Security
Bank-grade security, by design.
Last updated: 24 April 2026
Scan & Pay processes payments entirely on Australia’s New Payments Platform (NPP) using PayID and PayTo. We do not accept, store, or transmit card numbers, card verification values, or card expiry dates. Because card details never touch our infrastructure, our PCI DSS scope is minimised: the card rails are ones we simply do not handle. This is a deliberate architectural choice that removes the largest category of fintech data risk from the outset.
Every transaction is authenticated inside the customer’s own banking app. When a buyer scans a QR code, the payment is initiated against their bank-held PayID alias or a PayTo mandate they previously approved. Once the payment completes on the NPP, confirmation is delivered to the merchant in real time via HMAC-signed webhooks, so the merchant can verify that each notification originated from us and was not altered in transit. Settlement lands in the merchant’s bank account on the next business day (T+1), managed by our NPP-accredited partner Ezidebit Pty Ltd (AFSL 315388), a Global Payments company.
Our web properties are delivered over HTTPS with HSTS preload, and all data at rest is encrypted on secure cloud infrastructure. Authentication on the consumer and merchant portals uses passkeys by default, with server-verified one-time passcodes (OTP) as a fallback. Access to production systems is limited to engineering leads and is audited via tamper-evident cloud audit logs. To report a security issue, email hi@scanandpay.com.au with the subject line “Security disclosure”; we respond within 2 business days.