As a trusted payment service provider, Mangopay’s security practices are constantly evolving in line with the rigorous standards of the payments technology industry.

This guide aims to centralize security information and resources to empower both platform operators and their end users to maintain the highest level of security in every interaction with Mangopay’s services. We are committed to providing clear guidelines, actionable steps, and comprehensive resources to foster a safe and robust financial ecosystem.


1. Security appendix

Our contractual security appendix (available on our website) outlines the key security measures we expect our third party providers to implement. This document serves as a cornerstone of our security partnership and is periodically updated to reflect evolving risks and compliance requirements. Regular review is essential to ensure alignment with our expectations and industry standards. By adhering to these guidelines, platforms can strengthen their defenses and enhance operational integrity.

Key sections of the appendix

  • Obligations applicable to all service providers – Baseline security and compliance measures that all third-party service providers must follow.
  • Specific obligations for service providers supporting payment services – Detailed guidelines for providers directly involved in payment services.
  • Specific obligations for service providers operating on their information systems – Requirements for third-party providers managing their own infrastructure and hosting Mangopay’s Data.
  • Specific obligations for service providers operating on Mangopay’s information systems – Detailed obligations for those integrating directly with our systems, focusing on secure API usage, access controls, and compliance with Mangopay’s internal security policies.

You can find the latest version of our Security Contract Appendix here on our website. We recommend bookmarking the link for easy access and periodic review to stay ahead of potential risks and compliance obligations.

Benefits of periodic review

Periodically reviewing the latest version of Mangopay’s Security Appendix helps ensure:

  • Improved resilience against emerging threats and attack vectors.
  • Assurance of compliance with relevant legal and regulatory frameworks.
  • Enhanced reputation as a secure and reliable service provider.

2. Integration guidance

Secure integration is crucial to safeguarding your platform and your end users. Below, we outline how to properly integrate with our systems to maintain the integrity of your operations and ensure a secure exchange of data and funds.

2.a. TLS and HTTPS

  • Always use TLS 1.2 for all API calls to ensure encrypted data exchange. TLS certificates should be regularly renewed and monitored for expiration to avoid disruptions.
  • Ensure your endpoints use HTTPS to protect communication and prevent man-in-the-middle attacks. Avoid using self-signed certificates in production environments.
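The two points above can be enforced in code rather than left to defaults. The following Python example is added here for illustration and is not Mangopay's own code or SDK: it builds a client-side TLS context that treats TLS 1.2 as the floor (so TLS 1.3 is also accepted), refuses self-signed or otherwise untrusted certificates through CA chain and hostname verification, and turns the certificate's notAfter date into a simple renewal status so that expiry can be monitored before it causes an outage. The 30-day warning threshold and the sample notAfter value are constructed assumptions, not values from the documentation.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Assumed operational threshold for raising a renewal warning (not a Mangopay value).
RENEWAL_WARNING_DAYS = 30


def build_client_context() -> ssl.SSLContext:
    """Client TLS context: TLS 1.2 minimum, trusted CA chain required, hostname checked."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restate the defaults explicitly so a later edit cannot silently weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context still enforces the three properties set above."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def parse_not_after(not_after: str) -> datetime:
    """Parse the notAfter string as returned by ssl.SSLSocket.getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_until_expiry(not_after: str, now_iso: Optional[str] = None) -> int:
    """Whole days between `now` (ISO 8601 UTC string, defaults to the current time) and expiry."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (parse_not_after(not_after) - now).days


def certificate_status(not_after: str, now_iso: Optional[str] = None) -> str:
    """Classify a certificate as 'ok', 'renew-soon' or 'expired'."""
    days = days_until_expiry(not_after, now_iso)
    if days < 0:
        return "expired"
    if days < RENEWAL_WARNING_DAYS:
        return "renew-soon"
    return "ok"


def fetch_peer_not_after(host: str, port: int = 443) -> str:
    """Connect with the hardened context and return the peer certificate's notAfter.
    This performs a network call; the checks above run offline without it."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample value, not a real certificate.
    sample_not_after = "Jun  1 12:00:00 2025 GMT"
    print(certificate_status(sample_not_after, "2025-05-15T00:00:00+00:00"))  # renew-soon
```

The hostname check is what defeats a man-in-the-middle presenting a valid certificate for a different name, and CERT_REQUIRED is what rejects self-signed certificates; disabling either for convenience in a test environment is the change most likely to leak into production, which is why the context restates them rather than relying on defaults.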

2.b. Infrastructure best practices

  • Only integrate with endpoints explicitly provided in our documentation to ensure data integrity and security. Unauthorized or unused endpoints should be promptly disabled.
  • Regularly validate API keys, access tokens, and refresh credentials to minimize risks associated with compromised keys. Limit the scope and lifespan of API keys to reduce exposure. Read more about managing API accounts.
  • Implement logging and monitoring for all integration points to detect and mitigate potential issues promptly. Use centralized logging solutions for efficient incident management.
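The three practices above (documented endpoints only, short-lived credentials, and logging that does not itself become a credential leak) fit together in one small client-side layer. The following Python example is added here for illustration and is not Mangopay's own code or SDK: an endpoint allowlist that rejects anything not on a documented HTTPS host, a token cache that refreshes an access token shortly before it expires instead of reusing it indefinitely, and a logging filter that masks bearer tokens, Basic credentials and api_key-style fields before log lines reach a central sink. The host names are assumed to be the documented API hosts and should be taken from the API documentation rather than from this snippet; the token-fetching callback, the 60-second refresh margin and the sample log lines are constructed.

```python
import logging
import re
import time
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Assumed documented hosts; confirm against the API documentation before use.
ALLOWED_API_HOSTS = frozenset({"api.sandbox.mangopay.com", "api.mangopay.com"})


def is_allowed_endpoint(url: str) -> bool:
    """Only HTTPS URLs on documented hosts pass; plain HTTP or unknown hosts are rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_API_HOSTS


class TokenCache:
    """Holds a short-lived access token and refreshes it `refresh_margin` seconds
    before expiry. `fetch` returns (token, lifetime_seconds); the real HTTP call
    that obtains a token is outside this example."""

    def __init__(self, fetch: Callable[[], Tuple[str, int]], refresh_margin: int = 60,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock  # injectable so expiry logic can be tested offline
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            token, lifetime = self._fetch()
            self._token = token
            self._expires_at = self._clock() + lifetime
        return self._token


_SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" / "Authorization: Basic <base64>"
    re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)\S+", re.IGNORECASE),
    # "api_key=...", "client_secret: ...", "password=..."
    re.compile(r"((?:api[_-]?key|client_secret|password)\s*[=:]\s*)\S+", re.IGNORECASE),
]


def redact(text: str) -> str:
    """Replace credential values with a fixed marker, keeping the field name for context."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


class RedactSecrets(logging.Filter):
    """Logging filter that redacts the fully formatted message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True


def make_integration_logger(name: str = "psp-integration") -> logging.Logger:
    """Logger whose handler redacts secrets; swap the StreamHandler for your central sink."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(RedactSecrets())
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    log = make_integration_logger()
    url = "https://api.sandbox.mangopay.com/v2.01/users"  # constructed request target
    if not is_allowed_endpoint(url):
        raise SystemExit("refusing to call an undocumented endpoint")

    # Constructed token source standing in for the real credential exchange.
    cache = TokenCache(lambda: ("constructed-token-value", 300))
    # Logging the request line with its header: the token is masked, the rest is kept.
    log.info("POST %s Authorization: Bearer %s", url, cache.get())
    log.info("config loaded api_key=constructed-key-value timeout=10")
```

Attach the filter to the handler, not only to the logger: a filter on the logger applies only to records logged directly on it, while a handler filter sees every record that reaches the sink. The allowlist check belongs before the request is built so that a misconfigured base URL fails closed instead of sending credentials to an unexpected host.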

2.c. PCI compliance requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry requirements that ensure that payment service providers (PSPs) like Mangopay handle sensitive card data in a secure manner.

As a PSP, Mangopay holds full PCI DSS Level 1 certification, requiring annual external assessment of our security measures such as robust encryption, segmentation, and logging practices.

As a merchant, your platform is responsible for your own PCI DSS compliance, for example by completing the relevant Self-Assessment Questionnaire (SAQ).

In the vast majority of cases, this means completing SAQ A-EP, which covers integrations using card tokenization or hosted redirects. The latest SAQ A-EP document is available from the PCI documents library.

In exceptional cases, if your platform is handling or storing card data directly, you may need to comply with PCI SAQ D or get certified by an accredited PCI Qualified Security Assessor (QSA).


3. End-user security best practices

Although end users interact with your platform to access Mangopay’s services and wallets, we recommend sharing the following guidelines to help them secure their funds and data effectively. Empowering end users with knowledge is a shared responsibility that benefits the entire ecosystem.

Protecting accounts

  • Create strong, unique passwords for each platform, incorporating uppercase and lowercase letters, numbers, and special characters.
  • Enable multi-factor authentication (MFA) wherever available to add an additional layer of security. Encourage the use of one-time passwords (OTP) for enhanced protection.
  • Avoid using public Wi-Fi networks when accessing financial platforms to reduce exposure to potential attackers.

Avoiding scams

  • Mangopay will never ask you for your API key or Dashboard account password.
  • Never share login credentials or sensitive information with others, even if requested by someone claiming to represent a trusted party. Always verify communication channels before sharing details.
  • Be cautious of unsolicited emails or messages. Always verify the sender before clicking on links or downloading attachments. Report phishing attempts promptly to the platform.

Monitoring activity

  • Regularly review account activity to identify any unauthorized transactions or unusual patterns. Automated alerts for suspicious activity can provide added protection.
  • Immediately report suspicious or unauthorized transactions to the Support team of the platform where the payment was made. Users should be provided with clear instructions on how to report issues.

4. Security incident reporting and collaboration

Mangopay’s Security team is dedicated to ensuring the safety and compliance of our services. We provide support for compliance inquiries, assist in addressing suspicious activities, and work proactively to enhance the security of our systems.

Mangopay publishes the real-time status of all technical services on its status page, which is accessible via the Dashboard.

Reporting security incidents

If you suspect a security breach or identify suspicious activities, it is critical to report it immediately. Timely communication helps us address potential threats and minimize risks effectively.

How to report a security incident

Send an email to security@mangopay.com.

Information to include
  • A detailed description of the incident, including the time and date it occurred.
  • Systems or services affected, along with any preliminary findings from your team.
  • Steps already taken to mitigate the issue, including isolating affected systems.
  • Any relevant logs, screenshots, or other supporting materials that can assist in our investigation.

Security team collaboration

Our security team also ensures continuous improvement of our platform by:

  • Collaborating with platforms to address compliance issues and enhance best practices.
  • Investigating incidents thoroughly to prevent recurrence.
  • Providing recommendations and support for strengthening your platform’s security.
  • Supporting audits and compliance checks to maintain regulatory alignment.

Post-incident support

  • Comprehensive incident analysis and reporting.
  • Recommendations for long-term mitigation strategies.
  • Assistance with legal or regulatory reporting, ensuring you meet compliance requirements effectively.

Our team handles all reports and investigations with urgency and confidentiality, ensuring a swift resolution to all issues.


5. Our security program

Our robust security program is built on a strong foundation of compliance, regulatory adherence, and proactive risk management. Aligned with leading industry standards and frameworks, we continuously work to mitigate IT Security risks and uphold the trust of our partners and their users.

Key features of our security program

  • PCI DSS compliance – Our systems and processes are fully compliant with PCI DSS standards, ensuring the highest level of security for payment data. We are certified for PCI Payment Gateway Services and Vault Services, operating as a Service Provider Level 1.
  • Regulatory frameworks – We adhere to stringent IT and Security risk management regulations established by our supervisory authorities. These frameworks guide our approach to mitigating operational and cyber risks while ensuring resilience in our operations.
  • Proactive risk management – Our dedicated teams conduct regular risk assessments, vulnerability scans, and penetration tests to identify and mitigate threats before they impact operations.
  • Operational resilience – Central to our security program is the principle of resilience, ensuring that our systems and processes can withstand, recover from, and adapt to adverse events, maintaining continuity and trust.
  • Continuous improvement – Leveraging audit feedback, partner collaboration, and threat intelligence, we continuously evolve our security practices to address emerging risks.