diff --git a/app/common/repositories/store/order/StoreOrderRepository.php b/app/common/repositories/store/order/StoreOrderRepository.php index 75635529..3ea5fa44 100644 --- a/app/common/repositories/store/order/StoreOrderRepository.php +++ b/app/common/repositories/store/order/StoreOrderRepository.php @@ -99,6 +99,7 @@ class StoreOrderRepository extends BaseRepository const TYPE_SN_REFUND = 'rwx'; public $saleType; + public $transPwd; /** * StoreOrderRepository constructor. @@ -120,7 +121,15 @@ class StoreOrderRepository extends BaseRepository */ public function pay(string $type, User $user, StoreGroupOrder $groupOrder, $return_url = '', $isApp = false) { - + if (in_array($type, ['balance', 'merBalance'])) { + if (empty($user['withdrawal_pwd'])) { + throw new ValidateException('请设置支付密码'); + } elseif ($this->transPwd) { + throw new ValidateException('请输入支付密码'); + } elseif (!password_verify((string)$this->transPwd, $user['withdrawal_pwd'])) { + throw new ValidateException('支付密码错误'); + } + } if ($type === 'balance') { return $this->payBalance($user, $groupOrder); } diff --git a/app/controller/api/store/merchant/Merchant.php b/app/controller/api/store/merchant/Merchant.php index 09098587..5f4a3971 100644 --- a/app/controller/api/store/merchant/Merchant.php +++ b/app/controller/api/store/merchant/Merchant.php 
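Review bot: The second branch of the new check in `pay()` is inverted: `} elseif ($this->transPwd) {` throws '请输入支付密码' exactly when a password was supplied, while an empty one falls through to `password_verify('', …)` and fails there, so as written no `balance` or `merBalance` payment can pass. It should read `} elseif (!$this->transPwd) {`. The failed-verification branch has no attempt counter or lockout in the visible lines, so unless something upstream throttles this endpoint the payment password is open to repeated guessing. `pay()` continues past the end of the hunk.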
@@ -175,13 +175,19 @@ class Merchant extends BaseController public function createApply($merId) { - $data = $this->request->param(['extract_money', 'financial_type', 'financial_bank_name', 'financial_bank_bank', 'financial_bank_code', 'financial_bank_branch,withdrawal_pwd']); + $data = $this->request->param(['extract_money', 'financial_type', 'financial_bank_name', 'financial_bank_bank', 'financial_bank_code', 'financial_bank_branch', 'withdrawal_pwd']); $withdrawal_pwd = $data['withdrawal_pwd']; - if(empty($withdrawal_pwd)) return \app('json')->fail('请输入提现密码'); //找到商户的密码 $userInfo = \app\common\model\system\merchant\Merchant::getDB()->with('user')->where('mer_id',$merId)->find()->toArray(); - if (!password_verify($pwd = (string)$withdrawal_pwd, $userInfo['user']['withdrawal_pwd'])) - return app('json')->fail('提现密码错误'); + if (empty($userInfo['user']['withdrawal_pwd'])) { + return app('json')->fail('请设置支付密码'); + } + if(empty($withdrawal_pwd)) { + return app('json')->fail('请输入支付密码'); + } + if (!password_verify((string)$withdrawal_pwd, $userInfo['user']['withdrawal_pwd'])) { + return app('json')->fail('提现支付错误'); + } $merchant = app()->make(MerchantRepository::class)->search(['mer_id' => $merId])->field('reg_admin_id,uid,mer_id,mer_name,mer_money,financial_bank,financial_wechat,financial_alipay,financial_type')->find(); if (($msg = $this->checkAuth($merchant)) !== true) { return app('json')->fail($msg); diff --git a/app/controller/api/store/order/StoreOrder.php b/app/controller/api/store/order/StoreOrder.php index 282015eb..80f59309 100644 --- a/app/controller/api/store/order/StoreOrder.php +++ b/app/controller/api/store/order/StoreOrder.php 
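Review bot: The withdrawal password is verified before `checkAuth($merchant)` runs, so in `createApply()` a caller who has not yet been shown to belong to merchant `$merId` can already test guesses against the owner's hash, and the separate '请设置支付密码' reply tells them whether a password exists at all. Moving the `$merchant` lookup and the `checkAuth` call above the three new `if` blocks closes that, assuming no earlier middleware already binds the caller to `$merId` (not visible here). The context line ending in `->find()->toArray()` will also fail on an unknown merchant before any of these checks can return. The last message, '提现支付错误', looks like a slip for '提现密码错误'. The function body continues outside the hunk.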
@@ -125,6 +125,7 @@ class StoreOrder extends BaseController return app('json')->status('public', '下单成功', ['order_id' => $groupOrder->group_order_id]); } try { + $this->repository = $this->request->post('withdrawal_pwd'); return $this->repository->pay($payType, $this->request->userInfo(), $groupOrder, $this->request->param('return_url'), $this->request->isApp()); } catch (\Exception $e) { return app('json')->status('error', $e->getMessage(), ['order_id' => $groupOrder->group_order_id]); diff --git a/app/controller/api/user/User.php b/app/controller/api/user/User.php index 93d4bdb1..ea508d06 100644 --- a/app/controller/api/user/User.php +++ b/app/controller/api/user/User.php @@ -381,7 +381,10 @@ class User extends BaseController //设置提现密码 public function set_withdrawalPassword() { - $data = $this->request->params([ 'password','repassword']); + $data = $this->request->params([ 'password','repassword', 'sms_code']); + $sms_code = app()->make(SmsService::class)->checkSmsCode($this->user->phone, $data['sms_code'], 'set_pwd'); + if (!$data['sms_code'] || !$sms_code) + return app('json')->fail('验证码不正确'); if (empty($data['repassword']) || empty($data['password'])) return app('json')->fail('请输入提现密码'); if ($data['repassword'] !== $data['password']) 
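Review bot: `$this->repository = $this->request->post('withdrawal_pwd');` overwrites the repository with the posted string, so the next line calls `pay()` on a string and raises an `Error`, which the `catch (\Exception $e)` below does not catch. The intent appears to be `$this->repository->transPwd = $this->request->post('withdrawal_pwd');`. Passing the password to `pay()` as an argument instead would avoid keeping a secret on a repository object that may be reused for another call, though how the container scopes the repository is not visible here. The enclosing method starts and ends outside the hunk.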
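Review bot: `checkSmsCode()` in `set_withdrawalPassword()` is called with `$this->user->phone` before anything confirms that a phone is bound, and before the `password`/`repassword` checks. The next hunk introduces the same ordering in `withdrawalPassword()`, where the SMS check was moved above the existing `if (!$this->user->phone)` guard, so an account without a phone now gets '验证码不正确' and the service is queried with an empty number. I would put `if (!$this->user->phone) return app('json')->fail('请先绑定手机号');` first, test `$data['sms_code']` for emptiness before calling the service, and verify the code only after the field checks. If `checkSmsCode()` consumes a code on success (not visible here), the current order burns a valid code whenever the two passwords do not match. Both function bodies continue outside their hunks.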
@@ -396,19 +399,16 @@ class User extends BaseController public function withdrawalPassword() { $data = $this->request->params(['repassword', 'password', 'sms_code']); + $sms_code = app()->make(SmsService::class)->checkSmsCode($this->user->phone, $data['sms_code'], 'change_pwd'); + if (!$data['sms_code'] || !$sms_code) + return app('json')->fail('验证码不正确'); if (!$this->user->phone) return app('json')->fail('请先绑定手机号'); if (empty($data['repassword']) || empty($data['password'])) return app('json')->fail('请输入提现密码'); if ($data['repassword'] !== $data['password']) return app('json')->fail('两次密码不一致'); - - $sms_code = app()->make(SmsService::class)->checkSmsCode($this->user->phone, $data['sms_code'], 'change_pwd'); - if (!$data['sms_code'] || !$sms_code) - return app('json')->fail('验证码不正确'); - $password = $this->repository->encodePassword($data['password']); - $this->repository->update($this->request->uid(), ['withdrawal_pwd' => $password]); return app('json')->success('绑定成功');