Paystack's security framework

Paystack integrates best standard practices to maintain a high level of security.

As a leading payment platform serving a diverse class of businesses, we are responsible for the payment elements our merchants have entrusted to us.

To this end, Paystack has ensured its systems conform to the highest and most stringent level of certification available in the payments industry. Paystack has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

We educate users, businesses and our customers on the subject of compliance, but there’s this excellent guide we think you should take a look at if you need additional information on the subject of compliance, how to think about it, and how Paystack can help.

Paystack is ISO 27001 certified across all countries of operation. ISO/IEC 27001:2022 is the international leading Standard for Information Security Management Systems (ISMS) and adopts a risk-based approach to information security through people, processes and technology.

Through our certification, we have demonstrated that we ensure the confidentiality, integrity and availability of information assets and the data held on them.

To ensure personal data is protected, and people’s right to privacy is guaranteed, Paystack’s privacy program is aligned to ISO/IEC 27701:2019. We’re also NDPR, NDPA, POPIA and PAIA compliant, as well as holding Data Controller and Data Processor licences in Kenya, and are registered with the Data Protection Commission in Ghana.

Paystack is aligned with the ISO/IEC 22301:2019, the international Standard in security and resilience, Business Continuity Management Systems. Paystack’s alignment with the standard enhances the Company’s ability to maintain essential functions during and after the occurrence of a disaster.

The Business Continuity Management System provides a structured approach to ensuring recoverability from varying criticality of incidents. Paystack’s Business Continuity Program is audited by an independent third party annually and deemed to contain the key components required for ISO 22301 alignment.

Paystack uses an in-house developed Vault application to encrypt, store and transmit cardholder data.

The Vault encrypts cardholder data using a 2048 RSA Key with 3DES 112-bit encryption before storing it in its database. This Paystack Vault hosts its database on Amazon Web Services (AWS) Relational Database Service (RDS) platform. AWS RDS uses the industry standard AES-256 encryption algorithm for encryption of all data-at-rest in the database.

By submitting a security bug or vulnerability to Paystack through HackerOne, you acknowledge that you’ve read and agreed to the programme's terms and conditions.

Please refer to our policy on HackerOne for more information on how to participate in our bug bounty programme.

We mandate the use of HTTPS for all services using TLS (SSL), including our public website and the Paystack Dashboard.

We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers only interact with Paystack over HTTPS. Paystack is also on the HSTS preloaded lists for all modern major browsers.

All server-to-sever communication is encrypted using mutual Transport Layer Security (mTLS). Paystack’s systems automatically block requests made using older, less secure versions of TLS, requiring the use of at least TLS 1.2.

Paystack’s Information Security Policy outlines the responsibility of employees, outsourced staff and vendors to ensure the security of Paystack’s network.

The policy provides guidance and direction on key information security themes from clear desk and clear screen and unattended user equipment to using removable media, passwords and participation in Security Awareness Training.

The purpose of our Information Security Policy is to outline the principles that lay the foundation for the security processes in place for Paystack’s data and technology infrastructure. All employees, contingent workers, vendors or any other first or third-party roles with access to information (both personal and corporate data) are subject to this policy.

Please feel free to reach out to us via email at support@paystack.com or via our contact form if you have any questions.