Is PayFast PCI Compliant?

Yes, PayFast is a PCI DSS Level 1 Service Provider, which is the highest level possible.

What is PCI Compliance?

PCI DSS stands for Payment Card Industry Data Security Standard and is a PASA (Payment Association of South Africa) regulation in South Africa. This means any company accepting credit card payments on its website needs to comply with it in some way. When you accept card payments on your website, you need to make sure you process cardholder data in a secure environment, and this is where PCI compliance comes in.

Luckily, because PayFast is PCI compliant, you don't have to be, so rest assured that all your customers' credit card payments are processed in our secure environment.

What is 3D Secure 2?

3D Secure (often known by its branded names, Visa Secure and Mastercard Identity Check) is a security protocol that protects a buyer's credit card against unauthorised use when shopping online. This simple service enables buyers to validate transactions they make over the internet by requesting a personal code (usually sent to their cell phone or email address as a one-time PIN or push notification). It helps protect against fraudulent use by unauthorised individuals. You can find out more about how 3D Secure works here.

In 2019 an improved version of 3D Secure, called 3D Secure 2 (also known as 3DS2, EMV 3-D Secure or 3D Secure 2.0), was released. It offers an improved level of authentication that is mobile-first and caters for a better user experience.

The most important new features of 3D Secure 2 are as follows:

Frictionless authentication

3D Secure 2 uses frictionless authentication, which allows card-issuing banks to verify cardholders and approve transactions without requiring manual input from the buyer; this is a faster and more accurate method than the first version of 3D Secure. It is achieved through risk-based authentication (RBA), which involves sending data about the cardholder and the transaction to the issuing bank, which then compares it to the cardholder's historical transactional data to determine fraud risk. If the risk is low, the payment is processed without the need for the cardholder to verify the transaction. If there is any risk, the cardholder is challenged to provide additional input to authenticate the payment.
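The following is an added example, not PayFast code, that models the risk-based decision described above: the issuer compares the incoming transaction with the cardholder's history, approves it frictionlessly when the risk score is low, and otherwise requires a challenge (here, a one-time PIN) before authenticating. The scoring weights, threshold, the `Transaction` and `CardholderHistory` fields and all sample data are constructed assumptions for illustration; a real issuer's risk model is far richer and proprietary. The result codes `Y`, `N` and `C` follow the EMV 3DS `transStatus` convention (authenticated, not authenticated, challenge required).

```python
"""Simplified model of 3D Secure 2 risk-based authentication (RBA).

Added example, not PayFast or EMVCo code. It imitates the decision an
issuer's access control server makes from the authentication request and
the cardholder's history. Weights, threshold and field names are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed tuning values (assumption): scores at or above the threshold
# trigger a challenge instead of a frictionless approval.
CHALLENGE_THRESHOLD = 30
AMOUNT_MULTIPLIER = 3.0


@dataclass(frozen=True)
class Transaction:
    amount: float
    currency: str
    merchant: str
    country: str      # where the buyer's device appears to be
    device_id: str    # identifier of the device used at checkout


@dataclass(frozen=True)
class CardholderHistory:
    home_country: str
    typical_amount: float          # typical past purchase amount
    known_devices: frozenset       # devices seen on earlier transactions
    known_merchants: frozenset     # merchants the cardholder has used before


def risk_score(txn: Transaction, history: CardholderHistory) -> int:
    """Compare the transaction with the cardholder's history; higher is riskier."""
    score = 0
    if txn.amount > AMOUNT_MULTIPLIER * history.typical_amount:
        score += 40   # unusually large purchase
    if txn.country != history.home_country:
        score += 30   # buyer appears to be outside the home country
    if txn.device_id not in history.known_devices:
        score += 20   # never-seen device
    if txn.merchant not in history.known_merchants:
        score += 10   # first purchase at this merchant
    return score


def issue_otp(digits: int = 6) -> str:
    """One-time PIN the issuer would send to the cardholder's phone or email."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def authenticate(
    txn: Transaction,
    history: CardholderHistory,
    answer_challenge: Optional[Callable[[str], str]] = None,
) -> dict:
    """Run the RBA flow.

    Low risk: frictionless, transStatus "Y" with no challenge.
    Otherwise: transStatus "C" (challenge required) unless a callback is given
    that stands in for the cardholder entering the OTP; the supplied value is
    compared in constant time and yields "Y" or "N".
    """
    score = risk_score(txn, history)
    if score < CHALLENGE_THRESHOLD:
        return {"transStatus": "Y", "score": score, "challenged": False}
    if answer_challenge is None:
        return {"transStatus": "C", "score": score, "challenged": False}
    otp = issue_otp()
    supplied = str(answer_challenge(otp))
    ok = hmac.compare_digest(otp.encode(), supplied.encode())
    return {"transStatus": "Y" if ok else "N", "score": score, "challenged": True}


# Constructed sample data for a single cardholder.
SAMPLE_HISTORY = CardholderHistory(
    home_country="ZA",
    typical_amount=500.0,
    known_devices=frozenset({"phone-1"}),
    known_merchants=frozenset({"shop-a"}),
)
LOW_RISK_TXN = Transaction(450.0, "ZAR", "shop-a", "ZA", "phone-1")
HIGH_RISK_TXN = Transaction(4000.0, "ZAR", "shop-z", "US", "laptop-9")


if __name__ == "__main__":
    print(authenticate(LOW_RISK_TXN, SAMPLE_HISTORY))
    print(authenticate(HIGH_RISK_TXN, SAMPLE_HISTORY))
    # Simulate the buyer typing the OTP they received.
    print(authenticate(HIGH_RISK_TXN, SAMPLE_HISTORY, answer_challenge=lambda otp: otp))
```

The first call returns a frictionless `Y`, the second a `C` because the amount, country, device and merchant all differ from the history, and the third a `Y` only after the challenge is answered correctly.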

Improved user experience

3D Secure 2 has been designed to use dynamic authentication methods such as biometrics and token-based authentication, facilitating a faster and less obtrusive authentication process. This is ideal for the smartphone environment and mobile banking apps, as it allows cardholders to authenticate their payment through their banking app using facial recognition or a fingerprint, for example.

With 3D Secure 2 there are no more page redirects; instead the authentication request appears as a modal on the checkout page. Buyers no longer need to be redirected away from the checkout page to complete their payment, a step that has previously been associated with cart abandonment.

How does 3D Secure affect international card holders?

To answer this question fully, some context about 3D Secure worldwide is needed.

Worldwide standard

3D Secure is not unique to South Africa and is a system in use throughout the world as per Visa and Mastercard guidelines.

Visa and Mastercard divide the world into regions, and standards are implemented at different times in different regions according to Visa, Mastercard and the local authorities.

Most issuing banks around the world have the infrastructure to process 3D Secure transactions and have been participants in the program for a number of years. This includes banks in all regions.

3D Secure in South Africa

As of February 2014, it was (and still is) required for all SA ecommerce merchants to implement 3D Secure on all credit card transactions. As a result, all SA banks are ready for it and it is used for all ecommerce transactions. Customers will be aware of it because it is in use on all online stores, and banks and merchants are together educating the card-holding public about it.

3D Secure for international card holders

For international card holders whose territories have already undergone 3D Secure implementation (e.g. the United Kingdom), there will be limited impact on them, and they will mostly be aware of and familiar with 3D Secure authentication.

For international card holders whose territory has not yet undergone 3D Secure implementation (e.g. the United States), there will be some educational challenges. Most of these cardholders' banks are ready to process 3D Secure transactions, but because it hasn't been required by their local online stores, card holders are generally unaware of the program and little effort is spent educating the public about it.

This means that the 3D Secure page, which is served by their bank, will be unexpected by a US card holder, who will more than likely not be aware of the program. They may also have challenges with regard to registration, as their bank will not be used to fielding queries concerning 3D Secure. The US will be the last region in the world to see the introduction of 3D Secure, but the process is scheduled to start within the next few years.

The only approach one can take to deal with this disconnect is to educate all buyers (but specifically foreign buyers) about 3D Secure, its benefits and what to expect from it. This means explaining that it is a Visa & Mastercard program, that the 3D Secure page is served by their bank and, if possible, finding resources specific to their bank to assist them in successfully using the service (these can generally be found online).