Security

A Secure Payment Gateway for Zimbabwe

Finivex is built with security at its core — hosted card checkout, encryption in transit and signed webhooks — so you can accept EcoCash, OneMoney, Visa and Mastercard with confidence.

How we keep payments safe

Security is built into every layer of the platform.

🛡

PCI-aligned card handling

Card payments run through a hosted checkout, so full card numbers never touch your website or servers — dramatically reducing your PCI DSS scope.

🔒

Encryption in transit

All API traffic and checkout sessions are served over TLS, and API access is authenticated with per-merchant keys and secrets.

🏦

Trusted local rails

Settlement runs through established Zimbabwean banks and payment networks, and mobile-money flows use the wallet providers' official integrations.

👤

Verified onboarding

Every merchant is verified during onboarding, helping keep fraudulent actors off the platform and protecting the network.

Signed webhooks

Payment notifications are signed so your systems can verify that status updates genuinely came from Finivex.

$

Multi-currency controls

USD and ZWG balances are tracked separately, with a transparent settlement dashboard and audit trail.

Card data & PCI DSS

The single most effective way to protect cardholder data is to never handle it directly. Finivex captures Visa and Mastercard details on a hosted checkout page, so sensitive card data does not pass through — or get stored on — your website or store back-end. This keeps your business in the lowest-effort PCI DSS category while still accepting cards.

Data protection

Transaction and account data is encrypted in transit, access is scoped by per-merchant API credentials, and personal data is handled in line with our Privacy Policy. You can rotate your API keys at any time from the merchant portal.

Secure API access

Every API request is authenticated with your key and secret, allowed origins can be restricted for browser-based checkout, and webhook notifications are signed so your integration can confirm their authenticity. Full details are in the integration guide.

Security FAQ

Do I need to be PCI DSS certified to accept cards?

Because Finivex uses a hosted checkout, full card details never reach your servers — which keeps your business in the simplest PCI DSS category. You should still confirm your own obligations with your acquirer.

How is my payment data protected?

Data is encrypted in transit over TLS, API access is authenticated with per-merchant keys, and webhooks are signed so you can verify their origin.

Can I restrict where my API keys work?

Yes. You can set allowed origins for browser checkout and rotate your API keys at any time from the merchant portal.

How do you prevent fraud?

Merchants are verified during onboarding, card data is handled on a hosted page, and signed webhooks let your systems confirm every payment notification is genuine.

Build on a payment gateway you can trust

Secure, multi-currency payments for Zimbabwe — with security built in from the ground up.