Built to bank-grade. Audited and re-audited.
The security stance, written in plain English. No marketing fog — just what we actually do.
Encryption
All traffic uses TLS 1.2+ with HSTS. Data at rest is encrypted with AES-256. Card numbers are never stored — we hold a one-way HMAC fingerprint that satisfies PCI DSS 4.0 §3.5.1.3.
Card data handling
We tokenise on capture, vault at the gateway, and only ever store BIN, last 4, brand, and a fingerprint. Tokens are scoped per merchant and per environment (test / live).
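A sketch of the storage model described under Encryption and Card data handling, added here as an illustration and not taken from Fyber's code: it validates a card number, then keeps only BIN, last 4, brand and a keyed HMAC-SHA256 fingerprint. The demo key, the function names, the `merchant_demo` identifier, the 6-digit BIN length, and the choice to scope the fingerprint per merchant and environment (the page states that scoping for tokens) are all assumptions.

```python
import hashlib
import hmac

# Constructed demo key. In production the key lives in an HSM/KMS, apart from the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
ENVIRONMENTS = ("test", "live")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def brand_of(pan: str) -> str:
    """Simplified prefix rules (assumption); real BIN tables are much larger."""
    if pan.startswith("4"):
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "amex" if pan[:2] in ("34", "37") else "unknown"

def fingerprint(pan: str, merchant_id: str, env: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way fingerprint; a bare SHA-256 of a PAN is brute-forceable."""
    if env not in ENVIRONMENTS:
        raise ValueError("unknown environment")
    # Derive a per-merchant, per-environment subkey so fingerprints do not
    # correlate across scopes (scoping the fingerprint is this example's assumption).
    scope_key = hmac.new(key, f"{merchant_id}|{env}".encode(), hashlib.sha256).digest()
    return hmac.new(scope_key, pan.encode(), hashlib.sha256).hexdigest()

def card_record(raw_pan: str, merchant_id: str, env: str) -> dict:
    """Return only the fields the page lists: BIN, last 4, brand, fingerprint."""
    pan = raw_pan.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return {"bin": pan[:6], "last4": pan[-4:], "brand": brand_of(pan),
            "fingerprint": fingerprint(pan, merchant_id, env)}

def same_card(record_a: dict, record_b: dict) -> bool:
    """Constant-time comparison of two stored fingerprints."""
    return hmac.compare_digest(record_a["fingerprint"], record_b["fingerprint"])

if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely published test number, not a real card.
    print(card_record("4111 1111 1111 1111", "merchant_demo", "test"))
```

The same card produces the same fingerprint within one merchant and environment, and a different one in any other scope, so stored records cannot be joined across merchants or between test and live.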
3D Secure
Frictionless 3DS 2.x is enabled by default for European-issued cards and high-risk transactions. We support PSD2 SCA exemption flows and Visa Secure / Mastercard Identity Check.
FraudGate
10-layer real-time fraud detection running on every transaction. 4-phase pipeline: hard blocks → ML scoring (6 parallel scorers) → rule engine → decision (allow / 3DS challenge / block).
Access control
Role-based access in the merchant dashboard. SSO available on Enterprise. MFA required for all Fyber staff and recommended for all merchants.
Audit logging
Every state change in the platform — payment, refund, dispute, settings — is logged immutably with actor, timestamp, IP, and user-agent. 7-year retention.
Infrastructure
Hardened cloud infrastructure behind a global CDN. Multi-replica deployment with rolling-update healthchecks. Daily encrypted database backups; tested restores monthly.
Vendor security
Every sub-processor that handles merchant or cardholder data is listed publicly. We notify merchants 30 days before adding or replacing any sub-processor.
Found a vulnerability?
Tell us — we'll respond fast and you have safe harbor.
Acknowledgement within 2 business days, first triage within 7. Critical issues remediated within 7 days. Read the full programme on our responsible-disclosure page.
Ready to start with confidence?
Free to get started. Full PCI scope handled by us.