This article gives some info on how to be sure that your customers' sensitive details are secure on peach payments platforms.
Our systems do not process a transaction if it is not authenticated by the customer. There are special workflows, eg. subscription, stored card payments, where authentication was done once at sign-up. The process to authenticate is a direct communication between the bank or issuing authority and their customer.
Neither you, as a merchant using our platforms, nor peach team have visibility on the actual interaction between the bank and customer (for security reasons). We receive the result of the process and send your system this information.
This is what peach payments does on our platform, to ensure that customers' sensitive payment details are safe :
1. Card transactions
Neither our merchants nor peach payments' team has access to full card / bank details, when transactions are processed via peach systems card processing. All card transactions are typically initially processed via 3D-Secure, at least once to validate and make sure that the actual card holder, as registered with the issuing bank, is making the transaction.
How does 3D-Secure authenticate the customer ?
3D-Secure requires the customer to authenticate these transactions, by entering a one time pin (OTP). This OTP is triggered directly to the customer via SMS / USSD / email depending on the customer's arrangement with their bank.
Neither a merchant / business / App / website nor peach operations staff have access to this OTP ; therefore neither the merchant nor peach can abuse the customer's card authentication.
For saved cards (tokenisation for single-click and subscriptions), the customer opts to store their cards securely on our systems, so that they can seamlessly checkout on subsequent transactions without having to re-enter their card details. We tokenise and issue an ID, which represents the customer's card details. This ID is what is referenced for payments. This way, the actual card details do not touch your systems or ours. The details are stored in a PCI DSS Level 1 vault.
2. EFT transactions
Customers make EFT payments on your website, where applicable, directly from their bank accounts, by pushing a payment to your business bank account. The customer would need to authorise this by entering their internet banking username and password in a secure browser environment. An OTP being sent to them to authorise the payment. Please note that this workflow all depends on the customer's configuration / agreement with the bank.
Neither a merchant / business / App / website nor peach operations team have access to the customers' username, password or OTP ; therefore neither can abuse the customer's account.
Some Instant EFT providers also ensure that they are PCI DSS compliant. This means that they subject their Instant EFT solutions to the highest standards of payments processing compliance. This is to ensure that it is as secure as possible for a customer to enter their banking username and password in their browser to make an EFT payment.
3. SSL certificate and secure servers
As a merchant, you would also need to ensure that your web servers, that host your platforms and interact with peach systems, are secure. Please check with your technical department or development team on this.
This is implemented on your server to ensure that all information entered on your site is encrypted and secure, while being sent across the internet. Your website will have a secure lock HTTPS:// prefix in the web URL, if your site has an SSL certificate installed properly.