PCI Compliance

Payfast is a PCI DSS Level 1 payment service provider. Using Payfast ensures card data is processed in a secure, audited environment. Merchants remain responsible for meeting their own PCI obligations appropriate to their integration and business.

PCI Compliance (with Payfast)

Because Payfast captures and processes card data on its own PCI DSS Level 1 infrastructure, a merchant that integrates via redirect or the Onsite overlay never stores, processes, or transmits cardholder data on its own systems. That keeps your PCI scope small (typically a short self-assessment rather than a full audit) and lets you focus on running the business rather than on securing card-data storage.

What PCI DSS means

  • PCI DSS is the global security standard for anyone who stores, processes, or transmits cardholder data.
  • Your precise scope depends on whether card data ever touches your systems and the integration pattern you use.
  • When card data is captured and processed by a vetted provider like Payfast (e.g., redirect or Payfast’s onsite overlay), your scope is typically reduced, but not eliminated—confirm requirements with your acquirer.

Your responsibilities

  1. Don’t handle card data on your servers or in the browser beyond Payfast’s secure fields/overlay.
  2. Use HTTPS on all pages involved in checkout, especially return_url, cancel_url, and notify_url (ITN).
  3. Validate every ITN server-side before fulfilling: recompute and compare the Payfast signature (MD5 over the received fields in order, with your passphrase appended), confirm the request came from a Payfast source IP, check that merchant_id, m_payment_id and amount_gross match the order you stored, confirm payment_status is COMPLETE, and reject a pf_payment_id you have already processed (replay).
  4. Keep secrets safe: never expose merchant key/passphrase in front-end code; generate signatures server-side.
  5. Complete the correct PCI validation (SAQ, etc.) with your acquirer based on your setup (redirect vs. onsite, hosting, etc.).
  6. Monitor & maintain: patch servers, restrict access, rotate keys, and log/alert on suspicious activity.
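The following is an added example of the ITN checks in steps 3 and 4, written for this page; it is not Payfast's own code or SDK. It assumes a passphrase set in the merchant dashboard, an example merchant id, a constructed ITN message (not a captured one), and a trusted-IP set supplied by the caller; the hostname list is the one Payfast's ITN documentation gives for notification sources and should be confirmed against the current docs. The same MD5-over-URL-encoded-fields scheme is what you use to sign the checkout form, which is why the signature routine lives on the server and the passphrase never reaches the browser.

```python
"""Server-side Payfast ITN validation (added example, not Payfast's own code)."""
import hashlib
import hmac
import socket
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, quote_plus

# Assumptions for this example: a sandbox-style merchant id and a passphrase
# of the kind you set in the Payfast dashboard. Neither is real.
EXPECTED_MERCHANT_ID = "10000100"
PASSPHRASE = "example-passphrase"

# Hostnames Payfast's ITN documentation lists as notification sources
# (check the current docs before relying on this list).
PAYFAST_HOSTS = ("www.payfast.co.za", "sandbox.payfast.co.za",
                 "w1w.payfast.co.za", "w2w.payfast.co.za")


def resolve_trusted_ips(hosts=PAYFAST_HOSTS):
    """Resolve the Payfast hostnames to an IP allowlist (needs DNS; call at startup)."""
    ips = set()
    for host in hosts:
        ips.update(socket.gethostbyname_ex(host)[2])
    return ips


def payfast_signature(fields, passphrase=None):
    """MD5 over the URL-encoded fields in the order received, excluding
    'signature', with '&passphrase=...' appended when a passphrase is set.
    Encoding mirrors PHP urlencode: spaces become '+', nothing else is left safe."""
    parts = [f"{k}={quote_plus(str(v), safe='')}" for k, v in fields if k != "signature"]
    if passphrase:
        parts.append(f"passphrase={quote_plus(passphrase, safe='')}")
    return hashlib.md5("&".join(parts).encode("utf-8")).hexdigest()


def verify_itn(raw_body, remote_ip, order, trusted_ips, passphrase=None, seen_pf_ids=()):
    """Return a list of problems; an empty list means the ITN may be trusted.
    `order` is your stored record: merchant_id, m_payment_id and amount (as a string)."""
    fields = parse_qsl(raw_body, keep_blank_values=True)  # preserves Payfast's field order
    data = dict(fields)
    problems = []

    if remote_ip not in trusted_ips:
        problems.append("source IP not in Payfast allowlist")

    expected = payfast_signature(fields, passphrase)
    received = data.get("signature", "")
    if not hmac.compare_digest(expected.encode(), received.encode()):  # constant-time
        problems.append("signature mismatch")

    if data.get("merchant_id") != order["merchant_id"]:
        problems.append("merchant_id mismatch")
    if data.get("m_payment_id") != order["m_payment_id"]:
        problems.append("m_payment_id mismatch")

    try:
        gross = Decimal(data.get("amount_gross", ""))
    except InvalidOperation:
        gross = None
    # Decimal, not float: a 0.01 tolerance is the usual allowance for rounding.
    if gross is None or abs(gross - Decimal(order["amount"])) > Decimal("0.01"):
        problems.append("amount_gross does not match order")

    if data.get("payment_status") != "COMPLETE":
        problems.append("payment_status is not COMPLETE")
    if data.get("pf_payment_id") in seen_pf_ids:
        problems.append("duplicate pf_payment_id (possible replay)")
    return problems


def build_sample_itn(passphrase=PASSPHRASE, amount_gross="199.00"):
    """Constructed ITN body (not a captured Payfast message), signed the way Payfast signs."""
    fields = [
        ("m_payment_id", "ORD-1001"),
        ("pf_payment_id", "1089250"),
        ("payment_status", "COMPLETE"),
        ("item_name", "Test Product"),
        ("amount_gross", amount_gross),
        ("amount_fee", "-4.58"),
        ("amount_net", "194.42"),
        ("merchant_id", EXPECTED_MERCHANT_ID),
    ]
    fields.append(("signature", payfast_signature(fields, passphrase)))
    return "&".join(f"{k}={quote_plus(v, safe='')}" for k, v in fields)


# Your stored order that the ITN must match (constructed for the example).
SAMPLE_ORDER = {"merchant_id": EXPECTED_MERCHANT_ID, "m_payment_id": "ORD-1001", "amount": "199.00"}

if __name__ == "__main__":
    allow = {"203.0.113.10"}  # documentation-range IP standing in for resolve_trusted_ips()
    print(verify_itn(build_sample_itn(), "203.0.113.10", SAMPLE_ORDER, allow, PASSPHRASE))
    tampered = build_sample_itn().replace("amount_gross=199.00", "amount_gross=1.00")
    print(verify_itn(tampered, "203.0.113.10", SAMPLE_ORDER, allow, PASSPHRASE))
```

In production, add the check this example leaves out for want of a network: POST the received fields back to Payfast's documented validation endpoint and require a VALID reply, so a forged message that somehow passed the local checks is still rejected. Persist every pf_payment_id you fulfil so the replay check survives restarts, and mark the order paid only after all checks pass; an ITN that fails any of them should be logged and alerted on, never silently dropped.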

Certificates & references

  • Payfast PCI DSS Level 1 certificate (official): see the PCI page and compliance documents.
  • About PCI DSS (PCI SSC Quick Reference Guide) for merchants and service providers.

Note: Payfast’s Onsite keeps buyers on your site with a Payfast-hosted overlay/script; ensure your implementation does not intercept or store card data anywhere in your stack. Consult your acquirer for the exact SAQ and controls for your business.

For more details on PCI compliance, check out our blog post or the PCI Security Standards best practices. You can also use the PCI self-assessment questionnaire if needed.