How Paystack Secures Your Personal Data


Paystack integrates industry best practices to maintain a high level of security. Below are some of the ways in which we demonstrate our commitment to securing your data, whether in relation to our products or the services we render.

General Security

PCI Compliance

As a leading payments platform serving a diverse class of businesses, we have a responsibility with the payment elements our merchants have entrusted to us. To this end, Paystack has been audited by an independent PCI Qualified Security Assessor (QSA) and we're PCI DSS 3.2 compliant as a Level 1 Service Provider (loosely referred to as PCI Level 1 compliance). This is the highest, most stringent level of certification possible in the global payments industry.

Information Security and Data Protection

Paystack has obtained the ISO 27001:2022 and ISO 27701:2019 certifications, which are globally recognized standards for Information Security Management System (ISMS), and Privacy Information Management System (PIMS) respectively. This shows our commitment to safeguarding your personal and payment data. As an ISO 27001 and 27701 certified organization, we ensure that our systems, processes, and controls are robust and resilient against potential threats. We also adhere to the highest standards of data privacy, ensuring that your information is secure and managed responsibly.

We’re also compliant with requirements under the relevant data protection laws across our markets including the NDP Act, GAID, POPIA, PAIA, DPA Kenya, DPA Ghana, and

Business Continuity Compliance

Paystack is aligned with ISO/IEC 22301:2019, the international standard for security and resilience (business continuity management systems). Paystack’s alignment with the standard enhances the Company’s ability to maintain essential functions during and after the occurrence of a disaster.

The Business Continuity Management System provides a structured approach to ensuring recoverability from varying criticality of incidents. Paystack’s Business Continuity Program is audited by an independent third party on an annual basis, and deemed to contain the key components required for ISO 22301 alignment.

Robust Information Security Practices

Paystack’s Information Security Policy outlines the responsibility of employees, outsourced staff and vendors towards ensuring the security of Paystack’s network. The policy provides guidance and direction on key information security themes, from clear desk and clear screen and unattended user equipment to the use of removable media, passwords, and participation in Security Awareness Training. The purpose of our Information Security Policy is to outline the principles that lay the foundation for the security processes in place for Paystack’s data and technology infrastructure. All employees, contingent workers, and vendors, or any other first- or third-party roles with access to information (both personal and corporate data), are subject to this policy.

How Paystack thinks about product security

Sensitive data and communication encryption

Paystack uses an in-house developed Vault application to encrypt, store and transmit cardholder data. The Vault encrypts cardholder data using a 2048-bit RSA key with 3DES 112-bit encryption before storing it in its database. The Vault hosts its database on Amazon Web Services' (AWS) Relational Database Service (RDS) platform. AWS RDS uses the industry-standard AES-256 encryption algorithm for encryption of all data at rest in the database.

Vulnerability disclosure and reward program

By submitting a security bug or vulnerability to Paystack through HackerOne, you acknowledge that you’ve read and agreed to the programme's terms and conditions. Please refer to our policy on HackerOne for more information on how to participate in our bug bounty programme.

HTTPS and HSTS for secure connections

We mandate the use of HTTPS for all services using TLS (SSL), including our public website and the Paystack Dashboard. We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers only interact with Paystack over HTTPS. Paystack is also on the HSTS preloaded lists for all modern major browsers.

All server-to-server communication is encrypted using mutual Transport Layer Security (mTLS). Paystack’s systems automatically block requests made using older, less secure versions of TLS, requiring the use of at least TLS 1.2.
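The two controls above, an HSTS policy strong enough for browser preload lists and a TLS endpoint that refuses anything below TLS 1.2 while requiring a client certificate, can be checked and expressed in a few lines. This is an added example, not Paystack's own code; the header values are constructed samples, and the certificate and CA paths a real deployment would load are left out because they are deployment specific.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed sample Strict-Transport-Security values (not captured from any live server).
PRELOAD_READY = "max-age=63072000; includeSubDomains; preload"
TOO_SHORT = "max-age=300; includeSubDomains"

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797). Returns None when the header is
    unusable: no max-age directive, or a max-age that is not a number."""
    policy = HstsPolicy(max_age=-1)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        value = value.strip().strip('"')      # max-age may be given as a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # browsers ignore unknown directives, so they are ignored here as well
    return policy if policy.max_age >= 0 else None


def preload_eligible(header: str) -> bool:
    """True when the header meets the hstspreload.org requirements:
    max-age of at least one year plus the includeSubDomains and preload directives."""
    p = parse_hsts(header)
    return p is not None and p.max_age >= ONE_YEAR and p.include_subdomains and p.preload


def server_tls_context(require_client_cert: bool = True) -> ssl.SSLContext:
    """Server-side context that rejects TLS 1.0/1.1 handshakes and, for mTLS,
    refuses peers that present no certificate. A deployment would additionally call
    load_cert_chain() and load_verify_locations() with its own (unspecified) paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # older protocol versions fail the handshake
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED        # mutual TLS: client must authenticate too
    return ctx
```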

In addition to the above, after strict regulatory approval processes, Paystack holds the following licenses and is listed in the databases below:

Please feel free to reach out to us via email at support@paystack.com or via our contact form if you have any questions. 
