Payment Security Overview
- iStore Pay Tap to Pay transactions are as secure as regular Chip and PIN card payments.
- The use of biometric security (Face ID / Touch ID) on the iPhone adds an additional layer of protection.
| Security Feature | Detail |
|---|---|
| Certifications | L3 Certified by Visa and Mastercard |
| PCI compliance | PCI DSS compliant |
| CPoC standard | Contactless Payments on COTS (CPoC) — certified by PCI Security Standards Council |
| Biometric security | Face ID / Touch ID required on merchant's device |
Contactless Payment Security Architecture
The security of Tap to Pay on iPhone is built on three components:
- Secure Element
  - The Secure Element hosts the payment kernels that read and secure contactless payment card data. Payment card information (such as the card number / PAN) is secured by the Secure Element and is not visible to the merchant's device.
- NFC Controller
  - The NFC controller handles near field communication protocols and routes communication between the Application Processor, the Secure Element, and the contactless payment card.
- Tap to Pay on iPhone Servers
  - These servers manage the setup and provisioning of payment kernels on the device. They monitor device security in compliance with the CPoC standard from PCI SSC and are PCI DSS compliant.
Customer Data Protection
- Tap to Pay on iPhone does not collect transaction information that can be tied back to the customer who paid using their card.
- Certain non-identifying payment information stays between the merchant's Payment Service Provider, the payer, and the card issuer.
Anti-Money Laundering (AML)
- Transaction monitoring is a regulated Anti-Money Laundering (AML) process and a legal requirement for certain institutions including iStore Pay.
- It involves monitoring the flow of money to detect and prevent money laundering and terrorist financing.
- AML compliance covers activities including smuggling, illegal arms sales, embezzlement, insider trading, bribery, computer fraud, and organised crime (human, arms, and drug trafficking). It is closely related to Counter-Financing of Terrorism (CFT).
- iStore Pay and its partners reserve the right to monitor transactions and to take action, in whatever manner they see fit, against any merchant found to be in breach of the merchant agreement.
Fraud
What is fraud in a payments context?
- Fraud is any intentional act of deception carried out to gain an unfair or unlawful financial benefit. This can include:
  - Unauthorised use of a customer's card.
  - Attempts by a merchant to misuse the payment system (for example through illegitimate refunds, chargebacks, or fabricated transactions).
Please note that there is a difference between fraud on a specific transaction level and on an overall merchant level.
- If a specific transaction is being investigated for fraud, the merchant will continue to transact and receive payouts as normal, except for the specific transaction, which will be withheld until the investigation is completed and the outcome determined.
- If fraud is suspected on a merchant level, the account being investigated will not be able to transact or receive payouts until the investigation is completed and the outcome determined.
- You can reduce fraud risk by:
  - Checking the condition of the card (that it is in good condition, not damaged or stuck together).
  - Verifying the cardholder's identity for high-value transactions.
  - Watching for suspicious customer behavior (multiple declined attempts, rushing to leave, etc.).
  - Keeping detailed records of transactions, invoices, proof of delivery slips, etc.
- If you suspect a fraudulent transaction, you should:
  - Secure Evidence: Save CCTV footage, receipts, and any identification provided.
  - Ask for proof of identification and make a copy of this or take a picture if possible.
  - Make a copy of the card if possible.
  - Do Not Complete the Sale: If the transaction is declined or highly suspicious, refuse the sale.
- Post-Incident Actions
  - Report the transaction immediately to iStore Pay as soon as it's safe to do so. This is to help prevent chargebacks and stop further fraud.
  - Report the incident at your nearest SAPS station to create an official record.
  - To report suspected fraud, please contact us via any of our Support Channels and send all the evidence described above.
  - iStore Pay will investigate the matter and revert in writing to the merchant on the next steps to be taken.
- Payout on Fraudulent Transactions
  - In the event a transaction is suspected to be fraudulent, the merchant will be contacted by iStore Pay and asked to produce evidence of a legitimate transaction, e.g. receipts, proof of delivery, etc.
  - If the evidence is insubstantial or inconclusive, the transaction will be refunded and the funds deducted from the merchant’s payout.
  - Transactions can by law be investigated and refunded up to 6 months from the date of the transaction.
- Automatic Fraud Monitoring
  - iStore Pay and its affiliates perform automatic and random fraud monitoring checks (transaction velocity checks, unusual patterns, geographic anomalies, etc.).
  - In the event a merchant is suspected of fraudulent activity, iStore Pay will be informed; however, the merchant being investigated is not to be notified.
  - Suspected fraudulent transactions will be withheld from payout until the investigation is complete.
Account Suspension & Termination Due to Fraud
- Accounts suspected of fraudulent activity will be suspended pending investigation.
- Accounts could be suspended due to a chargeback rate higher than 1% of transaction totals, a high number of fraudulent transactions or other reasons. iStore Pay and its affiliates have the right to suspend any account for any reason they deem fit.
- The investigation will be conducted and an outcome concluded within a 48-hour period unless unforeseen circumstances arise.
- Merchants will not be notified at the time due to risk.
- Any account found to be operating in a fraudulent manner will be terminated.
- In the event of an account being terminated there will be no appeal process and the decision is final.
- Merchants will not be allowed to sign up again using any of the company or director details that were used on the terminated account.
- Any outstanding funds linked to fraudulent transactions not yet settled will be withheld from the merchant.
Privacy & POPIA
iStore Pay is committed to complying with the Protection of Personal Information Act 4 of 2013 (POPIA).
Information Collected
- iStore Pay collects, stores, and uses the following personal information:
  - First name(s) and surname
  - Address
  - Phone numbers
  - Email address
  - IP address and cookie information
  - Location information
  - Demographic information (age, gender)
  - Browser and hardware information (hardware model, OS version, unique device identifiers)
  - Transaction details
How Information is Used
- Collected information is used for:
  - Contracting and enabling secure payment acceptance in compliance with applicable regulations
  - POS solution usage
  - Responding to requests for information, products, or services
  - Customising content
  - Communicating about new offers
  - Internal reporting and development
  - Any other purpose with the user's permission, or as permitted/required by law
- iStore Pay may use some of your information to promote other services which may be relevant to you.
Data Retention
- Information is retained in accordance with legally required retention periods or for legitimate business purposes.
- Information may be kept indefinitely in a de-identified format for statistical purposes.
- The privacy policy applies throughout the retention period.
- Certain records are retained for five years per statutory obligations.
Correcting Personal Information
- You can request correction or removal of inaccurate information through the iStore Pay App or by contacting us via any of our support channels.
Lawful Use, Prohibited Industries and Transactions
Fair and Lawful Use of iStore Pay
💡 iStore Pay may not be used for any transaction that is unlawful, fraudulent, or that promotes, supports, or facilitates hate speech, violence, discrimination, or any activity in breach of applicable law. iStore Pay reserves the right to suspend or terminate any account found to be in breach of these provisions and to report such activity to the relevant authorities.
iStore Pay is meant to be used in the ordinary course of your business. We may review your account where your usage looks unusual, including:
- Transactions that do not match the business activity you disclosed at sign-up.
- Patterns that abuse the product, such as splitting transactions, repeated nominal-value transactions, excessive authorisation requests, or unusual refund patterns.
- Any of the activities listed as Prohibited Transactions.
- Any usage that is likely to expose iStore Pay or Glimmer to scheme fines, compliance issues or reputational harm.
Where we identify a fair-use concern, we may, depending on how serious it is:
- Send you a warning and ask for more information.
- Throttle or limit your processing while we review.
- Suspend your account.
- In serious or repeated cases, close your account.
Prohibited Industries
The industries listed below are prohibited from using iStore Pay as a payment platform.
- Airlines
- Betting, Casino Gaming
- Dating and Escort Services
- Direct Marketing – Insurance Services
- Door-to-Door Sales
- Direct Marketing – Combination Catalogue and Retail Merchants
- Direct Marketing – Continuity / Subscription Merchants
- Direct Marketing – Other Direct Marketers (not elsewhere classified)
- Government Services (not elsewhere classified)
- Bridge and Road Fees, Tolls
- Court Costs including Alimony and Child Support
- Fines
- Tax Payments
- Postal Services – Government Only
- Intra-Government Purchases – Government Only
- Massage Parlors
- Securities Brokers / Dealers
- Insurance Sales, Underwriting, and Premiums
- Timeshares
Note: This list outlines categories only and is not exhaustive.
What Happens if You Are Found in a Prohibited Category
If we identify that your business falls into a prohibited category, or that you have processed transactions for prohibited goods or services, we will normally do the following:
- Notify you that we are reviewing your account.
- Suspend your ability to accept new transactions while we investigate.
- Hold any pending settlement amounts and, if needed, set up a Reserve Account.
- Where required, report the matter to the card schemes, our settlement partner, banks, regulators or law-enforcement authorities.
- Close your account if the breach is confirmed and pay out any remaining balance once chargeback risk has passed.
If you are unsure whether your business falls into a prohibited or restricted category, please contact us via any of our Support Channels before you start trading. It is much easier to confirm fit upfront than to unwind transactions later.
Things You Cannot Use iStore Pay For
You must not use iStore Pay to process any of the following:
- Cash advances or quasi-cash - giving a cardholder cash (or a cash equivalent like a money order, voucher, prepaid card or cryptocurrency) in return for a card payment.
- Self-funding - taking a payment from your own card, your business’s card, or any card linked to your Nominated Bank Account, to move money into the account.
- Circular payments - any pattern of payments that loops money between connected accounts rather than reflecting a real sale.
- Debt collection - taking a card payment to settle a debt owed to a third party.
- Money transmission - moving money on behalf of someone else, including peer-to-peer transfers.
- Currency exchange - converting one currency into another for a fee.
- Sale of stored value or prepaid instruments - selling vouchers, gift cards, prepaid cards, e-wallet top-ups or similar instruments.
- Sub-merchant transactions - accepting payments on behalf of another business, even one that you own or are connected to.
- Third-party transactions - taking a card payment for goods or services that are sold by someone else.
- Splitting transactions - breaking one sale into two or more separate transactions to get around an authorisation limit, a transaction limit or any other control.
- Transactions outside South Africa - using the iStore Pay App on a device located outside South Africa, unless we have agreed to this in writing.
- Transactions on your own card - accepting a payment using a card issued in your own name, in the name of a partner, director or other officer of your business, or of their spouse or any member of their immediate family or household.
- Sale of restricted or prohibited goods - any goods or services in the categories listed in Prohibited and Restricted Businesses.
- Goods or services outside your registered business activity - anything that falls outside the description of your business given in your Application Form.
- Excessive authorisation requests or repeated nominal-value transactions - patterns that look like the iStore Pay product is being abused or tested rather than used in the ordinary course of business.
⚠️ Any one of these items, even on its own, can trigger a fair-use review. See Fair Use.