How we protect you
256-bit AES encryption
All data in transit is protected by TLS 1.3 with HSTS preloading. Data at rest — including PII, account details, and transaction records — is encrypted using AES-256. Keys are rotated quarterly and stored in an isolated secrets vault separate from application servers.
Two-factor authentication
Every account supports TOTP-based 2FA (RFC 6238 compliant) via Google Authenticator, Authy, or any standards-compliant authenticator app. SMS OTP is also available. For high-value transfers, 2FA is mandatory regardless of account settings.
Biometric authentication
On supported devices, transactions can be authorised using fingerprint or face recognition through the WebAuthn standard. Biometric data never leaves your device — we only receive a cryptographic proof of authentication.
AI fraud detection
Every transaction is scored by a multi-model risk engine using six AI providers (including LLM-based anomaly detection) plus a heuristic fallback. Signals include velocity, destination patterns, device fingerprint, and historical account behaviour. High-risk transfers are held for review before settlement.
API key security
Merchant API keys are generated with 32 bytes of cryptographic entropy and stored as salted hashes. Keys can be scoped to specific IP ranges, webhook endpoints, and permission levels. Compromised keys can be revoked instantly from the merchant dashboard.
Rate limiting & replay prevention
All API endpoints enforce per-key and per-IP rate limits. Payment endpoints require an Idempotency-Key header to prevent duplicate charges. Replay attacks on webhook endpoints are blocked using timestamp validation and HMAC-SHA256 signatures.
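A receiver-side check combining the timestamp validation and HMAC-SHA256 signature described above, as an added example that is not AfriLink's own code. The signing string (`<timestamp>.<body>`), the 300-second window, the `seen` set and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed freshness window; the page does not state one


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over b"<timestamp>.<body>" (assumed signing string)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp_header, signature_header, body, seen, now=None):
    """Return (accepted, reason). `seen` holds signatures already processed."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    # The timestamp is inside the MAC, so it cannot be refreshed without the secret.
    expected = sign(secret, timestamp, body)
    supplied = (signature_header or "").encode()
    if not hmac.compare_digest(expected.encode(), supplied):  # constant-time compare
        return False, "bad signature"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    # A capture replayed inside the window is still fresh; remember what was handled.
    if expected in seen:
        return False, "replayed"
    seen.add(expected)
    return True, "ok"


# Constructed sample delivery (not real AfriLink data).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"payment.settled","amount":"1500.00","currency":"NGN"}'
SENT_AT = 1_700_000_000
SIGNATURE = sign(SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    seen = set()
    print(verify_webhook(SECRET, str(SENT_AT), SIGNATURE, BODY, seen, now=SENT_AT + 5))
    print(verify_webhook(SECRET, str(SENT_AT), SIGNATURE, BODY, seen, now=SENT_AT + 9))
```

In a real receiver the `seen` set would be a shared store whose entries expire once they fall outside the tolerance window.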
Infrastructure security
🌐 Network isolation
Application servers, database servers, and payment provider clients run in isolated network segments. There is no direct database access from the public internet. All admin access requires VPN + MFA.
📋 Audit logging
Every administrative action, payment decision, and configuration change is written to an append-only audit log. Logs are tamper-evident via hash chaining and retained for 7 years.
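How hash chaining makes a log tamper-evident, as an added example that is not AfriLink's implementation. The entry layout, the all-zero genesis value and the sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always serialises to the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list, record: dict) -> None:
    """Append a record whose hash also covers the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash,
                "hash": entry_hash(prev_hash, record)})


def first_broken_index(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        linked = entry["prev"] == prev_hash
        intact = entry["hash"] == entry_hash(prev_hash, entry["record"])
        if not (linked and intact):
            return i
        prev_hash = entry["hash"]
    return None


def build_sample_log() -> list:
    """Three constructed audit records (not real data)."""
    log = []
    append(log, {"actor": "admin-1", "action": "config.change", "key": "fx_margin"})
    append(log, {"actor": "risk-engine", "action": "payment.hold", "txn": "T-0001"})
    append(log, {"actor": "ops-2", "action": "payment.release", "txn": "T-0001"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(first_broken_index(log))          # untouched chain
    log[1]["record"]["action"] = "payment.release"
    print(first_broken_index(log))          # edited entry is reported
```

Verification only proves the entries are consistent with each other; detecting a truncated tail or a fully rewritten chain requires storing the latest hash somewhere the log writer cannot modify.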
🔄 Automated backups
Database backups are taken every 4 hours and replicated to a geographically separate location. Recovery time objective (RTO) is under 1 hour. Backups are themselves encrypted at rest.
🚧 DDoS protection
Traffic is routed through a CDN layer with automatic DDoS mitigation at layer 3, 4, and 7. Payment API endpoints have additional rate-limiting and request validation before reaching application logic.
🔏 Secret management
API keys, database credentials, and payment provider secrets are managed via a centralised secrets manager. The application environment never contains plaintext secrets — only encrypted references resolved at runtime.
🧪 Penetration testing
We conduct quarterly penetration tests via an independent third-party security firm. Findings are tracked to resolution within the timelines specified in our security policy. Critical findings block releases.
Certifications & Standards
PCI-DSS Level 2
Assessment in progress
AfriLink Pay is undergoing PCI-DSS Level 2 assessment for card data processing. We do not store, transmit, or process raw card numbers on our servers — card data flows exclusively through PCI-certified provider endpoints. Full certification expected Q4 2026.
ISO 27001
Audit scheduled Q3 2026
We have implemented an Information Security Management System (ISMS) aligned with ISO 27001:2022. Our formal certification audit is scheduled for Q3 2026 with a Big 4 auditor. ISMS scope covers all production systems handling customer data and payment flows.
NDPR (Nigeria)
Compliant
We are compliant with Nigeria's Data Protection Regulation (NDPR) administered by the Nigeria Data Protection Commission (NDPC). We maintain a Data Protection Officer and conduct annual Data Protection Audits (DPAs) as required.
GDPR (diaspora users)
Compliant
For users in the EU/UK diaspora sending money to Africa, we apply GDPR standards including the right to access, right to erasure, and data portability. Our privacy policy details the legal bases for all data processing activities.
Two-Factor Authentication (2FA)
Every AfriLink account supports TOTP-based 2FA compliant with RFC 6238 — the same standard used by Google, GitHub, and your bank. 2FA can be enabled in your account settings and takes under 60 seconds to set up.
📱 Authenticator App (TOTP)
Scan a QR code in Google Authenticator, Authy, 1Password, or any RFC 6238-compliant app. The app generates a new 6-digit code every 30 seconds — no internet connection required on your device.
- Works offline — no SMS needed
- Compatible with Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden
- 30-second window with ±1 step drift tolerance (RFC 6238 §5.2)
- Backup recovery codes provided at setup (store safely)
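Server-side verification of a 6-digit code with the 30-second step and ±1 step drift tolerance listed above, as an added example that is not AfriLink's code. HMAC-SHA1 (the authenticator-app default) and the `last_used_step` reuse check are assumptions; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (a new code every 30 seconds)
DIGITS = 6
DRIFT = 1     # accept the previous, current and next step


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, unix_time: int, last_used_step: int = -1):
    """Return the matched time step, or None if the code is rejected.

    Steps at or before last_used_step are refused, so a code that has
    already been accepted cannot be used again while still in the window.
    """
    current = unix_time // STEP
    matched = None
    for step in range(current - DRIFT, current + DRIFT + 1):
        if step < 0 or step <= last_used_step:
            continue
        # Constant-time comparison; every candidate step is always checked.
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            matched = step
    return matched


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print(code, verify(RFC_SECRET, code, 89), verify(RFC_SECRET, code, 119))
```

The caller stores the returned step per account and passes it back as `last_used_step` on the next attempt.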
💬 SMS OTP
For users without a smartphone or authenticator app, SMS one-time passwords are available as a fallback. A 6-digit code is sent to your registered phone number and expires after 5 minutes.
- Available in all 54 supported countries via Africa's Talking SMS gateway
- One-time use — codes are invalidated immediately after first use
- Rate-limited to prevent SMS bombing attacks
- Note: TOTP is more secure — SMS is susceptible to SIM-swap attacks
🔴 Mandatory 2FA for high-value transfers
Regardless of your account's 2FA setting, transfers above your country's threshold require 2FA verification. This is enforced at the API level and cannot be bypassed by merchants or agents.
- Threshold is set per-corridor based on regulatory guidance (CBN, BOG, CBK)
- Admin and merchant dashboard logins can be configured to always require 2FA
- Staff logins with compliance or operations roles auto-enforce 2FA
🔑 Recovery
At 2FA setup, you receive 10 single-use recovery codes. Each code can be used once to bypass 2FA and is then permanently invalidated. Store them in a password manager or secure document.
- If you lose both your authenticator device and recovery codes, identity verification is required — contact security@afrilinkpay.com
- Recovery codes are hashed with SHA-256 — AfriLink staff cannot read your codes
Biometric Authentication (WebAuthn)
On supported devices, you can authorise transactions using fingerprint or face recognition via the WebAuthn (FIDO2) standard — the same technology used by Apple Pay, Google Pay, and Windows Hello.
🔐 How WebAuthn works
Your device generates a unique cryptographic key pair. The private key never leaves your device — it's stored in your device's secure enclave (Touch ID chip, Android StrongBox, or Windows TPM). AfriLink only stores your public key.
When you authorise a payment, your device signs a challenge with your private key. AfriLink verifies the signature with your public key — your biometric data is never transmitted.
📱 Supported devices
- iOS 14+ — Face ID or Touch ID via Safari
- Android 7+ — Fingerprint or face unlock via Chrome
- Windows 10/11 — Windows Hello (face, fingerprint, or PIN)
- macOS — Touch ID via Safari or Chrome
- Any FIDO2-certified hardware security key (YubiKey, etc.)
Devices that don't support WebAuthn fall back to TOTP 2FA automatically.
🛡️ Privacy by design
- Your fingerprint or face image never leaves your device
- AfriLink receives only a cryptographic proof (ECDSA signature over a server challenge)
- No biometric database exists on our servers — impossible to breach
- Each registration is device-specific — compromising one device doesn't affect others
- Biometric credentials can be revoked instantly from your security settings
⚡ User experience
Once registered, authorising a payment takes under 1 second — just a touch or glance. No code to type, no app to open. The friction of security disappears.
- Register up to 5 devices per account
- Works alongside TOTP as a second factor option
- For transfers above threshold — biometric replaces TOTP (one tap vs. six digits)
- Coming to the AfriLink merchant and agent portals in 2026
packed, fido-u2f, and none attestation formats.
Responsible Disclosure
We believe coordinated vulnerability disclosure makes everyone safer. If you've discovered a security vulnerability in AfriLink Pay, we ask that you report it to us privately before any public disclosure so we can fix it and protect our users.
📩 How to report
Email a detailed description of the vulnerability to security@afrilinkpay.com. Include:
- Steps to reproduce the issue
- Affected endpoint or component
- Potential impact assessment
- Any PoC code or screenshots (do not exploit further)
We'll acknowledge receipt within 24 hours and provide a triage assessment within 72 hours.
🤝 Our commitments
- We will not pursue legal action against good-faith researchers
- We will credit you in our security acknowledgements (unless you prefer anonymity)
- We aim to fix Critical vulnerabilities within 14 days of confirmed triage
- We will notify you when the fix is deployed
- We offer recognition awards for high-severity findings — email us to discuss