Payments & Security

How your money and data stay safe on Buka

Our approach

Buka uses an escrow-style flow: the buyer pays a secure provider, and funds are released to the seller after delivery is confirmed. We never handle or store raw card data on our servers.

Buyer pays securely

Card data is captured by our payment partner and tokenised. Funds are held until the book is dispatched and delivered.

Escrow release

Once delivery is confirmed, Buka initiates a secure transfer to the seller’s bank account via a verified transfer recipient.

Clear audit trail

Every transaction has an auditable timeline: charge, escrow hold, shipment, delivery, release/settlement, and notifications.

How payments work

  1. Buyer checks out and pays using our PCI‑DSS compliant provider. Card details never touch Buka’s servers; a payment token is used instead.
  2. Payment provider creates/holds an authorisation or charge. Funds are kept in escrow until shipment and delivery are confirmed.
  3. After delivery confirmation (courier tracking or buyer confirmation), Buka requests a transfer to the seller’s verified recipient (bank account on file).
  4. Seller receives payout. Both parties get receipts and timeline updates in Notifications.

Security layers

PCI‑DSS & tokenisation

Card data is processed by the provider and tokenised. Buka stores no raw PAN/CVV.

Webhook verification

Payment webhooks are verified with HMAC (SHA‑512) signatures before events are accepted.

Encryption

TLS in transit; provider encryption at rest. Sensitive keys are kept in server environment variables.

Supabase RLS

Row Level Security ensures users can access only their own data (profiles, orders, listings).

Fraud prevention

Device & velocity checks, verified recipients, and dispute handling protect buyers and sellers.

Privacy & compliance

POPIA‑aligned data minimisation. Only the minimum necessary personal data is stored.

Disputes & refunds

If something goes wrong, open a dispute from your Orders or Notifications. Buka works with the payment provider to hold funds while we review. When appropriate, refunds are issued back to the original payment method.

Frequently asked questions

When do sellers get paid?

After delivery is confirmed via tracking or buyer confirmation. Payouts are then initiated to the seller’s recipient.

Which payment provider do you use?

We integrate with a PCI‑compliant provider for ZAR payments and bank transfers to South African accounts.

Do you store my card details?

No. Card information is handled by the provider and exchanged as tokens.

How are webhooks secured?

All webhooks are verified using HMAC (SHA‑512) signatures before updating orders or balances.
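The check described under "Webhook verification" and in this answer can be sketched as follows. This is an added example, not Buka's or its provider's code; the hex-encoded signature header, the `transfer.success` event name, the order statuses and the sample secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values. A real secret would be read from a server
# environment variable, as the page describes for sensitive keys.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"event":"transfer.success","order_id":"ord_1001"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA512 over the exact bytes sent (the sender's computation)."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def signature_is_valid(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Compare the signature header with the expected MAC in constant time."""
    if not isinstance(header_value, str):
        return False  # header missing
    candidate = header_value.strip().lower()
    # SHA-512 gives 64 bytes = 128 hex characters; reject anything else early.
    if len(candidate) != 128 or any(c not in "0123456789abcdef" for c in candidate):
        return False
    return hmac.compare_digest(sign(secret, raw_body), candidate)


def handle_webhook(secret: bytes, raw_body: bytes, header_value, orders: dict) -> int:
    """Return an HTTP-style status; `orders` is touched only after verification."""
    if not signature_is_valid(secret, raw_body, header_value):
        return 401  # unverified event: no parsing, no state change
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400
    if not isinstance(event, dict):
        return 400
    # Hypothetical event name and order store, for illustration only.
    if event.get("event") == "transfer.success" and event.get("order_id") in orders:
        orders[event["order_id"]] = "settled"
    return 200
```

The MAC is computed over the raw request bytes, not a re-serialised JSON object, because any change in whitespace or key order would produce a different digest.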

Need help with a payment or payout?