Security
Security is foundational, not optional
PerfectPay handles sensitive payment data for businesses across every industry. We take that responsibility seriously — with strong card-data controls, encryption everywhere, and a clear shared responsibility model so you know exactly what we secure and what you own.
How we protect your data
Enterprise-grade security infrastructure from day one.
Encryption Everywhere
TLS 1.3 in transit. AES-256 at rest. Card data tokenized and vaulted in PCI-compliant infrastructure. Raw card numbers never touch your servers.
PCI-Aligned Card Data Controls
Tokenization, encrypted vaulting, network isolation, and operational controls designed to support PCI-DSS v4 requirements for card data handling.
Monitoring & Alerting
Real-time transaction monitoring, anomaly detection, and automated alerting. Suspicious activity flagged instantly.
Infrastructure Security
Deployed on AWS with VPC isolation, security groups, WAF, and DDoS protection. All infrastructure defined as code with automated compliance checks.
Audit Trails
Every API call, every transaction, every configuration change logged with timestamps, user IDs, and IP addresses. 365-day retention for compliance.
Security is a partnership
PerfectPay secures the platform and infrastructure. You secure your integration and business processes. Agents participating in a transaction must stay within the scopes and controls granted to them. Here's exactly where the line is drawn.
Encrypt all payment data in transit (TLS 1.3) and at rest (AES-256). Tokenize card data in PCI-compliant vault. Manage encryption keys.
Never store raw card numbers in your own systems. Use PerfectPay tokens instead of handling card data directly.
Never persist raw card data. Use delegated credentials, tokens, or explicit checkout authorization flows provided by the customer or merchant.
Payment Data Encryption
Encrypt all payment data in transit (TLS 1.3) and at rest (AES-256). Tokenize card data in PCI-compliant vault. Manage encryption keys.
Never store raw card numbers in your own systems. Use PerfectPay tokens instead of handling card data directly.
Never persist raw card data. Use delegated credentials, tokens, or explicit checkout authorization flows provided by the customer or merchant.
Maintain PCI-aligned controls for card data handling, tokenization, encryption, and vault isolation. Provide tooling that helps reduce your PCI scope.
Complete your SAQ (Self-Assessment Questionnaire) for your reduced scope. Ensure your integration follows PCI guidelines.
Operate within merchant- and platform-approved checkout flows so card data exposure stays minimized and scoped correctly.
PCI-DSS Compliance
Maintain PCI-aligned controls for card data handling, tokenization, encryption, and vault isolation. Provide tooling that helps reduce your PCI scope.
Complete your SAQ (Self-Assessment Questionnaire) for your reduced scope. Ensure your integration follows PCI guidelines.
Operate within merchant- and platform-approved checkout flows so card data exposure stays minimized and scoped correctly.
Issue and manage API keys. Enforce key-based authentication on all endpoints. Rate limiting and abuse detection.
Keep API keys secret. Rotate keys regularly. Never expose keys in client-side code or public repositories.
Use only delegated credentials or scoped tokens issued for that agent and never attempt to reuse merchant secrets outside approved scope.
API Authentication
Issue and manage API keys. Enforce key-based authentication on all endpoints. Rate limiting and abuse detection.
Keep API keys secret. Rotate keys regularly. Never expose keys in client-side code or public repositories.
Use only delegated credentials or scoped tokens issued for that agent and never attempt to reuse merchant secrets outside approved scope.
Provide multi-factor authentication (MFA). Session management and timeout policies. Suspicious login detection.
Enable MFA for all team members. Use strong, unique passwords. Review account access regularly and remove departed employees.
Respect delegated account boundaries and require fresh approval or re-authentication when authority changes or expires.
Account Security
Provide multi-factor authentication (MFA). Session management and timeout policies. Suspicious login detection.
Enable MFA for all team members. Use strong, unique passwords. Review account access regularly and remove departed employees.
Respect delegated account boundaries and require fresh approval or re-authentication when authority changes or expires.
Provide fraud detection integrations (Riskified, Signifyd, Kount). Card testing protection. Velocity checks.
Configure fraud rules for your risk profile. Review flagged transactions. Respond to chargeback disputes promptly.
Submit transparent purchase context, honor merchant restrictions, and avoid behavior that looks like scraping, card testing, or unauthorized automation.
Fraud Prevention
Provide fraud detection integrations (Riskified, Signifyd, Kount). Card testing protection. Velocity checks.
Configure fraud rules for your risk profile. Review flagged transactions. Respond to chargeback disputes promptly.
Submit transparent purchase context, honor merchant restrictions, and avoid behavior that looks like scraping, card testing, or unauthorized automation.
Verify agent authorization credentials. Enforce spending scope limits. Log all agent-initiated transactions. Provide instant revocation.
Define appropriate spending scopes for agents you authorize. Monitor agent transaction logs. Revoke agent credentials when no longer needed.
Act only within delegated limits, preserve approval chains, and stop transacting immediately when scopes are revoked or challenged.
Agent Commerce Security
Verify agent authorization credentials. Enforce spending scope limits. Log all agent-initiated transactions. Provide instant revocation.
Define appropriate spending scopes for agents you authorize. Monitor agent transaction logs. Revoke agent credentials when no longer needed.
Act only within delegated limits, preserve approval chains, and stop transacting immediately when scopes are revoked or challenged.
Process data per our Privacy Policy. GDPR and CCPA compliance infrastructure. Data retention and deletion policies.
Obtain customer consent for data collection. Honor data deletion requests. Comply with privacy laws applicable to your business.
Use only the minimum data required to complete the task and avoid retaining personal data beyond the authorized transaction context.
Data Privacy
Process data per our Privacy Policy. GDPR and CCPA compliance infrastructure. Data retention and deletion policies.
Obtain customer consent for data collection. Honor data deletion requests. Comply with privacy laws applicable to your business.
Use only the minimum data required to complete the task and avoid retaining personal data beyond the authorized transaction context.
Maintain 99.99% uptime SLA. Redundant infrastructure. Automated failover. Real-time monitoring and incident response.
Implement webhook retry logic. Handle API timeouts gracefully. Monitor your integration health.
Handle retries safely, avoid duplicate submissions, and degrade gracefully when upstream services are unavailable.
Infrastructure & Uptime
Maintain 99.99% uptime SLA. Redundant infrastructure. Automated failover. Real-time monitoring and incident response.
Implement webhook retry logic. Handle API timeouts gracefully. Monitor your integration health.
Handle retries safely, avoid duplicate submissions, and degrade gracefully when upstream services are unavailable.
Sign all webhook payloads with HMAC. Provide signature verification libraries. Deliver over HTTPS only.
Verify webhook signatures before processing. Use HTTPS endpoints. Respond to webhooks within timeout window.
Do not trust webhook payloads without merchant or platform verification. Consume downstream events only through approved channels.
Webhook Security
Sign all webhook payloads with HMAC. Provide signature verification libraries. Deliver over HTTPS only.
Verify webhook signatures before processing. Use HTTPS endpoints. Respond to webhooks within timeout window.
Do not trust webhook payloads without merchant or platform verification. Consume downstream events only through approved channels.
Maintain security controls aligned to applicable payment and financial regulations. KYC/KYB verification infrastructure.
Comply with regulations specific to your industry and jurisdiction. Provide accurate business information during onboarding.
Operate within allowed jurisdictions, merchant rules, and human-approved mandates so automated transactions do not exceed legal or policy boundaries.
Regulatory Compliance
Maintain security controls aligned to applicable payment and financial regulations. KYC/KYB verification infrastructure.
Comply with regulations specific to your industry and jurisdiction. Provide accurate business information during onboarding.
Operate within allowed jurisdictions, merchant rules, and human-approved mandates so automated transactions do not exceed legal or policy boundaries.
Report a security vulnerability
If you discover a security vulnerability in PerfectPay, please report it responsibly. We take every report seriously and will respond within 24 hours.
[email protected]Stop overpaying.
Start settling instantly.
Join the merchants, platforms, and developers switching to smarter payments infrastructure.