Security at PayUsher
We're built to be trusted with your payment stack. Here's exactly how your keys and data are handled — in plain terms.
We never touch your money.
Your gateways still settle directly to your own bank, exactly as they do today. PayUsher reads your data — it is never in the funds flow.
Read-only, scoped access.
We ask for restricted, read-only keys wherever your provider supports them. PayUsher can see transactions — not move or refund them.
Credentials encrypted, isolated.
Gateway keys are encrypted at rest and only ever travel over TLS, stored isolated per workspace — never exposed in the browser.
Outside your PCI scope.
PayUsher works with transaction metadata, not raw cardholder data — so connecting us does not widen your compliance burden.
How we protect your credentials
- Gateway credentials are encrypted at rest and isolated per workspace.
- Keys only ever travel over TLS, and are never exposed in your browser.
- We request read-only, scoped keys wherever your provider supports them.
- Rotate or revoke any connection in one click — access ends immediately.
The data we access — and the data we don't
Compliance
We don't claim certifications we don't hold. Formal certifications such as SOC 2 and PCI DSS are on our roadmap. Today we follow the practices behind them — read-only scoped access, encryption at rest and in transit, least-privilege data handling, and no fund custody. If you have specific compliance requirements, talk to us.
Reporting a vulnerability
Found a security issue? We take responsible disclosure seriously. Email security@payusher.io and we'll respond promptly. Please give us a reasonable window to fix issues before public disclosure.
Security FAQ
- Can PayUsher move my money or issue refunds?
- No. PayUsher requests read-only, scoped keys wherever your provider supports them, and it's never in the funds flow — your gateways still settle directly to your own bank. We add the unified view, not a middleman.
- Where are my gateway API keys stored?
- Encrypted at rest and isolated per workspace. Keys only ever travel over TLS and are never exposed in your browser. You can rotate or revoke them at any time.
- Do you store card numbers or cardholder data?
- No. PayUsher works with transaction metadata — amounts, statuses, timestamps — not raw card numbers or CVVs. Connecting us doesn't widen your PCI scope.
- What happens when I disconnect a gateway?
- Access ends immediately. Disconnect or rotate keys whenever you want — no email, no waiting period.
- Who on my team can see our data?
- Only the people you invite to your workspace, with role-based access so you control who can see and do what.
- Do you have SOC 2 or PCI certification?
- Not yet — formal certifications are on our roadmap. Today we follow the practices behind them: read-only scoped access, encryption at rest and in transit, least-privilege data handling, and no fund custody. If you have specific compliance requirements, talk to us.
Last reviewed · June 2026