This article gives some info on how to be sure that your customers' sensitive card details are secure on peach payments platforms.
Our systems do not process a transaction if it is not authenticated by the customer. There are recurring special workflows, eg. subscription , stored card payments, where authentication was done once at sign-up. The process to authenticate is a direct communication between the bank and their customer.
Neither you, nor Peach have visibility on the actual interaction between the bank and customer (for security reasons). We receive the result of the process and send your system this information.
This is what Peach payments does on our platform, to ensure that customers' sensitive payment details are safe :
1. Card transactions
Neither our merchants nor Peach payments has access to full card / bank details, when transactions are processed via Peach systems card processing. All card transactions are initially processed via 3DSecure.
3DSecure requires the customer to authenticate these transactions, by entering a one time pin (OTP). This OTP is triggered directly to the customer via SMS / USSD / email depending on the customer's arrangement with their bank.
Neither a merchant / business / App / website nor Peach operations staff have access to this OTP ; therefore neither the merchant nor Peach can abuse the customer's card.
For saved cards (tokenisation for single-click and subscriptions), the customer opts to store their cards securely on our systems, so that they can seamlessly checkout on subsequent transactions without having to re-enter their card details. We tokenise and issue an ID, which represents the customer's card details. This ID is what is referenced for payments. This way, the actual card details do not touch your systems or ours. The details are stored in a PCI DSS Level 1 vault.
2. EFT transactions
Customers authorise all EFT payments on your website, where applicable, directly from their bank accounts. The customer would need to authorise this by entering their internet banking username and password as well as an OTP being sent to them to authorise the payment. Please note that this workflow all depends on the customer's configuration / agreement with the bank.
Again, neither a merchant / business / App / website nor Peach operations staff have access to the customers' username, password or OTP ; therefore neither can abuse the customer's card.
3. SSL certificate and secure servers
You would also need to ensure that your web servers, that host your platforms and interact with Peach systems, are secure. Please check with your technical department or development team on this.
This is implemented on your systems to ensure that all information entered on your site is encrypted and secure. Your website will have a secure lock HTTPS:// prefix in the web URL, if your site has an SSL certificate installed.