Welcome to the world of online commerce! At Peach Payments, our primary goal is to help you grow your business by making it easy and safe to accept payments online. We understand that in the digital landscape, the security of your transactions and the trust of your customers are paramount.


Navigating the complexities of online risk and fraud can seem daunting, but you're not alone. We've built our platform on a foundation of robust security, employing advanced, multi-layered fraud detection systems and a dedicated risk team to protect you around the clock.


We believe that the strongest defence is a partnership. To empower you with the knowledge you need, we've compiled this list of frequently asked questions. This guide will help you understand the risks, learn about the tools we use to protect you, and discover the best practices you can implement to keep your business and your customers safe.


Let's dive in.


1. Why has my Peach Payments account been suspended?

Receiving a notification about an account suspension can be concerning, and we aim for complete clarity. Account security is a top priority, and we take swift action to protect you. An account is typically suspended for one of two key reasons:

  • Suspicious Fraudulent Activity: Our automated risk-monitoring systems or a manual review by our team has flagged transaction patterns that indicate potential fraud.
  • A Request from a Partner Bank: We may be instructed to suspend an account by one of our acquiring bank partners for various compliance or security reasons.

In all suspension cases, you will be notified immediately by email. This communication will provide more details on the issue and outline the necessary next steps. Please check the inbox associated with your account or contact our support team for assistance.


2. Can I get automatic email notifications for potentially fraudulent transactions?

While Peach Payments does not send a direct email for every transaction flagged by our risk system, we provide you with the real-time data needed to build your own custom alerts. This gives you complete flexibility.

How It Works:

  1. Our advanced fraud engine runs over 100 checks on every transaction.
  2. If a transaction is deemed risky, it is either declined or accepted but flagged for manual review (e.g., with result code 000.400.000).
  3. In either case, our system instantly sends this specific result code back to your website or application via the API response.

Your developer can configure your system to "listen" for these codes and trigger any action you want—such as sending a custom email alert to your administrator or adding the order to a special review queue.
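One way a developer might act on the manual-review result code described above, as an added example rather than Peach Payments' own code. The response layout (`id`, `result.code`), the order ids, the `999.999.999` placeholder code and the in-memory queue are assumptions for illustration; only the code 000.400.000 comes from this page.

```python
import json
import re

# Result code this page gives for "accepted but flagged for manual review".
REVIEW_CODES = {"000.400.000"}
# Assumed shape of a result code: three dot-separated groups of three digits.
CODE_SHAPE = re.compile(r"\d{3}\.\d{3}\.\d{3}")

class ReviewQueue:
    """In-memory stand-in for an order review queue plus admin alerting."""

    def __init__(self):
        self.held = {}      # transaction id -> order id awaiting manual review
        self.alerts = []    # alert texts that would be emailed to the admin

    def handle_response(self, order_id, raw_body):
        """Return 'hold', 'proceed' or 'invalid' for one payment API response."""
        try:
            body = json.loads(raw_body)
            txn_id = str(body["id"])
            code = str(body["result"]["code"])
        except (ValueError, KeyError, TypeError):
            return "invalid"            # malformed response: never fulfil on it
        if not CODE_SHAPE.fullmatch(code):
            return "invalid"
        if code not in REVIEW_CODES:
            return "proceed"            # approved or declined: normal order flow
        if txn_id not in self.held:     # same response seen twice: alert once
            self.held[txn_id] = order_id
            self.alerts.append(
                f"Order {order_id}: transaction {txn_id} returned {code}; "
                "hold fulfilment until it has been reviewed"
            )
        return "hold"

# Constructed sample responses (not captured from a real account).
SAMPLE_FLAGGED = '{"id": "txn-0001", "result": {"code": "000.400.000"}}'
SAMPLE_OTHER = '{"id": "txn-0002", "result": {"code": "999.999.999"}}'

if __name__ == "__main__":
    queue = ReviewQueue()
    for order, raw in [("A-17", SAMPLE_FLAGGED), ("A-17", SAMPLE_FLAGGED), ("A-18", SAMPLE_OTHER)]:
        print(order, queue.handle_response(order, raw))
    print(queue.alerts)
```

Holding the order rather than only sending an email keeps a flagged transaction from being shipped before someone has reviewed it.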


3. What should I do if a transaction in "manual review" is actually fraudulent?

If you've investigated a transaction that was flagged for "manual review" and have confirmed it is fraudulent, you must act immediately to prevent financial loss.

Follow these two critical steps before the transaction is settled (cleared) by the bank:

  1. DO NOT ship the goods or provide the service. This is the most crucial first step.
  2. Reverse/Refund the transaction in your dashboard. This ensures the funds are returned. To do this, find the transaction and in the Action Tab, click the "Reverse" or "Refund" button.

4. Is 3D Secure optional for merchants in South Africa?

No. In South Africa, 3D Secure (3DS) is not optional—it is mandatory for all eCommerce transactions.

This requirement is enforced by the Payments Association of South Africa (PASA) to provide a crucial layer of security. It helps protect both merchants from fraudulent chargebacks and customers from unauthorized use of their cards.


5. What is the difference between a "3D Secure: Attempted" and a "3D Secure: Success" status?

This status tells you whether the customer's card was enrolled in 3D Secure.

  • 3D Secure: Success: The customer's card is enrolled in 3D Secure, and they successfully authenticated the transaction (e.g., by entering a one-time password). This provides you with the strongest liability protection against fraud disputes.
  • 3D Secure: Attempted: The customer's card is not enrolled in 3D Secure by their bank, but our system still applied the check as required in South Africa. The transaction may still be approved based on other risk factors, but it carries a higher risk of fraud.

For advanced reporting, this information is available via an "ECI flag" value. Please contact our support team if you need detailed information on specific transactions.


6. Why is the 3D Secure (OTP) page not always responsive or getting cut off on mobile devices?

This is an excellent question. While our payment widget is fully responsive, the 3D Secure page itself—where your customer enters their One-Time Password (OTP)—is actually hosted and controlled by the customer's own bank (the issuing bank).

For security purposes, this authentication step is a direct communication channel between the cardholder and their bank. Each bank designs and maintains its own 3D Secure page, and unfortunately, some of these pages are not yet fully optimized for all mobile screen sizes.

In short: We securely display the page that the customer's bank provides to us. The design and responsiveness of that specific page are not within our control. We simply receive the final success or failure result from the bank once the customer completes the step.


7. If you don't control the page, why is it displayed inside the payment widget?

We keep the bank's 3D Secure page displayed within our widget to create a smoother, more trustworthy checkout experience for your customers.

The alternative would be a full-page redirect away from your website to the bank's page, which can be jarring and may cause customers to feel they are leaving your store, leading to abandoned carts.

By displaying it within an integrated frame, we keep the user journey contained and seamless, while still ensuring the authentication process remains 100% secure and PCI compliant, as all sensitive steps are handled within our environment.



8. Why do my foreign customers' transactions often fail? Is it because of 3D Secure?

This is a common issue. Because 3D Secure is mandatory in South Africa, our system must apply it to every transaction. However, many international cards, especially from the US, are not enrolled in 3D Secure by their issuing bank.


By default, a foreign card that is not enrolled in 3D Secure will be declined to protect you from high-risk, non-authenticated transactions.


While it may be possible to change this setting in exceptional circumstances, we strongly advise against it. Allowing these transactions removes your chargeback protection, meaning you would be liable for any fraudulent disputes. If you have a special business case for this, please discuss it with your Account Manager.


9. Is anything being done to improve transaction success rates for foreign cards?

Yes. We are progressively rolling out 3D Secure 2 (3DS2), the next generation of this technology.

3DS2 is a more advanced and intelligent version of 3D Secure. It uses more data to assess risk behind the scenes, often allowing legitimate customers to check out without any extra steps (this is called a "frictionless flow"). This new standard is designed to improve security while significantly boosting conversion rates for both local and international shoppers.


10. How can I pay out funds to a bank account in South Africa?

While some payment workflows like direct Card Deposits (CD) are not available in South Africa for compliance reasons, we provide a robust Payouts system specifically for this purpose.

This system allows you to securely transfer funds to South African bank accounts. You have two main options:

  1. Manual Upload: Upload a CSV file containing payment details directly in your Peach Payments dashboard.
  2. API Integration: Automate your payout process by integrating directly with our Payouts API.


For further information about Payouts, please contact your Account Manager or our support team.


11. What does "DR" refer to in my transaction list?

DR stands for a Deregistration transaction.

This is the technical term for deleting a customer's stored card details (a token) from our secure systems. You would use this function when a customer wants to remove their saved card from your website or app, for example, to add new card details.


12. What are some red flags I should look for in an order before I ship it?

  • Mismatched billing and shipping addresses (especially in different countries).
  • Unusually large or high-quantity orders for a first-time customer.
  • Multiple orders to the same address using different cards.
  • Requests for urgent or overnight shipping on high-value items.
  • Use of suspicious or nonsensical email addresses.

13. Can I set custom risk rules for my account?

Yes. Beyond the comprehensive security that comes standard with every Peach Payments account, we offer a suite of advanced, customizable risk checks for merchants who require a more tailored security strategy.


How It Works

Our platform allows for an additional layer of protection by activating specific rules that are suited to your unique business needs. These rules can include a wide range of checks, such as:

  • Velocity Checks: Limiting the number of transactions attempted by a single customer or from a single IP address within a certain timeframe. This is highly effective against automated "card testing" attacks.
  • Plausibility Checks: Flagging or blocking transactions that don't seem logical, for example, where the customer's IP address is in a different country from the billing address.
  • Allowlisting and Blocklisting: Allowing or blocking specific transactions based on criteria such as the card country, card issuer or IP address country.
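The velocity and plausibility checks listed above can be sketched as follows. This is an added example, not Peach Payments' rule engine; the 10-minute window, the limit of 3 attempts, the field names and the sample attempts are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed timeframe: 10 minutes
MAX_ATTEMPTS = 3       # assumed limit per customer or per IP within the window

class RiskRules:
    """Sliding-window velocity check plus an IP/billing-country plausibility check."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)   # ("ip" | "customer", value) -> timestamps

    def _over_limit(self, key, ts):
        times = self.seen[key]
        while times and times[0] <= ts - self.window:
            times.popleft()              # forget attempts older than the window
        times.append(ts)                 # flagged attempts still count
        return len(times) > self.limit

    def evaluate(self, att):
        """Return the rules this attempt trips (empty list means none)."""
        reasons = []
        for field in ("ip", "customer"):
            if self._over_limit((field, att[field]), att["ts"]):
                reasons.append(f"velocity:{field}")
        if att["ip_country"] != att["billing_country"]:
            reasons.append("plausibility:country_mismatch")
        return reasons

def make_attempt(ts, ip, customer, ip_country="ZA", billing_country="ZA"):
    return {"ts": ts, "ip": ip, "customer": customer,
            "ip_country": ip_country, "billing_country": billing_country}

# Constructed attempts in time order: one IP (documentation range) trying a new
# customer every 20 seconds, then a regular shopper, then a country mismatch.
SAMPLE = [make_attempt(20 * i, "203.0.113.7", f"cust-{i}") for i in range(5)]
SAMPLE.append(make_attempt(100, "198.51.100.4", "cust-regular"))
SAMPLE.append(make_attempt(120, "198.51.100.9", "cust-travel", ip_country="GB"))

def run(attempts):
    rules = RiskRules()
    return [rules.evaluate(a) for a in attempts]

if __name__ == "__main__":
    for a, verdict in zip(SAMPLE, run(SAMPLE)):
        print(a["ts"], a["ip"], a["customer"], verdict or "ok")
```

Keying the counter on the IP address as well as the customer is what catches the card-testing pattern here, because each attempt in the burst uses a different customer identity.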


Pricing for Advanced Risk Settings

These advanced security features are priced using a transparent system we call Risk Points. Each specific check (like a velocity check) is assigned a point value based on its complexity and power. The cost for your custom setup is then calculated based on the total Risk Points of the rules you choose to activate. This flexible approach allows you to build a sophisticated security package that fits both your risk appetite and your budget.


How to Get Started

If you are interested in adding a customized layer of security to your account, please get in touch with your Account Manager or our support team. They will be happy to discuss your business needs and recommend the most effective risk settings for you.



14. What is a CVV check and why do transactions fail it?

A CVV (Card Verification Value) is the 3- or 4-digit security code on a credit card used to verify that the customer has the physical card in their possession during an online purchase.


A transaction fails this check for two simple reasons: the customer has entered the code incorrectly, or a fraudster is attempting to use stolen card details without having the actual card.


Because a failed CVV check is a strong indicator of potential fraud, the bank automatically declines the transaction. This protects you from fraudulent payments and future chargebacks.



15. How does Peach Payments help me stay compliant with the POPI Act?

Staying compliant with the Protection of Personal Information Act (POPIA) is a critical responsibility for every South African business. Peach Payments is designed from the ground up to help you meet your POPIA obligations by removing the significant burden of handling sensitive card data.


Our approach is built on two globally-recognised security standards: PCI-DSS Level 1 Compliance and Tokenization.


1. PCI-DSS Level 1 Compliance

Peach Payments is certified as PCI-DSS Level 1 compliant. This is the highest and most stringent level of certification in the global payments industry. It means our systems, processes, and infrastructure are rigorously audited to ensure we protect sensitive card data at all times, in line with the strict security requirements mandated by the Act.


2. Tokenization

The main way we protect you and simplify your compliance is through a process called tokenization. Here’s how it works:

  • When your customer enters their card details on your checkout page, that sensitive information is sent directly to our secure, PCI-compliant environment.
  • We then replace the full card number with a unique, non-sensitive identifier called a token.
  • This token is what is safely stored in your system for processing payments, including for recurring billing or one-click checkouts.


The Benefit for You

By using tokenization, your systems never need to handle or store your customers' full, sensitive card numbers. This dramatically reduces your POPIA compliance scope and risk. You are outsourcing the most complex part of data security to us. In short, we handle the intricate security and compliance of your customers' payment data, allowing you to focus on your business, confident that your payment processing is aligned with POPIA's core principles of data protection.



16. How can I be sure that my card details are safe with Peach Payments?

eCommerce security is the responsibility of all parties involved in processing a transaction. This article gives you some clarity on the card payment security measures taken by:


1. A merchant (website or app),

2. Peach Payments (Payment Service Provider or Payment gateway)


Merchant (website / app)

Here is what to look out for in your browser to be comfortable that your card and user information is safe on a website. This is always the responsibility of the merchant (the website owner, business or service you are paying).


A. SSL Certificate
This makes sure that the information transmitted from your browser to the website is encrypted and secured when being sent over the internet. An eCommerce merchant would install this on their platform (website / app) to help ensure the security of your information.

How to see if a website / app has an SSL security certificate installed:
- HTTPS:// rather than HTTP:// at the beginning of the website link / address
- Padlock icon at the beginning of the URL


B. 3D Secure processing
This makes sure that your bank asks you to verify a transaction by sending you a One Time Pin (OTP) when you enter your card details and confirm payment for an order or service.

This 3D Secure process is how your bank (the issuing bank, e.g. ABSA, FNB, Nedbank, Standard Bank) lets the website know that you are the owner of the card or account.


C. Protection of Personal Information (POPI)
More information on how merchants protect your personal information is available here.


Peach Payments processes transactions according to agreements with our acquiring partners, card schemes, Payment Card Industry Data Security Standards (PCI-DSS), the Payments Association of South Africa and other third parties in the processing chain (more detail on this is provided in the contract with our merchants). Please contact your merchant (website or app) for more information on how they implement Peach Payments services and products on their web or mobile platform.


Read more information on efforts Peach Payments takes to make sure your transactions are safe on our merchants' website / app:

  1. PCI compliance
  2. Data protection
  3. 3D Secure
  4. Fraud and Risk management