Security at Paystack
Paystack is a PCI-certified, auditor certified, PCI Service Provider Level 3. All connections to our services are forced to happen over HTTPS using TLS 1.2 (SSL). We use HSTS to ensure browsers interact with Paystack only over HTTPS.
Card details are encrypted using AES-256 GCM while the decryption keys are stored on a separate machine. As such, cards are not stored as plain numbers but securely hidden even from Paystack personnel and systems. The only actions our systems can take is to request that card details be sent to a service provider.
Paystack has developed an internal decision support system that uses intelligent rules to determine the risk factor of a transaction or customer and blocking payment from being made if it does not pass the necessary checks. This decision is based on a combination of multiple factors such as geolocation, IP addresses, purchase and behaviour history, and so on.
Merchants on our platform have also been equipped with a dashboard that allow them to whitelist or blacklist customers that have been fraudulent, which further helps our general system to learn and prevent such behavior. Our Fraud & Dispute Team is constantly at work developing processes for identifying fraud patterns to improve our Fraud Prevention system.