Bangladesh's digital payment ecosystem has undergone a remarkable transformation. With over 200 million mobile financial service accounts and a rapidly growing merchant acceptance network, integrating local payment gateways is no longer optional for mobile applications targeting Bangladeshi users. This guide covers the technical implementation of bKash, Nagad, and SSLCommerz—the three dominant payment channels—along with security practices and UX patterns that maximize conversion.
bKash Payment Gateway Integration
bKash offers both a tokenized checkout flow and a direct API integration. The tokenized checkout is recommended for most applications—it redirects users to bKash's hosted payment page, handles OTP verification, and returns a payment ID upon completion. This approach minimizes PCI compliance burden since sensitive data never touches your servers.
The integration flow begins with a Grant Token API call using your app credentials to obtain an authorization token. You then use this token to create a payment request specifying the amount, currency (BDT), merchant invoice number, and callback URLs. Upon successful payment, bKash sends a callback to your server with the payment ID and transaction status. Always verify the payment server-side by calling the Execute Payment API—never trust client-side callbacks alone.
For recurring payments and subscriptions, bKash provides an agreement-based tokenization system. Users authorize a one-time agreement, and subsequent charges can be initiated without user interaction—useful for SaaS applications, subscription services, and installment-based payments common in Bangladeshi e-commerce.
Nagad Payment Integration
Nagad's merchant API follows a similar redirect-based checkout pattern but uses a different authentication mechanism. The integration requires RSA encryption for sensitive payload fields and HMAC-based request signing. Nagad provides sandbox credentials for development, though the sandbox environment can be intermittently unavailable—plan for this in your development timeline.
The payment flow involves initializing a checkout session, redirecting the user to Nagad's payment page, and handling the callback upon payment completion or failure. Nagad supports both immediate payments and payment verification through their Verify API endpoint. Implement idempotency keys on your server to handle duplicate callbacks gracefully.
SSLCommerz: The Aggregator Approach
SSLCommerz acts as a payment aggregator, providing a single integration point for multiple payment methods including bKash, Nagad, card payments (Visa, Mastercard, AMEX), net banking, and mobile banking from various Bangladeshi banks. This significantly reduces integration complexity when you need to support multiple payment channels.
SSLCommerz offers three integration modes: Easy Checkout (redirect), Hosted Payment (iframe), and Direct API. For mobile applications, the redirect-based Easy Checkout is most reliable across different device types and webview implementations. The Direct API mode provides more control but, because card data then passes through your systems, requires PCI DSS SAQ D level compliance for card payments.
Configure your SSLCommerz integration with proper IPN (Instant Payment Notification) handling. The IPN endpoint on your server receives POST requests with transaction details—validate the signature, verify the transaction status through the Validation API, and update your order accordingly. Implement retry logic for IPN processing failures.
Security Best Practices
Payment integrations demand rigorous security. Store API credentials in environment variables or a secrets manager—never hardcode them in source files or commit them to version control. Use HTTPS for all payment-related communication. Implement request signing and validate all webhook signatures before processing payment callbacks.
On the mobile client, never store payment tokens in plain text. Use the platform's secure storage: Keychain on iOS and EncryptedSharedPreferences on Android. Implement certificate pinning for API calls to payment endpoints to prevent man-in-the-middle attacks. Log payment events for audit trails but never log sensitive data like card numbers, OTPs, or API secrets.
UX Patterns for Higher Conversion
Payment UX directly impacts conversion rates. Show accepted payment methods prominently early in the checkout flow. Pre-select the most popular payment method for your user base—in Bangladesh, bKash typically commands the highest conversion rates for mobile transactions. Display the total amount in BDT clearly, including any fees, before the user initiates payment.
Handle payment failures gracefully with specific error messages and a clear retry path. Common failure scenarios include insufficient balance, OTP timeout, and network interruption during the payment flow. Implement a pending state for payments that are neither confirmed nor failed, and resolve them through periodic status checks against the payment gateway's verification API.
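The server-side rules above (verify every callback with the gateway rather than trusting its contents, validate the webhook signature first, process duplicate callbacks idempotently, and resolve pending orders by periodic status checks) combined into one handler, as an added example that is not code from the original post or from any gateway's SDK. The HMAC scheme, the callback JSON shape and verify_with_gateway are assumptions standing in for the real bKash Execute, Nagad Verify and SSLCommerz Validation calls.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; load it from a secrets manager in production.
WEBHOOK_SECRET = b"example-shared-secret"

def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw callback body (an assumed scheme, not any gateway's real one)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

class PaymentProcessor:
    def __init__(self, verify_with_gateway):
        # verify_with_gateway(invoice, payment_id) is a hypothetical stand-in for the gateway's
        # verification API; it returns "paid", "failed" or "pending", or raises when unreachable.
        self.verify = verify_with_gateway
        self.orders = {}   # invoice -> {"status": ..., "payment_id": ...}
        self.seen = set()  # idempotency keys of callbacks already processed

    def _settle(self, invoice: str, payment_id: str) -> str:
        try:
            status = self.verify(invoice, payment_id)
        except Exception:
            status = "pending"  # gateway down: keep the order pending, resolve it later
        self.orders[invoice] = {"status": status, "payment_id": payment_id}
        return status

    def handle_callback(self, raw_body: bytes, signature: str) -> str:
        # 1. Reject the callback before parsing it unless the signature matches.
        if not hmac.compare_digest(sign(raw_body), signature):
            raise ValueError("bad signature")
        event = json.loads(raw_body)
        invoice, payment_id = event["invoice"], event["payment_id"]
        # 2. Idempotency: a duplicated or replayed callback must not re-run settlement.
        key = f"{invoice}:{payment_id}"
        if key in self.seen:
            return self.orders[invoice]["status"]
        self.seen.add(key)
        # 3. Ignore event["status"]; only the gateway's own verification answer counts.
        return self._settle(invoice, payment_id)

    def reconcile_pending(self) -> int:
        """Periodic job: re-query every pending order; returns how many were resolved."""
        resolved = 0
        for invoice, order in list(self.orders.items()):
            if order["status"] == "pending":
                if self._settle(invoice, order["payment_id"]) != "pending":
                    resolved += 1
        return resolved
```

Run reconcile_pending from a scheduled job; a callback that arrives while the gateway is unreachable leaves the order pending instead of trusting the status the callback claims.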
Payment Integration Expertise
At Nexis Limited, we have integrated all major Bangladeshi payment gateways across dozens of production applications. Our Digital Menu platform includes built-in payment processing for restaurant orders. Explore our mobile development services for end-to-end payment integration, or contact us to discuss your specific payment requirements.