect page

2. Setup Environment Preparation

Before starting the setup, I confirmed the environment requirements and made a checklist:

  • Server: At least 2 cores and 4GB RAM, bandwidth at least 5M. For domestic users, choose Alibaba Cloud or Tencent Cloud.
  • PHP Version: 7.4 or above, need curl, openssl, and mbstring extensions enabled.
  • Database: MySQL 5.7 with utf8mb4 character set.
  • Domain: Needs filing. Payment systems have requirements for domain reputation.
  • SSL Certificate: HTTPS is mandatory. Encrypted transmission on payment pages is a basic requirement.
  • Monitoring Script: Need to deploy Alipay bill monitoring for real-time payment detection.

Backend configuration page

3. Key Difficulties During Deployment

Several aspects of this project stuck me for a while. I am recording the solutions here.

3.1 Stability of Alipay Bill Monitoring

The most troublesome part was real-time monitoring of Alipay bills. The early solution used crawlers to scrape bill pages, but this was easily subject to risk control. Later I switched to Alipay Open Platform’s message push interface, which is much more stable, but applying for interface permissions is quite troublesome and requires enterprise qualifications.

3.2 Implementation of H5 Encrypted Redirect

The client required that payment links not expose收款 account information. I implemented two layers of encryption: the first layer uses AES to encrypt the收款 account and amount, and the second layer uses RSA to encrypt the AES key. The payment page decrypts and dynamically generates a收款 QR code, with an effective time set to 5 minutes, automatically expiring after that.

3.3 Reliability of Callback Notifications

Callback notifications cannot be lost, otherwise merchants will not receive payment success messages. I designed a three-level retry mechanism: first callback immediately, retry after 5 minutes if failed, retry again after 30 minutes if still failed. If all three attempts fail, it is recorded in the exception log for manual processing.

Callback logs
Payment flow chart

4. Security and Compliance Notes

Payment systems involve fund security. These points must be noted:

  • All interfaces must have signature verification to prevent forged requests.
  • Database sensitive fields must be encrypted, especially收款 account information.
  • Payment pages need anti-brushing mechanisms, with request frequency limits for the same IP.
  • Regularly change encryption keys, recommend rotating once a week.
  • Logs must be desensitized, cannot record user payment information in plain text.

Risk Warning: Using personal Alipay收款 for commercial purposes carries the risk of being subject to risk control. It is recommended to control daily收款 amounts and frequency. For large amounts, it is recommended to use enterprise payment interfaces. This solution is more suitable for small-amount high-frequency scenarios.

5. FAQ Frequently Asked Questions

Q1: Does this system require applying for Alipay official interfaces?

No. It uses a personal收款 code automatic recognition solution, but stability is not as good as official interfaces. If business volume is large, it is recommended to simultaneously apply for official interfaces as a backup channel.

Q2: How long after user payment can the callback be received?

Normally within 5-15 seconds. If Alipay network fluctuates or risk control intercepts, it may be delayed up to 2-3 minutes. It is recommended that the merchant end show loading prompts and not let users click repeatedly.

Q3: Can it support WeChat Pay?

The source code architecture supports multi-channel expansion. WeChat Pay needs separate configuration. WeChat personal收款 monitoring is stricter than Alipay. It is recommended to use WeChat merchant enterprise payment interfaces.

Q4: What if the server is attacked?

Payment systems must have good security protection. It is recommended to configure WAF firewalls, close unnecessary ports, not expose databases to the outside, and regularly back up data to remote locations. Switch to backup servers immediately when attacked.


Original Reference

This article is organized and recreated based on the demo content from System Demo Site, for learning and communication purposes only.

#AlipayTransfer #SignatureFreePayment #AggregatedPayment #H5Encryption #PaymentSystem