Payment security
epay-gateway is designed so that merchants never see your PIN or card details.
No card or PIN storage
- Card data is entered on the Djomy-hosted portal (PCI-DSS compliant) and never transits through the merchant's server.
- Mobile-money PINs are entered on your phone, not on the counter.
HTTPS everywhere
All traffic between your browser, the counter, and the payment provider is encrypted with TLS. If your browser shows a lock icon, you're on a real epay-gateway instance.
Signed notifications
When your payment succeeds, the counter notifies the merchant via a signed HTTP request. The merchant verifies an HMAC signature before trusting the notification — meaning a third party cannot forge a "paid" status for a transaction.
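The merchant-side check described above, as an added example (not epay-gateway's own code). The page does not give the signature format, so hex-encoded HMAC-SHA256 over the raw request body, the shared secret, and the `transaction_id` and `status` field names are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo secret; assumption: counter and merchant share one key.
SHARED_SECRET = b"demo-secret-not-a-real-key"


def sign(raw_body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Signature the counter would attach (assumed: hex HMAC-SHA256 of the body)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_notification(raw_body: bytes, signature: str, expected_txn: str,
                        secret: bytes = SHARED_SECRET):
    """Return the parsed notification if authentic and for expected_txn, else None."""
    # Sign the exact bytes received; re-serialising the JSON first can
    # change whitespace or key order and make a genuine message fail.
    expected = sign(raw_body, secret).encode()
    supplied = signature.strip().lower().encode()
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed signature matched.
    if not hmac.compare_digest(expected, supplied):
        return None
    # Parse only after the signature has been accepted.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return None
    # A valid signature on another order's notification must not mark this one paid.
    if not isinstance(event, dict) or event.get("transaction_id") != expected_txn:
        return None
    return event


if __name__ == "__main__":
    # Constructed sample notification, not a real epay-gateway payload.
    body = json.dumps({"transaction_id": "TXN-1001", "status": "paid"}).encode()
    sig = sign(body)
    print("genuine :", verify_notification(body, sig, "TXN-1001"))
    tampered = body.replace(b"TXN-1001", b"TXN-2002")
    print("tampered:", verify_notification(tampered, sig, "TXN-2002"))
```

The order is only marked paid when the function returns a notification; any `None` result is treated as untrusted and ignored.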
Checksum & CSRF protection
Every payment form includes a checksum that the counter verifies before contacting the provider. This blocks tampered or replayed requests.
What epay-gateway stores
- Your phone number (for mobile money), hashed with the transaction
- The amount, currency, and a provider reference
- Your name/email if the merchant collects them at checkout
epay-gateway does not store your OTP, PIN, card number, or CVV.