
Is Pay@ Gateway safe? How is my data protected?


Quick answer #

Yes. Pay@ Gateway is validated at PCI DSS Level 1, the tier with the strictest validation requirements for payment processors, and operates under South African Reserve Bank (SARB) and Payments Association of South Africa (PASA) compliance frameworks. Card data is encrypted in transit and in storage, the merchant you bought from never receives or stores your full card number, and your personal data is handled in line with POPIA (the Protection of Personal Information Act).


The certifications that matter #

Pay@ Gateway holds the security certifications that the global payment industry requires:

  • PCI DSS Level 1 — the top tier of the PCI DSS validation levels. Every level applies the same security standard; what sets Level 1 apart is that compliance must be validated by an annual on-site assessment from an external Qualified Security Assessor rather than a self-assessment questionnaire. It is the level the card brands require of the largest merchants and of payment processors that handle card data on others' behalf.
  • SARB and PASA compliance — Pay@ operates as a payment service provider registered with South Africa’s central bank and payments association.
  • POPIA compliance — South African data protection law. We follow it on every transaction.

Pay@ has been processing payments in South Africa since 2007 — 19 years of clean operational history with the major SA banks.

What “card data isn’t stored” means #

When you enter your card number at a Pay@-powered checkout, three things happen:

  1. Your card details go directly to Pay@’s secure systems — they don’t pass through the merchant’s website or get stored on their servers.
  2. Your card number is converted to a token — a unique reference that represents your card without containing the actual number. The token is what the merchant sees and stores.
  3. Your full card number is encrypted and stored only in Pay@’s vaults — protected by the same encryption standards used by banks themselves.

This means that even if a merchant’s website is breached, your card number isn’t exposed. An attacker would only find tokens, and a token can be turned back into a card number only inside Pay@’s own systems, never from the merchant’s side.
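To make the three steps concrete, here is a toy token vault in Python. It is an added illustration, not Pay@’s code: the class and function names (TokenVault, issue_token, charge, checkout, exposes_card_number), the token format, the per-merchant scoping of tokens and the sample data are assumptions for the example, and it keeps card numbers in memory in plaintext where a real vault would encrypt them at rest. It shows why a random token, unlike a hash of the card number, tells an attacker who steals the merchant’s database nothing.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: the basic sanity check every card number must pass."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Processor side (assumed design, not Pay@'s implementation).
    Only the vault can map a token back to a card number, and tokens are
    scoped to one merchant, so a token leaked from one shop resolves nowhere
    else. A real vault encrypts the stored numbers at rest; this toy does not."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_key: dict = field(default_factory=dict)

    def issue_token(self, merchant_id: str, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        key = (merchant_id, pan)
        if key in self._token_by_key:  # returning card at the same merchant
            return self._token_by_key[key]
        # Random, not derived from the card number: a hash of a PAN could be
        # brute-forced from the issuer prefix and the Luhn rule, whereas a
        # random token cannot be reversed without this table.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        self._token_by_key[key] = token
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Processor-side step: resolve the token to the card number so the
        transaction can go to the issuer. This path is never exposed to merchants."""
        pan = self._pan_by_token.get(token)
        if pan is None or self._token_by_key.get((merchant_id, pan)) != token:
            raise KeyError("unknown token for this merchant")
        return {"pan_last4": pan[-4:], "amount_cents": amount_cents,
                "status": "sent_to_issuer"}


def checkout(vault: TokenVault, merchant_id: str, pan: str, name: str,
             email: str, amount_cents: int, reference: str) -> dict:
    """What the merchant's database holds after checkout: the fields this page
    lists plus the token, never the card number itself."""
    token = vault.issue_token(merchant_id, pan)
    return {"name": name, "email": email, "amount_cents": amount_cents,
            "reference": reference, "card_token": token}


def exposes_card_number(merchant_db: list, pan: str) -> bool:
    """Breach simulation: does anything in the merchant's records contain the PAN?"""
    return any(pan in str(value) for row in merchant_db for value in row.values())


if __name__ == "__main__":
    # Constructed sample data; 4111111111111111 is the well-known Visa test number.
    vault = TokenVault()
    record = checkout(vault, "shop-a", "4111111111111111", "A Customer",
                      "customer@example.com", 19900, "ORD-1")
    print(record)
    print("merchant database exposes card number:",
          exposes_card_number([record], "4111111111111111"))
    print(vault.charge("shop-a", record["card_token"], 19900))
```

The `charge` check rejects a token presented by a different merchant, which is the behaviour that makes a stolen token worthless to anyone but the merchant it was issued to and the vault itself.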

What data Pay@ shares with the merchant #

The merchant you bought from sees:

  • Your name (the one you entered at checkout)
  • Your billing address (if collected)
  • Your email address (so they can send the receipt)
  • The transaction amount and reference
  • A safe token representing your card — not the card number itself

They do not see:

  • Your full card number
  • Your CVV
  • Your card’s expiry date, beyond what the transaction itself requires
  • Your bank account number (if you paid by EFT)

This is true even for businesses that use Pay@’s most direct API integrations.

How 3D Secure protects you #

Every card transaction processed through Pay@ uses 3D Secure 2.0. This is the technology behind the OTP, banking app notification, or biometric check you sometimes see when paying online.

3D Secure works like this:

  • Your bank assesses every transaction in real-time using over 100 risk signals
  • Low-risk transactions complete silently — you don’t see a challenge
  • Higher-risk transactions trigger a verification step where only you can approve

This is the single most effective protection against unauthorised use of your card online. It is also mandatory in South Africa: every online card transaction must go through 3DS.

What you should still do to protect yourself #

3DS and PCI compliance protect you against most fraud, but you can do more:

  • Check your bank statements monthly. Spot unfamiliar charges early. The sooner you dispute a fraudulent charge, the easier it is to resolve.
  • Enable transaction notifications. Most banking apps will send you an SMS or push notification for every transaction above a small amount.
  • Don’t share your card or banking app PIN. No legitimate business will ever ask for it — including Pay@.
  • Be cautious about emails or SMSes claiming to be from Pay@. We don’t ask you to verify card details by email. If something looks suspicious, contact your bank using the number on the back of your card.
  • Use a card with low limits for online shopping if your bank offers virtual or secondary cards.

What happens if there’s a security incident #

In the unlikely event of a security incident affecting customer data, POPIA requires Pay@ to notify the Information Regulator and the affected individuals as soon as reasonably possible after the incident is discovered. We have never had such an incident in 19 years of operation, and the controls behind our certifications are designed to prevent one.


Updated on May 12, 2026