Why cards still matter in an M-Pesa country
In Kenya it is tempting to think M-Pesa is enough. For a lot of local retail, it is. But cards reach people and money that M-Pesa struggles to: the diaspora paying for family services or property, corporate customers who settle by card, international buyers, and larger-ticket purchases above comfortable mobile-money limits.
For businesses selling to any of those, not accepting cards means quietly turning away revenue. The question is not M-Pesa versus cards - it is whether your customer base includes people who will only, or prefer to, pay by card.
PCI-DSS: the rule that scares people, explained
The moment you accept cards, PCI-DSS - the card industry's security standard - is in the picture. Its reputation for being heavy is earned, but only if you handle card data yourself.
The secret most businesses miss is that you can design your way out of most of it. If card details are entered into a hosted page or a secure field controlled by your payment provider, and go straight to them without ever touching your servers, your compliance obligation drops to the lightest self-assessment category. Build your own form that captures and transmits raw card numbers, and you inherit the full, audited, expensive version. The architecture you choose decides which world you live in.
3D Secure: authentication that shifts liability
3D Secure is the step where the cardholder proves it is really them - typically an OTP from their bank or an approval in a banking app - before the payment completes. It does two things for you. It cuts fraud, because a stolen card number alone is not enough to pay. And when it is used, it shifts liability for fraudulent chargebacks from your business to the card issuer.
That liability shift is the part owners underappreciate. Without 3D Secure, a fraudulent card payment that later gets disputed is your loss. With it, that risk largely moves off your books. In Kenya it is effectively expected on online card payments, so there is no good reason to disable it.
Tokenization: charging again without holding the card
If you ever want a customer to pay a second time without re-entering their card - a repeat purchase, a saved card, a subscription - you need tokenization.
Your provider stores the real card securely and hands you a token: a stand-in you can use to charge that card again, but which is worthless to a thief and carries no PCI weight. Your system stores tokens, never card numbers. This is what makes saved cards and recurring billing possible while keeping you out of scope. It is also a simple audit test: if any part of your system stores actual card numbers, something is wrong.
Chargebacks: the cost cards carry that M-Pesa doesn't
M-Pesa payments are effectively final. Cards are not - a cardholder can dispute a charge with their bank and have the money reversed, sometimes with a fee on top. This is the chargeback, and it is a genuine cost of accepting cards.
You cannot eliminate chargebacks, but you can keep them low and win the ones you should. Use 3D Secure. Describe charges on statements so customers recognise them and do not dispute out of confusion. Keep records - what was bought, when, delivery or usage evidence. And respond to disputes quickly with that evidence. A business that ignores chargebacks bleeds money and risks penalties; one that manages them treats them as a manageable line item.
The design that keeps card acceptance light
Pulling it together, the safe pattern is consistent: let your provider handle the sensitive parts, and keep your own systems clear of card data.
Use a hosted checkout or tokenized fields so raw card numbers never reach your servers. Keep 3D Secure on. Store tokens, not cards, for anything recurring. Reconcile card settlements - which arrive net of fees and on a delay - against your orders, and have a defined chargeback process. Done this way, cards become a manageable channel rather than a compliance and fraud liability. Done the naive way - your own form, raw card storage, no 3D Secure - they become the biggest risk on your platform.
How Upeosoft builds card acceptance
We implement card payments the light way: hosted or tokenized checkout so card data never touches your servers, 3D Secure enabled, tokenization for saved and recurring charges, and settlement reconciliation that accounts for fees and timing. We keep you in the simplest PCI category by design and set up a clear process for handling chargebacks.
Whether you are adding cards alongside M-Pesa or building a checkout from scratch, talk to Upeosoft and we will make card acceptance secure, compliant and low-maintenance.
