skybyte
DRAFT — pending legal review. This page is published for transparency but has not yet been cleared by qualified Bulgarian / EU counsel. Provisions may change. Operator review status is tracked at /admin/legal-status. For binding clarification email contact@banxs.com.

Payment Disclosures

Last updated: 5 May 2026Effective from: 5 May 2026

1. Introduction & Scope

This Payment Disclosures page explains, in detail, how card and digital-wallet payments work when you purchase a Skybyte travel eSIM data plan or top-up. It is published to satisfy the transparency requirements imposed on internet merchants by the international card networks (Visa, Mastercard, American Express, Discover and JCB through their respective Core / Operations Rules), by Directive (EU) 2015/2366 on payment services in the internal market (PSD2) and the Bulgarian Payment Services and Payment Systems Act (ZPUPS) which transposes it, and by Directive 2011/83/EU on consumer rights as transposed by the Bulgarian Law for the Protection of Consumers (ZZP).

The page is written for three audiences at once: (i) consumers and business buyers who want to understand what is being charged, where the money goes, and what happens if something goes wrong; (ii) acquiring banks, card networks and payment service providers who periodically audit our merchant disclosures; and (iii) counsel, regulators and dispute-resolution bodies who may need a single authoritative reference. It complements but does not replace our Terms of Service, Refund Policy and Privacy Policy; where this page repeats material from those documents it is for convenience, and the linked source documents prevail in case of any conflict.

Throughout this page, "Skybyte", "we", "us" and "our" refer to Banxs Technologies EOOD, a Bulgarian limited liability company (eednolichno druzhestvo s ogranichena otgovornost), trading under the brand "Skybyte", with registered office at Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria, Unified Identification Code (EIK) 206285017, registered for VAT under number BG206285017. "You" means the cardholder or wallet account holder placing an order, whether acting as a consumer or on behalf of a business. "Card" means any payment card (credit, debit, prepaid or commercial) issued under a recognised network scheme; "wallet" means a tokenized payment credential held inside Apple Pay, Google Pay or an equivalent Secure Element-based service.

Skybyte sells digital connectivity products only — eSIM data allowances and top-ups. We do not sell physical SIM cards, we do not sell hardware, we do not sell voice or SMS bundles separately from data, and we do not currently offer subscription, recurring or auto-renewing billing of any kind (see Section 13 below). Each order is a single, one-off card-not-present (CNP) e-commerce transaction completed entirely over the public internet.

2. Merchant Identity & Statement Descriptor

The merchant of record (MoR) for every Skybyte transaction is Banxs Technologies EOOD. This means Banxs Technologies EOOD — and not any upstream connectivity supplier, payment processor or platform — is the legal seller, the issuer of the VAT invoice, the controller of customer data for billing purposes and the entity contractually liable to you under EU consumer law. The full legal coordinates are:

  • Legal name: Banxs Technologies EOOD
  • Trading name (DBA): Skybyte
  • Registered office: Blvd. Alexander Malinov 31, Sofia 1000, Bulgaria
  • Companies Register entry (Trade Register & Register of NPLEs at the Bulgarian Registry Agency): EIK 206285017
  • VAT number: BG206285017 (registered in Bulgaria; OSS-registered for cross-border EU B2C supplies of telecommunications services)
  • Customer contact: contact@banxs.com

When you complete a purchase, the charge appears on your card or bank statement under the descriptor:

SKYBYTE BANXS BG

Issuers may abbreviate, truncate or recapitalise this descriptor depending on local conventions and the available descriptor length (typically 22 characters for Visa and Mastercard); common legitimate variations include "SKYBYTE BANXS BG", "SKYBYTE*BANXS", "SKYBYTE BANXS SOFIA" and "PAYNOVUS*SKYBYTE BANXS". A telephone contact (+359 customer service line) and the URL banxs.com may also appear depending on issuer rendering. If a charge appears on your statement that you do not recognise, please contact us at contact@banxs.com with the last four digits of the card and the exact descriptor before opening a chargeback — in the vast majority of cases we can identify the order, send a copy of the receipt and resolve the query within one business day, which is faster and cheaper for everyone than a formal scheme dispute.

We make commercially reasonable efforts to keep the descriptor stable. Any change to the descriptor is recorded in our internal merchant configuration log; if the change materially affects how easily a cardholder can recognise the charge we will update this page within thirty (30) days.

3. Payment Service Provider & Acquiring Bank

Skybyte does not connect directly to the card networks. All card and wallet transactions are routed through an authorised payment service provider (PSP) acting as our acquiring partner.

Our PSP is PayNovus (operated by the licensed payment institution that holds the corresponding acquiring authorisation in the European Economic Area; license reference [OPERATOR DECISION — insert PayNovus EU acquirer license number / FCA or BNB authorisation number once supplied by the PSP]). PayNovus is responsible for the technical card-acceptance environment, the tokenization of card credentials, the routing of authorisation messages to the issuing bank via the relevant network (VisaNet, Mastercard's Banknet, etc.), 3-D Secure 2 challenge orchestration, settlement of funds into our merchant account, and the day-to-day handling of disputes and retrieval requests.

PayNovus is a PCI DSS Level 1 service provider; its current Attestation of Compliance (AoC) is on file with us and is available on request to acquirers, networks or qualified counsel. The acquirer-of-record on the merchant agreement (the regulated credit institution that holds the merchant funds and settles into our IBAN) is [OPERATOR DECISION — insert acquiring bank name (e.g. "Banking Circle", "Worldline Acquiring NV") once confirmed by PayNovus onboarding].

Banxs Technologies EOOD itself is not a payment institution and does not provide regulated payment services within the meaning of the Bulgarian ZPUPS or PSD2. We are a merchant; we accept payment for our own goods and services and pay our own PSP for processing those payments. We do not hold funds for any third party, we do not provide payment-account services, we do not execute payment transactions on behalf of others, and we are therefore outside the supervisory perimeter of the Bulgarian National Bank as a payment service provider. We remain subject to general consumer-protection oversight by the Bulgarian Commission for Consumer Protection (Komisiya za zashtita na potrebitelite, KZP) and, in respect of any aspects that may fall within the perimeter of the Bulgarian Financial Supervision Commission (Komisiya za finansov nadzor, FSC), [OPERATOR DECISION — confirm scope of FSC oversight, if any, with Bulgarian counsel before publication].

4. Pre-Checkout Disclosures

Before you click the "Pay" button on the checkout page Skybyte surfaces, in a single human-readable block immediately above that button, the seven items of pre-contractual information required by Visa Core Rule 4.27 ("Disclosure of Transaction Information") and the equivalent transparency obligations of Mastercard Rule 5.11.2, Article 246 of the Bulgarian Law for the Protection of Consumers (ZZP) transposing Article 6(1) of the Consumer Rights Directive 2011/83/EU, and Article 19 of the EU Distance Selling Directive on the use of payment surcharges. The seven items are:

  1. Identity of the merchant: "Banxs Technologies EOOD trading as Skybyte" appears in the order summary header.
  2. Description of goods or services: the plan name, destination country / regional zone, data allowance in megabytes or gigabytes, validity period in days, and a plain- language reminder that the product is a digital eSIM data plan delivered electronically.
  3. Total price including all taxes: the price you will be charged is rendered in your selected presentment currency, with VAT broken out separately when applicable (see Section 5), and the total is the same number that appears on the Pay button itself.
  4. Currency of the transaction: the three-letter ISO 4217 currency code (EUR, USD, GBP) is shown next to the amount.
  5. Statement descriptor preview: a literal "Charge appears as: SKYBYTE BANXS BG" line is rendered above the Pay button, so you can recognise the charge later.
  6. Refund and cancellation rights: a one-line disclosure linking to the full Refund Policy, including the explicit statement that, by activating the eSIM before expiry of the 14-day cooling-off period under Article 16(m) of the Consumer Rights Directive, you waive your right of withdrawal in respect of that activated eSIM.
  7. Acceptance of terms: a mandatory checkbox confirming that you have read and accepted the Terms of Service, the Refund Policy and these Payment Disclosures. The Pay button remains disabled until this checkbox is ticked.

Additionally, where supported card networks include surcharging provisions that we elect not to use, Skybyte applies no checkout surcharge on any payment method; the price displayed at the top of the order summary is the price that is authorised on your card. We do not add booking fees, technology fees, processing fees or convenience fees of any kind. Where local law (notably Article 19(1) of the Bulgarian ZPUPS, transposing Article 62(4) of PSD2) prohibits surcharging on consumer cards, that prohibition is honoured unconditionally and globally, not only for EU-issued cards.

5. Currencies, Conversion & Pricing

Skybyte denominates its retail prices natively in three currencies: euro (EUR), United States dollar (USD) and pound sterling (GBP). The presentment currency you see at checkout defaults to a sensible value derived from your IP geolocation and browser locale, but can be changed manually using the currency switcher in the site header at any point before you click Pay. The chosen presentment currency is the currency that is sent to the card network in the authorisation request and the currency that ultimately appears on your statement.

Because each currency has its own native price (rather than a dynamically converted EUR figure), Skybyte does not perform dynamic currency conversion (DCC) within the meaning of Visa Core Rule 5.7.5 or Mastercard Rule 3.12. We do not offer DCC, we do not present "we'll bill you in your home currency" options at checkout, and the rate spread, fees and disclosures mandated for DCC merchants therefore do not apply. If your card's billing currency differs from the presentment currency you select (for example, you choose to pay in EUR with a card issued in USD), your card issuer — not Skybyte and not our PSP — will perform the foreign-exchange conversion at the rate and spread published in your cardholder agreement. Any FX margin retained by your issuer is outside our control and is not refundable through us; you should direct queries about FX spreads to your issuing bank.

Internal accounting is performed exclusively in EUR; the EUR equivalent of every transaction is recorded for VAT, settlement and reconciliation purposes. The retail price in non-EUR currencies is recalculated periodically against the European Central Bank reference rate plus a small operational buffer, to absorb intra-day FX volatility; price points are stable for the duration of any single checkout session and never increase between the time you load the checkout page and the time you submit payment.

VAT, where applicable, is calculated at the rate of the customer's place of consumption in accordance with Article 58 of Council Directive 2006/112/EC for B2C supplies of telecommunications services and is broken out as a separate line on the order summary, the receipt and the VAT invoice. Where you provide a valid EU VAT identification number that we successfully verify against the European Commission VIES system at checkout, the supply is treated as a B2B reverse- charge supply under Article 196 of the same Directive and VAT is removed; in that case the invoice carries the legend "Reverse charge — Article 196 of Directive 2006/112/EC".

6. Authorisation, Capture & Settlement

Skybyte uses an "authorise-and-capture" model. When you click Pay, our PSP submits an authorisation request to your issuing bank for the full transaction amount; if the issuer approves, the authorisation places a hold on the corresponding amount of your available credit or balance but does not yet move funds. Capture — the instruction that converts the authorisation into an actual debit — is submitted automatically and immediately upon the PSP returning a successful authorisation, because the eSIM is provisioned and delivered within seconds of payment and the order is therefore complete at the point of authorisation. In practice, the time between authorisation and capture is typically under one second; you will not see a long-running pending hold on your account.

If, for any reason, provisioning of the eSIM fails after capture (for example, because the upstream provisioning API of eSIM Go or Maya Mobile is temporarily unavailable, or because a unique ICCID could not be assigned within the SLA window), Skybyte does not retain the captured funds. The order is marked as failed, an automatic full refund is initiated to the original card within one (1) business day, and you are notified by e-mail. This procedure is described in greater detail in our Refund Policy §6 (Provisioning Failure).

Authorisation reversals (where an authorisation is voided before capture, releasing the hold) are submitted by our PSP within seconds in the small minority of cases where capture cannot proceed (for example, failed sanctions screening — see Section 15 below). The visibility of an authorisation reversal on your statement is controlled by your issuing bank; most modern issuers update real-time, but some may take 1–7 business days to release the hold. We have no ability to accelerate that release.

Settlement of net merchant proceeds (the captured amount minus the PSP's interchange-plus pricing and applicable scheme fees) to the Banxs Technologies EOOD merchant account occurs on the settlement schedule agreed with PayNovus, typically T+2 to T+5 calendar days. The exact settlement schedule does not affect you as a cardholder and is provided here only for completeness.

7. Apple Pay, Google Pay & Tokenized Wallets

Skybyte accepts Apple Pay and Google Pay alongside direct card entry. Both wallet methods rely on EMVCo network tokenization (Visa Token Service / Mastercard Digital Enablement Service), meaning that the funding card's primary account number (PAN) is replaced at provisioning time by a network-issued device-bound token. The token is presented to our PSP at checkout instead of the underlying PAN; Skybyte and PayNovus therefore never see the funding PAN when you pay with Apple Pay or Google Pay.

Wallet transactions are still subject to the same statement descriptor, the same authorisation-and-capture flow, the same VAT treatment, and the same refund mechanics described elsewhere on this page; the only material difference is that they are by default treated as 3-D Secure 2 frictionless authenticated transactions with full liability shift to the issuer (see Section 14 below), because biometric authentication on the device satisfies the SCA requirement under PSD2.

Skybyte does not store wallet tokens on its own infrastructure for re-use. Each wallet payment is one-off; if you wish to place a second order with the same wallet you must re-confirm the payment in the wallet sheet. We do not offer "save card for next time" functionality at this time. See Section 13 for our position on stored credentials and recurring billing.

8. Receipts, Invoices & VAT Documentation

Immediately upon successful payment, Skybyte issues two documents:

  1. An order confirmation receipt (HTML e-mail to the address you provided at checkout, plus a copy in the Account → Orders area) containing the order ID, the eSIM activation instructions, the merchant identity, the line-item description, the price breakdown including VAT, the total charged, the presentment currency and a link to your invoice.
  2. A VAT-compliant invoice (PDF) issued under a sequential invoice number reserved through thereserve_invoice_number database function and stored in the private invoices bucket. The invoice complies with the requirements of Article 226 of Council Directive 2006/112/EC (the Bulgarian transposition of which is found in Articles 113–115 of ZDDS): full merchant and (where supplied) customer details, sequential number, issue date, supply date, full description of services, taxable amount per VAT rate, applicable rate, total VAT amount and grand total. Where the customer is a verified EU business (reverse charge) the invoice carries the legend specified in Section 5.

You may at any time request an additional copy, a corrective credit note (where a refund has been issued) or a re-issuance to a corrected billing name or VAT number by writing to contact@banxs.com from the address used at checkout. Corrections are issued under Bulgarian ZDDS Article 116 procedures within 14 days of a well-formed request.

Invoices and underlying transactional records are retained for ten (10) years from the end of the calendar year in which the transaction took place, in line with the retention obligation imposed on VAT-registered persons by Article 38(1) of the Bulgarian Tax-Insurance Procedural Code (DOPK) and aligned with the equivalent obligation in Article 247 of the EU VAT Directive.

9. Refund Mechanics & Timing

Where a refund is owed under our Refund Policy, Skybyte issues the refund through the same payment channel used for the original transaction. For card payments this means a refund instruction is sent through PayNovus to the relevant card network and from there to your issuing bank, where it is credited back to the same card. We do not issue cash, bank transfer or alternative-instrument refunds on card transactions except where the original card has been closed or expired and the issuer has explicitly returned the refund as undeliverable; in that narrow scenario we will contact you to arrange an alternative settlement method.

Internal refund processing — the time between Skybyte (or our support team) approving the refund and PayNovus releasing the refund instruction to the network — is normally completed within one (1) business day, and never exceeds five (5) business days. Once released, the time taken for the refund to appear on your statement is governed by your issuing bank; typical issuer posting times range from instant (in jurisdictions with push-to-card refunds enabled) to up to ten (10) business days for legacy issuers in some markets. Skybyte has no control over this final issuer leg and cannot accelerate it.

Partial refunds (for example, where a Top-Up was unused at the time of the eligible refund event — see Refund Policy §7) are processed using the same channel and follow the same timing. The original authorisation reference is preserved across the refund chain so your issuer can match the credit to the original debit on your statement.

Refunds are made in the original transaction currency at the original transaction amount; Skybyte does not retain any portion of the original FX margin charged by your issuing bank (because we never received it), and FX differentials between the date of charge and the date of refund are not absorbed by Skybyte. See Refund Policy §11 for the full FX position.

10. Card Data Handling & PCI DSS Scope

Skybyte's PCI DSS scope is intentionally minimal. The Skybyte checkout page never receives, stores, processes or transmits full card primary account numbers (PANs), card verification values (CVV / CVV2 / CVC2 / CID) or sensitive authentication data on its own infrastructure. Card data entry is handled exclusively through PayNovus's hosted payment fields, which are loaded into the checkout page as cross-origin iframes served directly from PayNovus's PCI DSS Level 1-certified environment.

For this reason Skybyte qualifies as a Self-Assessment Questionnaire A (SAQ A) merchant under the PCI DSS v4.0 framework: a card-not-present e-commerce merchant that has fully outsourced all cardholder data functions to a PCI DSS validated third-party service provider, where the merchant's own website does not itself receive cardholder data, but does control the redirection or iframe loading of payment pages from the provider. Skybyte completes a current SAQ A annually and the most recent attestation date is [OPERATOR DECISION — insert date of most recent SAQ A attestation once first attestation completed; pre-launch status: not yet first-attested]. The completed SAQ A is available on request to qualified parties.

What Skybyte does store about a payment, in addition to standard order metadata, is limited to:

  • the PSP's transaction identifier (provider_transaction_id);
  • the PSP-issued payment intent ID (provider_intent_id);
  • the network authorisation code (paynovus_auth_code);
  • the PSP-issued non-reversible card token (paynovus_card_token), which is a reference handle that lets us issue refunds and answer disputes but cannot itself be used to make a fresh purchase, cannot be reverse-engineered into a PAN, and is bound to PayNovus's environment;
  • the 3-D Secure 2 outcome status (three_ds_status);
  • the customer-supplied billing email and country, and the IP address from which the order was placed (for fraud and tax-place-of-consumption purposes).

We never store, log or print the PAN, the CVV/CVC, the magnetic stripe data, the chip / EMV data, the PIN, or any other element of sensitive authentication data within the meaning of PCI DSS Requirement 3.2. Internal logs are scrubbed by the safeAuditMeta helper before being written to the audit log, which strips any field whose name matches a banned-keyword regular expression covering "card", "pan", "cvv", "cvc", "secret", "password" or "token", and truncates oversized string values.

All traffic between your browser, our origin and PayNovus is carried over TLS 1.2 or TLS 1.3 with modern cipher suites and HSTS preload. The Content-Security-Policy header delivered by Skybyte's origin restricts the origins permitted to load script and frame content; any change that would materially expand the trust surface (for example, adding a new payment iframe origin) is treated as a PCI-relevant change-management event.

11. Fraud Prevention & Velocity Controls

Skybyte deploys a layered fraud-prevention stack designed to minimise both fraud-loss to genuine cardholders and friction to legitimate buyers. Layers include:

  • 3-D Secure 2: every card transaction is submitted with full 3DS2 device and contextual data so that the issuer can either silently authenticate (frictionless flow) or step the customer up to a challenge (challenge flow). Successful 3DS2 produces a liability shift to the issuer for fraud-related chargebacks (see Section 14).
  • Address verification: billing country (used for VAT) is cross-checked against the IP geolocation of the transacting device; sustained mismatches feed into the risk score.
  • Velocity controls: a token-bucket rate limiter caps orders per IP, per email and per card token within rolling time windows, blocking obvious card-testing and BIN-attack patterns.
  • Device fingerprinting: a non-invasive device fingerprint (no fingerprinting cookie persisted to third parties) is computed at checkout and recorded against the order to detect cross-customer card abuse.
  • Issuer-side risk signals: we honour issuer decisions to decline, soft-decline (insufficient funds, do not honour) or step-up; we do not retry hard declines.
  • Manual review queue: orders that score above a defined risk threshold are routed to a manual review queue staffed by Skybyte support and held for up to 30 minutes before either capture or void; the customer is notified by e-mail and may contact us at any time during that window.

Fraud-prevention decisions, including any decision to refuse a transaction or to retain an authorisation hold pending review, do not reflect any judgement about the cardholder personally. They are taken by reference to the risk profile of the transaction in aggregate. If you believe a legitimate purchase has been declined or held in error, please contact contact@banxs.com and we will review promptly.

12. Disputes, Chargebacks & Reason Codes

A "chargeback" is a card-network-mediated dispute initiated by the cardholder via their issuing bank against a previously settled transaction. Cardholders have an unconditional right to raise chargebacks within the time windows specified by the relevant network rules (typically 120 days from the transaction date for Visa and Mastercard consumer disputes; shorter or longer in specific reason-code categories), and Skybyte never asks customers to waive that right.

That said, chargebacks are an expensive and slow mechanism for all parties — the cardholder, the issuer, the network, the acquirer and the merchant — and in nearly every case where a cardholder has a genuine grievance, an e-mail to contact@banxs.com with the order number will resolve the matter faster, with a refund where due. We commit to acknowledging refund or billing inquiries within one (1) business day and to providing a substantive response within five (5) business days, which is materially shorter than typical chargeback adjudication timelines.

When a chargeback is opened, Skybyte (through PayNovus) will either accept it (if the dispute appears well-founded, no defence is available, or the cost of defence exceeds the disputed amount) or defend it by submitting compelling evidence within the network-mandated representment window. The reason codes most relevant to a digital eSIM merchant such as Skybyte, and our typical defence posture for each, are summarised below for transparency. The same reason-code mapping is referenced in our Refund Policy §8 (Chargeback Procedure) to keep this and that document mutually consistent.

  • Visa 10.4 / Mastercard 4837 — fraud, card-absent environment: defended where 3DS2 produced a successful liability shift to the issuer; otherwise generally accepted.
  • Visa 13.1 / Mastercard 4853 — services not provided / merchandise not received: defended with the full activation audit trail showing successful eSIM provisioning, the recorded esim_activation_consent audit-log entry where the customer activated the eSIM, and the QR / manual install fields delivered to the customer's e-mail.
  • Visa 13.3 / Mastercard 4853 — not as described / defective merchandise: assessed case-by-case; where the eSIM functionally underperformed against published specifications a refund is issued under the statutory conformity rights described in Refund Policy §6 without the need for a chargeback.
  • Visa 13.6 / Mastercard 4860 — credit not processed: defended only if a refund was already issued or the original transaction was not refund-eligible under our policy; otherwise refunded immediately.
  • Visa 13.7 / Mastercard 4855 — cancelled merchandise / services: assessed against the activation status of the eSIM and the Article 16(m) consent record.
  • Visa 12.x / Mastercard 4834 — processing errors, duplicate processing: if substantiated, refunded without dispute; we apply idempotency keys at order creation precisely to prevent duplicate captures.

Chargebacks generate scheme-level fees and contribute to the merchant's chargeback ratio, which is monitored by the networks under their respective excessive-chargeback programmes (Visa Dispute Monitoring Program, Mastercard Excessive Chargeback Programme). Skybyte targets a chargeback ratio comfortably under the network thresholds and reviews each chargeback for product, process or messaging improvements.

13. Recurring & Subscription Billing

Skybyte does not currently offer recurring, subscription, auto-renewal or "stored credential" billing of any kind. Every Skybyte transaction is a discrete, customer-initiated, one-off purchase. There is no monthly subscription, no annual plan, no auto-top-up, no card-on-file feature, no free trial that converts to paid, and no situation in which Skybyte will charge your card without an interactive checkout session initiated by you in real time.

This means none of the recurring-transaction obligations imposed on merchants by Visa Core Rule 5.4 (Stored Credential Framework), Mastercard Rule 5.6 (Recurring Payments) or Article 4(20) of PSD2 (subsequent recurring transactions following an initial mandate) apply to Skybyte's current product offering. We do not, for example, send pre-billing notification emails, because there is no scheduled bill to notify about; we do not maintain a customer "card vault", because we do not store cards for reuse; and we do not reconcile a "merchant initiated transaction" (MIT) flag on authorisation messages.

Should Skybyte introduce a subscription or recurring product in the future (for example, a monthly multi-country roaming plan), this Section 13 will be updated to set out: the consent and mandate flow, the pre-billing notification schedule, the cancellation channels, the retry strategy on failed renewals, the SCA exemption framework, and the credential-on-file storage location. Until that update is made, the absolute statement at the top of this section stands.

14. Strong Customer Authentication (SCA / 3-D Secure 2)

Where the issuing bank, the card network or the local regulator requires Strong Customer Authentication under Article 97 of PSD2 and the related Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389), Skybyte performs SCA via 3-D Secure 2 (3DS2). 3DS2 is the EMVCo successor to the original 3-D Secure protocol and is the only protocol Skybyte supports.

The 3DS2 flow has two outcomes:

  • Frictionless authentication: the issuer evaluates the rich device and contextual data submitted in the authentication request and decides that no further cardholder interaction is required. The transaction proceeds straight to authorisation. The SCA requirement is satisfied silently.
  • Challenge authentication: the issuer requires explicit cardholder action — typically a one-time password sent to your registered phone number, biometric confirmation in the issuer's mobile app, or an in-app push notification. Skybyte renders the issuer's challenge inside a modal on the checkout page; the challenge content is served by the issuer itself (Skybyte never sees your OTP, password or biometric). Once the issuer signals the challenge has been completed (success or failure), the modal closes and the transaction either proceeds to authorisation or is reported back as failed with reason 3ds_failed.

Where 3DS2 produces a fully authenticated transaction, the liability for fraudulent-use chargebacks shifts from Skybyte to the issuing bank under the network rules and Article 74 of PSD2. Where the cardholder or issuer is unable to complete the challenge — for example, because the registered phone number is out of range — Skybyte cannot complete the purchase. In that event the authorisation is voided and no charge is taken; you may retry with a different card or contact your issuer to update authentication settings.

Skybyte does not apply low-value (Article 16 RTS) or trusted- beneficiary (Article 13 RTS) exemptions to bypass SCA on consumer transactions; the small payment-friction reduction is not material to a typical eSIM purchase price and the marginal risk increase is not justified.

15. Sanctions Screening & Blocked Jurisdictions

Skybyte screens every transaction against the consolidated sanctions lists published by the European Union (Council Regulations issued under Article 215 TFEU), the United Nations Security Council, the United States Office of Foreign Assets Control (OFAC), the United Kingdom HM Treasury Office of Financial Sanctions Implementation (OFSI), and the Bulgarian national list maintained by the Ministry of Finance.

Screening is performed at three points: (i) on the customer email and IP address at order creation; (ii) on the billing country at the VAT-calculation step; and (iii) on the BIN country and the cardholder name as returned by the authorisation response. A transaction that produces a confirmed sanctions hit is automatically declined; any authorisation already obtained is voided, no charge is captured, and the transaction is logged for compliance review. Affected customers receive a generic decline message; we do not disclose sanctions-screening logic in real time so as not to facilitate evasion, but we will respond to well-formed legal inquiries through the channels described in Section 17.

A small number of countries are unconditionally not eligible to purchase Skybyte services, regardless of customer identity, because the eSIM provisioning ecosystem itself is restricted there or because export-control law prohibits us from transacting. The current excluded-country list is published and maintained on our Acceptable Use Policy.

16. Card Data Incident Notification

In the event of a confirmed compromise of cardholder data, Skybyte and PayNovus jointly follow the incident-response obligations of PCI DSS Requirement 12.10 and the personal-data breach notification obligations of Articles 33 and 34 of the GDPR (Regulation (EU) 2016/679). Specifically:

  • within 72 hours of becoming aware of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, Skybyte notifies the Bulgarian Commission for Personal Data Protection (CPDP) under Article 33(1) GDPR;
  • where the breach is likely to result in a high risk to those rights and freedoms, Skybyte communicates the breach to affected data subjects without undue delay under Article 34 GDPR, including the categories of data affected, the likely consequences, the measures taken or proposed, and the contact point for further information;
  • PayNovus notifies the relevant card networks under the Visa Account Information Security (AIS) and Mastercard Account Data Compromise (ADC) programmes;
  • forensic investigation is conducted by a PCI Forensic Investigator (PFI) approved by the relevant networks, evidence is preserved, and remediation is tracked through closure with the acquirer and networks.

Skybyte has not, at the date of this page, suffered any notifiable cardholder-data incident.

17. Complaints & Contact

Questions or complaints about any aspect of payment processing described in this page should be sent to contact@banxs.com with the subject line "Payment disclosures" and the order ID where applicable. We acknowledge such inquiries within one (1) business day and respond substantively within five (5) business days.

If you are not satisfied with our response, you may escalate to:

  • the Bulgarian Commission for Consumer Protection (KZP), 1 "Vrabcha" St., 1000 Sofia, Bulgaria, kzp.bg;
  • the European Commission's Online Dispute Resolution platform at ec.europa.eu/consumers/odr, available to consumers resident in the EU;
  • your card issuer, who may be able to raise a chargeback under the relevant network rules (Section 12);
  • the Bulgarian Commission for Personal Data Protection (CPDP), 2 "Prof. Tsvetan Lazarov" Blvd., 1592 Sofia, Bulgaria, for any complaint relating to the processing of your personal data in connection with payments.

This Payment Disclosures page is reviewed at least annually and on every material change to the merchant configuration, PSP relationship, descriptor, scheme rules or applicable law. The current version is dated at the top of the page.

Need a signed PDF copy? Email contact@banxs.com.