Skip to main content

How Secure is PayMongo?

Our commitment to protecting your business and customers

Updated this week

At PayMongo, security is not just a feature – it's a foundational commitment embedded in every aspect of our operations. We understand that safeguarding your business's sensitive data and your customers' financial information is paramount. This article provides a comprehensive overview of the robust security measures, industry standards, and advanced protocols PayMongo employs to ensure that all transactions and data within our platform are protected against risks and fraud, allowing you to focus on your business with peace of mind.


Foundational Security Standards: PCI DSS Compliance

PayMongo adheres to the highest global standards for payment security to protect cardholder data.

  • PCI Service Provider Level 1 Compliant: PayMongo is certified as a PCI Service Provider Level 1. This means we have undergone and successfully passed stringent audits by an independent, PCI-certified auditor.

  • Adherence to PCI-DSS: This compliance signifies our adherence to the Payment Card Industry Data Security Standard (PCI-DSS), a comprehensive set of technical and operational requirements established by the major card brands (Visa, Mastercard, etc.). PCI-DSS ensures that card information is protected and secure at all stages of transmission and processing.


Robust Data Protection and Encryption

Protecting your sensitive data and your customers' financial information is central to PayMongo's security architecture.

  • Encryption: PayMongo employs strong encryption techniques to defend against malicious attempts to steal and misuse collected data. This applies to data exchanged between servers and endpoints, ensuring that sensitive information remains unreadable to unauthorized parties.

  • Authentication: Access to data and information collection within PayMongo's systems is strictly limited to authorized users and applications through rigorous authentication mechanisms.

  • Tokenization: PayMongo utilizes tokenization to keep sensitive card information secure on our servers. When a card is used, the actual card details are converted into a unique, non-sensitive "token." This token is then used for subsequent transactions, protecting the original card number from exposure to malicious agents.

  • HTTPS Everywhere (SSL/TLS): All interactions with PayMongo, including our website, merchant Dashboard, and APIs, are exclusively conducted through HTTPS (Hypertext Transfer Protocol Secure). This ensures that all data transmitted between your browser/system and PayMongo is encrypted, preventing "man-in-the-middle" attacks where malicious actors attempt to intercept data.

  • HSTS Implementation: PayMongo implements HTTP Strict Transport Security (HSTS). This web security protocol forces web browsers to interact with PayMongo services exclusively over HTTPS, further enhancing protection against certain types of cyber-attacks and ensuring a secure connection. PayMongo is included in the HSTS preload lists of major web browsers for added security.


Advanced Fraud Prevention: 3D Secure Protocols and Fraud Detection

PayMongo employs advanced protocols like 3D Secure and sophisticated fraud detection systems to minimize the risk of fraudulent card transactions.

  • 3D Secure (3DS):

    • What it is: 3D Secure (3DS, or 3DS 2.0) is a security protocol that adds an extra layer of authentication for online credit and debit card transactions. When a customer makes a payment, they may be prompted by their issuing bank to complete an additional verification step (e.g., entering a one-time password sent to their phone, answering a security question).

    • Protection for Merchants and Customers: PayMongo's card processing partners often mandate support for 3D Secure to maximize security and protect both merchants and their customers from risky or fraudulent transactions. Transactions from cards that do not support 3D Secure may be declined.

    • Benefits: This additional authentication step helps to:

      • Reduce Fraud: Makes it significantly harder for unauthorized users to make purchases with stolen card details.

      • Shift Liability: In many cases, liability for fraudulent chargebacks shifts from the merchant to the card-issuing bank when 3D Secure authentication is successfully performed.

  • Machine Learning-Powered Fraud Detection:

    • PayMongo employs a robust machine learning engine specifically designed to detect and combat fraud.

    • This engine analyzes a vast array of signals from historical and real-time transaction data.

    • This advanced technology allows PayMongo to accurately predict and actively protect merchants from fraud attacks and malicious actors.

  • Dedicated Fraud and Risk (F&R) Team:

    • PayMongo has a specialized Fraud and Risk (F&R) Team.

    • This team is responsible for continuously building and managing sophisticated risk assessment rules.

    • They utilize data science and analytics to identify emerging fraud patterns and implement internal risk parameters, ensuring the ongoing security and integrity of the platform.


Secure Infrastructure and Network Security

PayMongo's platform is built on a robust and secure infrastructure designed to protect against various cyber threats.

  • Cloud-Based Security: Leveraging secure cloud infrastructure, PayMongo benefits from advanced physical and environmental security measures, robust network controls, and extensive monitoring capabilities provided by leading cloud providers.

  • Regular Security Updates: PayMongo's systems are continuously updated with the latest security patches and configurations to guard against emerging vulnerabilities.

  • Firewalls and Intrusion Detection: Our network employs firewalls and intrusion detection/prevention systems to monitor and control incoming and outgoing network traffic, protecting against unauthorized access and malicious activity.


Continuous Security Audits and Monitoring

Security at PayMongo is an ongoing process, not a one-time setup.

  • Independent Audits: As a PCI Service Provider Level 1, PayMongo undergoes regular and stringent audits by independent, PCI-certified auditors to ensure continuous compliance with the highest security standards.

  • Vulnerability Scanning and Penetration Testing: Our systems are regularly subjected to vulnerability scanning and penetration testing by third-party security experts to identify and remediate potential weaknesses before they can be exploited.

  • 24/7 Monitoring: PayMongo employs continuous, 24/7 monitoring of its systems and networks to detect and respond to any unusual activity or potential security incidents promptly.


Security as a Shared Responsibility

While PayMongo takes extensive measures to secure its platform, security is a shared responsibility. Your business also plays a crucial role in maintaining overall security.

  • Best Practices for Merchants: Implementing strong password policies, securing your own systems, and following secure coding practices when integrating via API are essential complements to PayMongo's security efforts.

Did this answer your question?