Last updated: June 2026
CheckoutPay is built so businesses and consumers can move money with confidence. This Security page describes our approach in plain language. It is not a penetration-test report, certification summary, or exhaustive technical specification.
Security is a shared responsibility. CheckoutPay implements controls appropriate to a payment platform operating in Nigeria; you are responsible for how you configure integrations, protect credentials, vet staff, and secure your own devices and customer relationships.
This page applies to the Services described on our website, including business dashboards, hosted checkout, APIs, plugins, and consumer wallet experiences where offered.
We align with widely recognised practices for cloud-hosted financial technology: defence in depth, least privilege, secure development lifecycle discipline, and periodic review as threats evolve.
We do not publish internal architecture diagrams, vendor lists, or detailed control matrices on this page.
Connections to CheckoutPay web properties and APIs are intended to use modern encrypted transport. You should access the Services only through official domains and distribution channels we publish.
Avoid using public or untrusted networks when performing sensitive actions unless you also use appropriate endpoint protection.
Business accounts rely on credentials and session controls you manage. Use strong, unique passwords; limit administrative access; remove departed staff promptly; and treat recovery codes and one-time passwords as highly confidential.
Where additional verification options are offered, we encourage you to enable them for accounts that can move money or change settlement settings.
Payment flows are designed to limit unnecessary exposure of sensitive data in browsers and merchant systems. Settlement and safeguarding of customer funds are handled in line with applicable Nigerian requirements through regulated partner arrangements described in our Privacy Policy (including the role of MetroOven Innovations within CBN and NDIC frameworks as relevant).
Merchants must protect API keys, webhook endpoints, and any payment references displayed to customers.
We maintain operational practices intended to support availability and integrity of the platform, including controlled deployments, backups where appropriate, and separation between production and non-production environments.
Details of hosting regions, tooling, and vendors are not disclosed here.
We use logging and monitoring to help detect anomalies, abuse, and potential security events. Retention periods and review processes are governed by internal policy and legal requirements.
You should monitor your own dashboards, webhooks, and bank statements for unexpected activity.
If we become aware of a security incident that materially affects the Services or your data, we will take steps consistent with applicable law and contractual obligations, which may include investigation, containment, notification, and remediation.
Timelines and methods of notice depend on the nature of the incident and regulatory guidance.
If you believe you have found a vulnerability affecting CheckoutPay, report it through the official support channel on this website with sufficient detail to reproduce the issue. Do not perform intrusive testing, social engineering against staff, or denial-of-service attacks without prior written authorisation.
Consumer wallet features may require PIN or OTP confirmation on secure pages. Never share your wallet PIN, OTP, or magic links with anyone claiming to be support. CheckoutPay will not ask you to approve silent debits without confirmation steps appropriate to the product.
The Services may rely on regulated partners, banking networks, messaging platforms, and infrastructure providers under contractual security expectations. Their roles are limited to what is necessary to deliver the product.
We plan for reasonable continuity of critical functions, recognising that no system is immune to outage. Maintenance windows or disruptions may occur; status information may be published where available.
Access to production systems and sensitive data by CheckoutPay personnel is intended to follow least-privilege principles and acceptable use rules, subject to confidentiality obligations.
We may update this page to reflect material improvements or clarifications. The “Last updated” date will change when we do.
See all FAQs including WordPress, API, and developer program topics.
We use HTTPS everywhere, secure credential storage for API keys, and access controls in the business dashboard. See https://check-outpay.com/support and our security page for practices and reporting channels.
Verification requirements depend on your business type and volume. The dashboard guides you through identity and business documents needed to unlock full features.
Use our fraud awareness resources and contact https://check-outpay.com/contact immediately with transaction references. Never move money based on unsolicited WhatsApp or email instructions.
Yes. Rotate or revoke keys from the business dashboard if exposed. Update your live integrations promptly after rotation.
CheckoutPay is bank-transfer-first for many flows. Sensitive operations use secure pages; merchants should not store full account passwords or PINs.
We operate under applicable Nigerian financial services and partnership arrangements required for our products. Specific licensing details are available on request for enterprise merchants.