Thanks for asking. You must have at least a few additional things in place:
- a firewall which allows you to blacklist everything but your customers' IPs
- signing requests and responses (something like JWT)
- build a multi-tenant system, so that different merchants/tenants cannot simulate notifications of each other.
Hope this helped.
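
One way to combine the signing and multi-tenant points, as an added example that is not part of the original answer: each tenant gets its own HMAC key, and the tenant id and a timestamp sit inside the signed payload, so a key issued to one merchant cannot produce a notification that verifies as another's. The tenant names, keys, `MAX_AGE` window and function names are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-tenant secrets; in practice each merchant gets its own random key.
TENANT_KEYS = {"merchant-a": b"a" * 32, "merchant-b": b"b" * 32}
MAX_AGE = 300  # assumed replay window in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mac(key, payload):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def sign_notification(tenant, key, body, now=None):
    """Return 'payload.signature'; tenant id and timestamp are part of the signed payload."""
    iat = int(now if now is not None else time.time())
    claims = {"tenant": tenant, "iat": iat, "body": body}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _mac(key, payload)


def verify_notification(token, now=None):
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        payload, sig = token.split(".")
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        # The key is chosen by the claimed tenant, so only that tenant's key verifies.
        key = TENANT_KEYS[claims["tenant"]]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token or unknown tenant")
    # Constant-time comparison of the expected and presented signatures.
    if not hmac.compare_digest(_mac(key, payload).encode(), sig.encode()):
        raise ValueError("bad signature")
    current = now if now is not None else time.time()
    if abs(current - claims["iat"]) > MAX_AGE:
        raise ValueError("stale notification")
    return claims
```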