Never Update on First Notice: The Payment Confirmation Strategy That Prevents Fraud

--

Press enter or click to view image in full size

There is a moment in every payment flow that looks like success but isn’t.

The notification arrives. The webhook fires. The status says confirmed. The system updates. The merchant releases the goods, or the platform credits the account. Then, hours later, the payment provider sends a correction. The original notification was premature. The transaction failed. The money never moved.

By then, it’s too late.

This is one of the most common and costly mistakes in payment system design, and it happens because engineers treat the first notification as the final word. In synchronous payment flows, that assumption is usually safe. In asynchronous ones, it is a liability.

The difference between synchronous and asynchronous confirmation

In a synchronous payment flow, the response comes back in real time. The user submits payment details, the processor checks, approves or declines, and returns a definitive status within the same session. Card payments on a checkout page work this way. The result is immediate and reliable.

Asynchronous flows work differently. The payment is initiated, but the final status is determined outside the original transaction session, sometimes seconds later, sometimes minutes, sometimes longer. Mobile money payments, bank transfers, USSD transactions, and wallet-based payments in many African markets all fall into this category.

The problem is that asynchronous payment methods often send an Instant Payment Notification, or IPN, when the transaction is initiated, not when it is settled. That notification looks like a confirmation. It carries a transaction reference, a timestamp, and a status that reads as successful. But it is a receipt for an attempt, not a guarantee of completion.

Systems that act on that first notification are building on unverified ground.

What actually goes wrong

Consider a mobile money payment on a platform that credits user wallets. A user initiates a transfer. The mobile money provider fires an IPN. The system receives it, reads the status as successful, and credits the wallet. The user withdraws immediately.

Twenty minutes later, the provider sends a status update. The transaction timed out on their end. The funds were never actually moved. The platform has credited a wallet with money that does not exist.

This is not a theoretical risk. It plays out regularly across payment integrations in markets where mobile money and alternative payment rails are primary, not secondary, channels. The volume of transactions on these rails in Nigeria and across Africa means the exposure compounds quickly at scale.

The fraud angle makes it worse. Bad actors understand these windows. A system that credits on first notice, before confirmation, is a system with a gap that can be exploited deliberately and repeatedly.

The confirmation pattern that closes the gap

The fix is not complicated, but it requires discipline in how payment flows are architected.

When an IPN arrives, do not treat it as confirmation. Treat it as a trigger. The notification tells you a transaction has been attempted and gives you a reference. What you do next is what determines whether your system is reliable.

After receiving the IPN, use the transaction reference to call the payment provider’s get-transaction-status endpoint directly. This is a synchronous call made by your system, on your terms, to retrieve the actual current status of that specific transaction. You are not waiting for the provider to tell you what happened. You are asking.

If the status returns as successful, proceed. If it returns as pending, wait and retry. If it returns as failed, reject the transaction and notify the user. Do not update your system until you have a confirmed status from a direct status check, not from a notification you received passively.

For transactions that return as pending, implement a retry schedule with a defined ceiling. Check at one minute, five minutes, and fifteen minutes. After a defined threshold, if the status has not resolved successfully, treat it as failed. Do not leave transactions in a pending state indefinitely. That is another gap.

Why this matters more in African payment ecosystems

Mobile money and alternative payment rails are not edge cases in African fintech. For many platforms and their users, they are the primary way money moves. USSD sessions drop. Mobile money providers have processing queues. Network conditions affect transaction completion in ways that are less common on card rails.

Building payment confirmation logic for ideal conditions, where the first notification is always accurate and always final, is building for a market that does not exist.

The engineers and architects who understand asynchronous confirmation patterns are the ones building systems that hold up at scale, under load, and under pressure.

A payment system that acts on unverified notifications is not a payment system. It is an assumption with a transaction reference attached.

Confirm before you commit. Every time.

Build a fintech solution the right way with Digicore

Are you looking to build a robust and scalable fintech solution? Partner with Digicore — the experts who get it done right. We build customer-centric solutions that are secure, reliable, and compliant. No cutting corners, no legal headaches. Just fintech solutions that work for your business.

Ready to build your fintech dream the smart way? Get in touch today.