Most "payment integrations" are 80% done, and the missing 20% is what breaks on Black Friday. We wire up SA & international gateways with reconciled webhooks, 3DS 2.0 tested on real cards, refund flows verified, and an admin dashboard your finance team can actually use.
Wiring up a gateway looks deceptively simple — until a webhook is missed, a refund silently fails, or 3DS rejects half your shoppers. Here's where the cracks usually open.
Sandbox cards don't behave like real cards. They skip 3D Secure flows, ignore issuer-bank quirks, return rosy success responses, and never trigger the edge-case error codes a real FNB or Standard Bank card will throw at 11pm on Black Friday.
Gateways send a webhook to confirm payment. If your endpoint is slow, returns 500, or fails to verify the signature, the gateway gives up. Your order stays in "pending payment" forever even though the customer was charged.
Most integrations bolt on the happy-path purchase flow and leave refunds half-built. Partial refunds aren't supported, refund webhooks aren't reconciled, and your team ends up emailing the PSP for every R200 return.
If the card form sits on your domain and POSTs the raw PAN through your app, you've just put yourself in PCI DSS scope, and almost certainly out of compliance. The right answer is an iframe, hosted fields, Shop Pay, or a redirect, but it's often skipped.
No gateway is best at everything. Most SA stores end up with 2–3 wired up: a primary card processor, an instant-EFT option, and an international card route. Here's our honest take on each.
Excellent for low-to-mid volume SA merchants. Best-in-class onboarding, clear fees (~2.95% inc. VAT), great support, simple API. Default choice for new SA stores.
Most-recognised SA gateway. Card + Instant EFT + Snapscan + Zapper + Mobicred + Masterpass — all in one redirect. Good for stores that need the widest payment-method coverage.
Stronger anti-fraud, sophisticated risk-rules engine, supports international cards better than most SA gateways. Choice for higher-volume stores with risk concerns.
Belongs in every SA checkout. Instant EFT for card-shy shoppers, ~1.5% fee, settles same-day. Pair with a card gateway — never use as the only option.
Enterprise SA gateway with deep PSP integrations, vault tokenisation, multi-currency, and stronger MoR options. Choice for high-volume, multi-store, or B2B-heavy merchants.
Use for international cards, Apple/Google Pay, and stores selling primarily into USD/EUR/GBP markets. Note: Stripe is now live in SA but onboarding still varies by sector.
Largely for inbound international shoppers — diaspora customers, eBay/Etsy crossover audiences, and US-based B2B buyers. SA settlement to FNB Forex account.
QR-code payments via the SnapScan app, popular for in-store POS but also embeddable in online checkout. Useful for low-value, mobile-first shoppers.
Alternative QR wallet to SnapScan, common with FNB customers. Often added together with SnapScan to give shoppers full QR-wallet choice.
Every Sitect gateway integration ships with the same 8 elements — none are "phase 2", none are optional. This is what makes an integration production-grade vs sandbox-grade.
Card data never touches your servers. Iframe / hosted fields / drop-in component on the gateway's domain — keeps you out of PCI scope.
We test on at least one card per major SA issuer — FNB, Standard, ABSA, Nedbank, Capitec, Discovery — to verify OTP flows actually complete.
Webhooks are signed, verified, and replay-safe. Duplicate webhooks don't double-credit; missed webhooks reconcile on the next poll.
Full and partial refunds wired into your admin. Refund webhooks reconciled. Status synced back to the order. Notification emails sent.
Your finance team gets a real dashboard — payments list, filters by date / gateway / status, refund button, export to CSV, deep-link to the gateway's record.
Automatic SARS-compliant tax invoice generated on payment confirmation — sequential numbers, all required fields, archived as PDF, emailed to customer.
Branded receipt email on success, failure email with retry link, refund-confirmation email — all using your templates. Optional WhatsApp + SMS.
Webhook failures, signature mismatches, and unusually low success rates page your team via Slack / WhatsApp. You know within minutes, not the next day.
The cheapest way to handle payment security is to never touch the data in the first place. Every Sitect integration is engineered to keep your store in the easiest compliance bucket possible.
Hosted-field architecture keeps you in the lightest PCI scope. Annual self-assessment instead of an audit.
Strong Customer Authentication required for every transaction unless the gateway exempts it (low-value / trusted device).
HMAC signature verification on every incoming webhook. Unsigned or mismatched payloads logged + dropped.
Saved cards stored only as gateway tokens. No card details (even masked) live in your database.
Cardholder PII processing documented, retention policies, customer data-export and delete-flows on request.
Velocity rules, AVS/CVV checks enforced, BIN-blocking, geo + IP fraud scoring routed back to gateway risk engines.
HSTS preload, modern TLS only, mixed-content blocked, CSP locked down to the gateways you've enabled.
Every payment, refund, webhook, and admin action logged immutably. SARS / POPIA / dispute-friendly.
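The webhook handling described above (HMAC verification on every incoming webhook, replay safety, duplicates that don't double-credit), as an added example that is not Sitect's or any gateway's own code. The `timestamp.body` signing format, the 300-second tolerance, the event field names and the in-memory stores are assumptions; each gateway documents its own scheme.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme (not a real gateway's): hex HMAC-SHA256 over
# "<timestamp>.<raw body>", with timestamp and signature sent as headers.
TOLERANCE_SECONDS = 300

class WebhookProcessor:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_events = set()  # production: unique-keyed DB table
        self.credited = {}        # order_id -> cents credited

    def sign(self, timestamp: int, body: bytes) -> str:
        msg = str(timestamp).encode() + b"." + body
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def handle(self, body: bytes, timestamp: str, signature: str, now=None) -> str:
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "rejected:bad-timestamp"
        # Verify over the raw bytes before trusting anything in the body.
        expected = self.sign(ts, body).encode()
        if not hmac.compare_digest(expected, (signature or "").encode()):
            return "rejected:bad-signature"
        # The timestamp is covered by the MAC, so an old capture cannot be re-dated.
        if abs(now - ts) > TOLERANCE_SECONDS:
            return "rejected:stale"
        event = json.loads(body)
        if event["id"] in self.seen_events:
            return "duplicate"  # acknowledge the retry, credit nothing
        self.seen_events.add(event["id"])
        order = event["order_id"]
        self.credited[order] = self.credited.get(order, 0) + event["amount"]
        return "processed"

def demo():
    # Constructed sample event and secret, for illustration only.
    p = WebhookProcessor(b"constructed-test-secret")
    body = json.dumps({"id": "evt_1", "order_id": "A100", "amount": 20000}).encode()
    ts = 1_700_000_000
    sig = p.sign(ts, body)
    tampered = body.replace(b"20000", b"90000")
    results = [p.handle(body, str(ts), sig, now=ts + 5),
               p.handle(body, str(ts), sig, now=ts + 10),   # gateway retry
               p.handle(tampered, str(ts), sig, now=ts + 5),
               p.handle(body, str(ts), sig, now=ts + 3600)]  # late replay
    return results, p.credited
```

In a real handler the rejected outcomes would be logged and answered with a 4xx, while `duplicate` still returns 2xx so the gateway stops retrying.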
One fixed scope, no hidden phase-2 items, your team trained to handle 95% of payment-ops issues without us.
Live, tested gateway integration with hosted card capture, 3DS 2.0, webhooks, refunds, and order-status sync — all running in your production environment.
Filterable, sortable payments list with refund buttons, CSV export, deep-links to the gateway, and a daily summary email to your finance team.
Daily reconciliation job that compares gateway records vs your orders, flags discrepancies, and auto-resolves common cases. Slack alert on unreconciled rows.
Tax-invoice generator triggered on payment success, archived to S3, emailed to the customer, available in your admin and the gateway audit-log.
15-page payments runbook (testing checklists, refund procedure, dispute response, monthly recon) plus Loom tutorials walking your team through each.
Any payment-flow defect we introduce, we fix free for 30 days post go-live. We monitor your alerts during the window and respond inside 4 business hours.
Single-gateway integrations take a week. Multi-gateway with reconciliation takes two. Heavier B2B / split-payment / subscription work takes 3–4 weeks. Here's how it runs.
Day 1: Gateway choice, fees, MoR setup, test cards collected, sandbox credentials issued.
Days 2–5: Hosted card capture, 3DS flow, webhooks, refund flow built & tested in sandbox.
Days 4–7: Payments dashboard, refund UI, reconciliation cron, SARS invoice generator.
Day 8: Real-card tests on every major SA issuer, 3DS flows verified, refund verified.
Days 9–10: Production go-live with you, alerting wired up, 30-day warranty + monitoring.
Indicative metrics from recent SA gateway rewires, measured 60 days after go-live. Bigger gains come on stores that previously had a half-built integration in place.
All prices assume you already have a store (Shopify, WooCommerce, custom Laravel/Node/etc) and an active merchant account with the gateway. 50% on signature, 50% on go-live.
Honest answers about gateways, fees, PCI scope, MoR, refunds, and what to do when something breaks.
Send us your current setup (gateway, platform, what's not working) and we'll come back with a 30-minute audit call, a recommended tier, and an indicative price — no obligation.