FlexiQ Systems | Toll-Free 0800 006 666 or +27 12 377 1093 | sales@bigoffice.co.za

Payfast Payments

Security & Fraud Prevention

PayFast is committed to keeping you, your customers and all sensitive information secure. We have a multitude of automated and manual checks in place to protect both buyers and sellers from fraudulent transactions. Online retail has a fraud rate between 1 and 2% of all transactions. Through effective controls, PayFast’s rate is currently below 0,2% and still going down.

  • PCI-DSS Level 1 Compliant
  • We use Extended Validation SSL with 256-bit encryption. Only two of the four major South African banks use this, the highest level of encryption currently available.
  • All sensitive info is encrypted within our own database.
  • We run penetration testing on our system on a weekly basis to look for vulnerabilities. We are only required to do it once every three months, but we run it every week.
  • Our entire site, blog, payments page and help site are all served off secure servers, making it harder to perpetrate phishing attacks.
  • 3D Secure is in place for all credit card transactions.
  • Two-factor authentication is available to restrict access to your PayFast account.
  • We use GEO IP tracking to see where transactions are originating from and look for mismatches between this and the card’s issuing country.
  • Our system automatically checks for suspicious payment velocity.
  • We use BIN/IIN validation to check for card-issuing bank locations, and merchants can choose to enable/disable payments from certain countries.
  • Payments and card details are automatically checked against large online databases of blacklisted details.
  • All suspicious transactions are manually reviewed by our stellar Support Team.

3D Secure

3D Secure is an extra layer of security when using your credit card for online transactions. Sellers are asked to enter their 3D Secure password or one-time PIN (which they register with their bank) to authenticate that they are the actual cardholder.
Buyers would need to activate 3D Secure on their card via their bank (if they haven’t already done so).
For more information on activating your card for 3D Secure see here.

Activate your card for 3D Secure:

Click on your bank’s logo to activate your card. For any further information, kindly contact your bank.


What is an SSL certificate with Extended Validation (EV)?

SSL certificates with extended validation are considered to be superior to the standard SSL certificate because the authentication process is far more in-depth. The certification authority (in our case, Thawte) verifies a raft of additional details, including company registration information, details of the company officers and associated physical and operational addresses. Basically, they verify that we are who we say we are.

When issued with this certificate, a website will display the normal features of the SSL certificate (https and the secure padlock) but will also display the following:

  • The name of the website’s legal owner in the address bar (e.g. “PayFast (Pty) Ltd”)
  • A green address bar

To date, only 2 of the 4 major South African banks use the same level of SSL certificate that PayFast now does. So dealing with PayFast could be more secure than dealing with your own bank!

Here are a few screenshots of how you can identify whether a website has been issued with an SSL EV certificate. Note that browsers depict it differently, so I have displayed images for several types.

Google Chrome:
EV Certificate Chrome

Internet Explorer:
EV Certificate Internet Explorer

Mozilla Firefox:
EV Certificate Mozilla Firefox


What does this mean for you?

  • PayFast is using the highest SSL security available, providing a safe and secure environment for all buyers and receivers, thereby assuring payments are not tampered with and minimizing the likelihood of fraud.
  • You can easily spot a phishing website, as anyone trying to impersonate PayFast will not have an SSL certificate with EV displaying the legal name of “PayFast (Pty) Ltd”. So always look out for this!

Who Thawte is

Thawte was founded by Mark Shuttleworth and was the first to issue SSL certificates to ‘public entities’ outside of the United States. Thawte was acquired by VeriSign, Inc. in 2000 and is one of the brands that make up VeriSign.