What is signature verification?
A cryptographic stamp (usually HMAC) on each callback proving it really came from the gateway and wasn't tampered with. Always verify it before trusting a webhook.
Each webhook carries a signature computed from the payload and a secret key only you and the gateway share. Recompute it on your side and compare before trusting anything in the message. If they differ, discard the request: anyone on the internet can POST to your webhook URL.
Skipping this check is the classic Malaysian integration bug: an attacker replays or forges a success callback and walks away with fulfilled goods that were never paid for. Every gateway documents its exact signing recipe; follow it precisely, including field order and encoding.