Core principles
Protect data in transit
Public website traffic is served over HTTPS with strict transport and browser security headers. Production payment interfaces should use authenticated, encrypted transport throughout.
Minimise collection
The public enquiry form asks only for business contact and project information. It must not be used to submit cardholder data, credentials or identity documents.
Limit access
Access to merchant and operational data should follow job responsibility, strong authentication and reviewable account administration.
Trace important events
Payment operations benefit from consistent references and event histories for authorisation, failure, refund and settlement follow-up.
Merchant responsibilities
Merchants remain responsible for securing their accounts, protecting integration credentials, validating webhook authenticity and following the technical and operational instructions agreed during onboarding.
Report a concern
Send suspected vulnerabilities to [email protected]. Include the affected URL, reproducible steps and impact. Do not include live cardholder data.