Compliance & Security
Security practices, PCI compliance, and data protection at Credo.
Credo is built with security at its core. We handle sensitive payment data so you don't have to, while maintaining the highest industry standards for security and compliance.
PCI DSS Compliance
Credo is PCI DSS Level 1 compliant - the highest level of certification in the payments industry. This means:
- All card data is handled on our secure, certified infrastructure
- You never touch or store sensitive card information
- Our systems undergo regular security audits and penetration testing
- We maintain strict access controls and encryption standards
What this means for you
By using Credo's hosted checkout or SDKs, you inherit our PCI compliance. You don't need your own PCI certification for standard integrations.
Data encryption
In transit
All data transmitted between your application, Credo, and our banking partners uses TLS 1.3 encryption. This ensures data cannot be intercepted or tampered with during transmission.
- API endpoints require HTTPS
- Webhook deliveries use TLS
- Dashboard access is SSL-only
At rest
Sensitive data stored in our systems is encrypted using AES-256 encryption:
- Card data is tokenized and encrypted
- API keys are hashed with bcrypt
- Transaction data is encrypted in our databases
API key security
Key types
| Key Type | Format | Usage | Storage |
|---|---|---|---|
| Public Key | 0PUB... / 1PUB... | Initialize payments | Client-side safe |
| Secret Key | 0SEC... / 1SEC... | Verify transactions | Server-side only |
Best practices
- Never commit keys to version control - use environment variables
- Rotate keys regularly - generate new keys every 90 days
- Use separate keys per environment - sandbox and production should never share keys
- Monitor key usage - review API logs for unusual activity
- Revoke compromised keys immediately - generate new keys and update your application
Security warning
Exposing your secret key in client-side code, mobile apps, or public repositories is a serious security risk. If compromised, revoke the key immediately and generate a new one.
Webhook security
Signature verification
Every webhook request includes a credo-signature header containing an HMAC-SHA512 hash of the request body, signed with your secret key:
credo-signature: <hex-encoded hash>Verify the signature using:
const crypto = require('crypto');
const verifyWebhook = (rawBody, signature, secretKey) => {
const expected = crypto
.createHmac('sha512', secretKey)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
};Webhook best practices
- Always verify the
credo-signatureheader before processing any event - Use HTTPS endpoints only
- Handle all event types:
transaction.successful,transaction.failed,transaction.transaction.transfer.reverse,transaction.settlement.success - Implement idempotency to handle duplicate deliveries
- Respond with HTTP 200 immediately, process asynchronously
Fraud prevention
Credo employs multiple layers of fraud detection:
Real-time monitoring
- Velocity checks - Detect unusual transaction patterns
- Device fingerprinting - Identify suspicious devices
- Geolocation analysis - Flag transactions from high-risk locations
- Behavioral analytics - Spot unusual user behavior
Risk rules
Transactions may be flagged or declined based on:
| Risk factor | Action |
|---|---|
| Multiple failed attempts | Temporary block |
| Unusual location | Additional verification |
| High transaction amount | Manual review |
| Blacklisted card | Immediate decline |
Data privacy (GDPR & NDPR)
Credo is compliant with:
- GDPR - EU General Data Protection Regulation
- NDPR - Nigeria Data Protection Regulation
Your responsibilities
When integrating Credo, you must:
- Obtain consent - Clearly inform users you're collecting payment data
- Provide privacy policy - Explain how payment data is used
- Honor data requests - Allow users to access or delete their data
- Secure your systems - Maintain security on your end
Data retention
- Transaction records: Retained for 7 years (regulatory requirement)
- Card data: Never stored (tokenized immediately)
- Logs: Retained for 1 year
- Deleted accounts: Data anonymized after 30 days
Security certifications
| Certification | Status | Description |
|---|---|---|
| PCI DSS Level 1 | Certified | Payment Card Industry Data Security Standard |
| ISO 27001 | Certified | Information Security Management |
| SOC 2 Type II | Certified | Service Organization Controls |
Incident response
In the unlikely event of a security incident:
- Detection - Automated systems detect anomalies 24/7
- Containment - Affected systems isolated immediately
- Investigation - Security team assesses impact
- Notification - Affected customers notified within 72 hours
- Resolution - Systems restored and secured
Security checklist
Before going live, verify:
- API keys are stored in environment variables
- Secret keys are never in client-side code
- Webhook signatures are verified
- HTTPS is used for all endpoints
- Input validation is implemented
- Rate limiting is configured
- Error messages don't expose sensitive data
Reporting security issues
If you discover a security vulnerability:
- Email: security@credocentral.com
- Do not disclose publicly until fixed
- Include detailed steps to reproduce
- Allow 72 hours for initial response
We operate a responsible disclosure program and recognize security researchers who report valid issues.
Next steps
Was this page helpful?
Last updated on