Skip to main content


Reporting vulnerabilities

If you believe GOV.UK Pay security has been breached, contact us immediately at If you are a live user and the suspected breach is severe, consider using the urgent contact details provided to your service manager.

Please do not disclose the suspected breach publicly until it has been fixed.

Securing your developer keys

GOV.UK Pay allows you to create as many API keys as you want.

We recommend allowing all your developers experiment with their own test keys in the test environment, but keys for real integrations should only be shared with the minimum number of people necessary.

This is because these keys can be used to create and manipulate payments. Do not commit these keys to public source code repositories.

Follow these steps to revoke your API key immediately if you believe it has been accidentally shared or compromised:

  1. Sign in to the GOV.UK Pay admin tool.

  2. Select the correct accounts in the My services section.

  3. Select API keys.

  4. Revoke all compromised API keys.

Warning If you believe your key has been used to make fraudulent payments, contact the GOV.UK support team using the urgent contact methods provided to your service manager.

To further secure your live developer keys:

  • periodically rotate the keys that are used for live payments

  • you should consider rotating keys that are used for live payments after staff members leave that had access to those keys

  • avoid embedding your developer keys in any of your code - this only increases the risk that they will be discovered (instead store your keys inside your configuration files)

  • avoid storing your API keys in your application source tree (even when you’re not making your source code publicly available)

  • revoke your developer keys when they’re no longer required (this limits the number of entry points into your account)

  • have a leavers’ process, so that a developer’s API key is revoked when they leave

Securing your integration with GOV.UK Pay

Make sure you’ve fully tested your integration with GOV.UK Pay. When doing so, take care not to use any real card numbers. Read more about testing.

Securing your users’ information

GOV.UK Pay does not store full card numbers or CVV data for security reasons. This means you will not be able to search for transactions using card numbers. You can, however, search for the first six digits and the last four digits of a card.

Preventing fraudulent payments

If you think you’re receiving fraudulent payments, you can:

You can also set up your account to make risk management fraud checks if your PSP is Worldpay

If you make risk management fraud checks, you must contact us and ask us to send your user’s IP address to your PSP during each payment, or your payments may stop working.

Cloud security principles

GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on implementing the Cloud Security Principles for more information.

Payment Card Industry (PCI) compliance

Anyone involved with the processing, transmission, or storage of cardholder data must comply with the Payment Card Industry Data Security Standards (PCI DSS).

GOV.UK Pay is certified as fully compliant as a Level 1 Service Provider with PCI DSS version 3.2.1. All GOV.UK Pay partners must be compliant with PCI DSS, and must validate their compliance annually.

Use your Merchant ID to report PCI DSS compliance

A merchant ID is a unique number that identifies you to your payment processor and acquiring bank. The recommended approach is to report PCI DSS compliance by MID by:

  • agreeing with your acquiring bank to allocate an unique MID for each separate payment channel you have in place

  • reporting your PCI DSS compliance status for each of these unique MIDs to your acquiring bank

If you have one MID that encompasses multiple payment channels, the compliance requirements will be more complex for that MID. You should check the PCI DSS for more information.

Determine your PCI DSS compliance requirements

Your requirements depend on the number of transactions that you process as a merchant per scheme (Visa, MasterCard) per year.

For example, if you process 4 million transactions with Visa and 3 million with MasterCard, the “Fewer than 6 million transactions per year” category still applies despite the fact that the total number of transactions is larger than 6 million.

Confirm your merchant level with your acquiring bank.

Assessing your compliance requirements

Process fewer than 6 million transactions per year

If you process fewer than 6 million transactions per scheme per year, you may be able to self-assess by completing one of the PCI DSS Self-Assessment Questionnaires (SAQs). This is a self-assessment tool to assess security for cardholder data.

For most services using GOV.UK Pay, SAQ A should apply. If your service uses MOTO payments, you may need to choose a different SAQ.

To make sure you complete the appropriate SAQ, follow the decision tree on the final page of the PCI SAQ guidance.

You should be eligible to complete SAQ A if you fulfil all the eligibility criteria. You can read more about SAQ A eligibility criteria on the PCI Security Standards Council website. You can also read more detailed information on the eligibility criteria in the following table:

SAQ A eligibility criteria Notes
Your MID accepts only card-not-present (e-commerce or mail/telephone-order) transactions This applies where your MID is exclusive to transactions processed via GOV.UK Pay
All processing of cardholder data (CHD) by that MID is entirely outsourced to PCI DSS validated third-party service providers Both GOV.UK Pay and the PSPs it supports are PCI DSS compliant
The merchant does not electronically store, process, or transmit any CHD for that MID on your systems or premises, but relies entirely on a third party(s) to handle all these functions This applies where your MID is exclusive to transactions processed via GOV.UK Pay
The merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of CHD for that MID are PCI DSS compliant GOV.UK Pay is PCI DSS certified; we can provide an Attestation of Compliance (AoC) on request
Any CHD the merchant retains is on paper (for example, printed reports or receipts), and these documents are not received electronically Chargebacks received from your bank would fall into this category
All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s) The payment page will be delivered to your user directly from a PCI DSS validated service provider, GOV.UK Pay

Process more than 6 million transactions per year

If you process more than 6 million transactions per scheme per year, you will need to undertake a formal on-site security assessment by a PCI DSS Qualified Security Assessor (QSA).

It may be possible to be assessed against only the SAQ A requirements but this should be discussed with your own PCI DSS compliance team and your acquiring bank.

More information on this can be found at the PCI Security Standards Council website.

Your service manager may also be asked to supply extra evidence on your internal security protocols, and you may have to undertake security awareness training to ensure you are qualified to handle credit card data.


GOV.UK Pay follows government HTTPS security guidelines. The Hypertext Transfer Protocol Secure (HTTPS), which involves the Transport Layer Security (TLS) protocol is used by the platform to authenticate servers / clients and to provide secure connections.

You must use HTTPS for all direct communication between your service and GOV.UK Pay.

Return URLs for live services using GOV.UK Pay must use HTTPS, but you can use HTTP for return URLs with test accounts.