Security

Security at PayUsher

We're built to be trusted with your payment stack. Here's exactly how your keys and data are handled — in plain terms.

We never touch your money.

Your gateways still settle directly to your own bank, exactly as they do today. PayUsher reads your data — it is never in the funds flow.

Read-only, scoped access.

We ask for restricted, read-only keys wherever your provider supports them. PayUsher can see transactions — not move or refund them.

Credentials encrypted, isolated.

Gateway keys are encrypted at rest and only ever travel over TLS, stored isolated per workspace — never exposed in the browser.

Outside your PCI scope.

PayUsher works with transaction metadata, not raw cardholder data — so connecting us does not widen your compliance burden.

How we protect your credentials

  • Gateway credentials are encrypted at rest and isolated per workspace.
  • Keys only ever travel over TLS, and are never exposed in your browser.
  • We request read-only, scoped keys wherever your provider supports them.
  • Rotate or revoke any connection in one click — access ends immediately.

The data we access — and the data we don't

What we readTransaction metadata — amounts, statuses, timestamps, and gateway health.
What we never touchRaw cardholder data (PAN/CVV) and your settled funds.
Funds flowYour gateways settle directly to your own bank, exactly as they do today.

Compliance

We don't claim certifications we don't hold. Formal certifications such as SOC 2 and PCI DSS are on our roadmap. Today we follow the practices behind them — read-only scoped access, encryption at rest and in transit, least-privilege data handling, and no fund custody. If you have specific compliance requirements, talk to us.

Reporting a vulnerability

Found a security issue? We take responsible disclosure seriously. Email security@payusher.io and we'll respond promptly. Please give us a reasonable window to fix issues before public disclosure.

Security FAQ

Can PayUsher move my money or issue refunds?
No. PayUsher requests read-only, scoped keys wherever your provider supports them, and it's never in the funds flow — your gateways still settle directly to your own bank. We add the unified view, not a middleman.
Where are my gateway API keys stored?
Encrypted at rest and isolated per workspace. Keys only ever travel over TLS and are never exposed in your browser. You can rotate or revoke them at any time.
Do you store card numbers or cardholder data?
No. PayUsher works with transaction metadata — amounts, statuses, timestamps — not raw card numbers or CVVs. Connecting us doesn't widen your PCI scope.
What happens when I disconnect a gateway?
Access ends immediately. Disconnect or rotate keys whenever you want — no email, no waiting period.
Who on my team can see our data?
Only the people you invite to your workspace, with role-based access so you control who can see and do what.
Do you have SOC 2 or PCI certification?
Not yet — formal certifications are on our roadmap. Today we follow the practices behind them: read-only scoped access, encryption at rest and in transit, least-privilege data handling, and no fund custody. If you have specific compliance requirements, talk to us.

Last reviewed · June 2026