Absterco Pay
Client Terms & Policies

PCI & Data Compliance

Non-negotiable

Last updated: March 27, 2026


Raw card data — never transmitted to Absterco

Card numbers, CVV codes, and expiry dates are collected entirely within Mastercard's Hosted Session iframes — they never pass through Absterco's or the organisation's servers. This is a PCI DSS Level 1 requirement and cannot be changed.

Organisations must not attempt to capture raw card data via custom form fields and replay it to Absterco. Any such attempt will be detected and the integration suspended.

API keys — treat as secrets

API keys grant full access to an organisation's payment operations. They must never be exposed in client-side code, version control repositories, log files, or error messages.

Keys must be stored in environment variables or a secrets manager on the integration server only.

If a key is compromised, revoke it immediately via the Absterco dashboard and issue a new one. Absterco is not liable for charges resulting from leaked API keys.

Webhook endpoint security

Organisations that register a webhook URL must ensure the endpoint is HTTPS only. HTTP endpoints are rejected.

Webhook payloads are signed. The organisation's integration must verify the signature before processing any webhook event. Processing unsigned or unverified webhooks is a security risk and a breach of integration terms.