How do I integrate STC Pay hosted checkout in Saudi Arabia?

STC Pay hosted checkout requires a SAMA-licensed merchant account and supports both redirect-based and embedded-iframe flows. End-to-end integration takes 1–3 weeks depending on whether you go direct (you hold the licence) or via a licensed aggregator (HyperPay, PayTabs, Moyasar, Checkout.com SA). The flow is: create payment intent → redirect customer to STC Pay's hosted page → receive webhook callback with the verified result → write idempotent ledger entry keyed to your own order ID.

What's the difference between Mada and STC Pay?

Mada is Saudi Arabia's national debit-card network — every Saudi-issued bank card runs on it and Mada is mandatory for in-Kingdom card transactions. STC Pay is a SAMA-licensed digital wallet with 10M+ users that lets customers pay from a stored balance or linked card without re-entering card details. You should support both: Mada for full coverage, STC Pay for mobile-first conversion lift on returning customers.

Do I need a SAMA licence to accept Saudi payments?

Yes for direct integration with Mada, STC Pay, or local banks — you'd register as a Payment Service Provider under SAMA's framework. No if you integrate via a SAMA-licensed aggregator (HyperPay, Moyasar, PayTabs, Checkout.com SA) — the aggregator's licence covers your settlement and your PCI scope drops to SAQ A. For most merchants the aggregator route is the correct trade-off.

How long does Mada integration take in 2026?

Direct Mada integration (your own SAMA PSP registration plus 3-D Secure 2.0 implementation) is 3–6 weeks of engineering plus 4–8 weeks of compliance and certification. Via an aggregator it's 1–2 weeks total — you import the SDK, register the webhook, run sandbox tests, and you're live. The 3-D Secure 2.0 step is the same in both routes; SAMA's 2024 ruling makes it mandatory online.

Which payment aggregator is best for Saudi e-commerce in 2026?

Moyasar for clean APIs, well-documented SDKs and startups/SaaS. HyperPay for enterprise volume and full payment-method coverage in one contract. PayTabs if you need built-in fraud screening or you're cross-border within MENA. Checkout.com SA if you already run Checkout.com elsewhere and want a single global platform. There is no single right answer — pick on engineering ergonomics first, fees second.

How does Apple Pay integration work for Saudi merchants?

Apple Pay tokenises the underlying card (Mada, Visa, Mastercard) so the merchant never sees the PAN. You need a Saudi Apple Developer account, a merchant ID, a payment processing certificate, and domain verification for every domain that accepts Apple Pay. Most Saudi gateways (HyperPay, Moyasar, Checkout.com SA) expose Apple Pay as a one-line opt-in on their hosted checkout — they handle the certificate exchange and present the Apple Pay sheet on supported devices.

What is Tabby's integration model — direct or via gateway?

Tabby integrates directly: you sign up as a Tabby merchant, get API credentials, and call Tabby's checkout API to create a split-in-4 or pay-in-30 session for each cart. Tabby holds the BNPL licence so you do not need a SAMA permit. Settlement is T+3 to your bank. Aggregators (HyperPay etc.) can also offer Tabby as a tile on their hosted checkout — convenient if you want one webhook contract across all methods.

Are there ZATCA implications for payment gateway integration?

Yes — payment success must trigger a ZATCA Phase 2 cleared tax invoice. For B2B sales the invoice must be cleared through Fatoora *before* it's shared with the buyer; for B2C the simplified tax receipt must be reported within 24 hours. The cleanest architecture is to fire your ZATCA invoice generator from the payment-success webhook, store the clearance UUID alongside the order, and surface the QR code on the receipt the customer sees. ZATCA non-compliance penalties scale with revenue, so do not treat this as optional.

Mada, STC Pay, Apple Pay & Tabby Integration in Saudi Arabia — 2026 Developer Guide

Saudi Arabia's three must-support payment methods in 2026 are Mada (national debit, ~65% of in-Kingdom transactions), STC Pay (digital wallet, ~22% share, 10M+ users), and Apple Pay (growing fastest among iPhone users). Tabby and Tamara are essential for BNPL.

You have two integration paths:

1.Direct integration with each provider's API — lowest per-transaction fees, ~6 weeks of dev, and you carry SAMA Payment Service Provider obligations yourself.
2.Via a SAMA-licensed aggregator (HyperPay, PayTabs, Moyasar, Checkout.com SA) — 1–2 weeks of dev, slightly higher fees, and the aggregator's licence covers you.

STC Pay hosted checkout requires a SAMA-licensed merchant account and supports both redirect and embedded-iframe flows. Mada has required 3-D Secure 2.0 on every online transaction since SAMA's 2024 ruling. Apple Pay needs a Saudi Apple Developer account plus merchant verification on each domain that accepts it.

Below: a side-by-side gateway comparison, integration architecture we recommend, the SAMA / ZATCA / PCI rules you cannot skip, and an FAQ covering the questions Saudi developers actually search for.

The Saudi payment landscape in 2026

Mada: Saudi Arabia's national debit network, mandatory for all Saudi-issued cards. Over 30 million cards in circulation. Routed through SPAN; 3-D Secure 2.0 mandatory online.
STC Pay: Digital wallet with 10M+ users, instant P2P transfers and merchant payments. SAMA-licensed under the EMI framework.
Apple Pay: Widely adopted among iPhone users (~48% smartphone market share in KSA). Tokenises Mada and international cards.
Tabby: Regional BNPL leader, split-in-4 and pay-in-30 options. Settlement T+3.
Tamara: Saudi BNPL provider with strong Saudi merchant adoption, similar settlement terms.
International cards: Visa, Mastercard, Amex — increasingly used for online transactions; rarely the *only* method you'd offer.

Mada vs STC Pay vs Apple Pay vs Tabby — at a glance

Method	Type	Typical fee	Dev effort	SAMA licence needed	Settlement	Best for
Mada	Debit	0.5–1.0%	3–6 weeks direct	Yes (or via aggregator)	T+1	Everyone — required for in-Kingdom merchants
STC Pay	Wallet	1.0–1.5%	1–3 weeks	Yes (or via aggregator)	T+1	Mobile-first, lower AOV, returning customers
Apple Pay	Wallet (tokenised cards)	Same as underlying card	1–2 weeks	No extra	Same as underlying	iOS / Safari traffic, conversion lift
Tabby	BNPL split-in-4	5–7% on merchant	1–2 weeks	No (Tabby is licensed)	T+3	Fashion, electronics, AOV > SAR 200
Tamara	BNPL pay-later	5–7% on merchant	1–2 weeks	No (Tamara is licensed)	T+3	Same as Tabby; pair both for choice

Payment gateway options

HyperPay The largest payment aggregator in Saudi Arabia. Supports Mada, Visa, Mastercard, STC Pay, Apple Pay, Tabby and Tamara through one integration. Hosted checkout or REST API. Strong for enterprise volumes.

Moyasar Saudi-built gateway with the cleanest developer documentation in the market. Strong Mada integration, competitive fees, well-maintained client SDKs (PHP, Ruby, Node, Python). Good fit for SaaS and startups.

PayTabs Regional gateway covering KSA, UAE, Egypt, Oman. Built-in fraud screening (PayTabs Shield). Multi-currency.

Checkout.com Saudi Global gateway with a SAMA licence covering Saudi merchants. Best when you already use Checkout.com in another market and want one platform across MENA.

Integration architecture

We recommend a payment abstraction layer between your application and the gateway. The layer should:

Normalise the API interface across Mada, STC Pay, card, Apple Pay, and BNPL flows.
Verify webhooks (HMAC signature + replay window) and enforce idempotency on charge / refund.
Manage retry logic for transient gateway errors (network 5xx, lock contention).
Maintain a unified transaction log keyed by your own `order_id` for reconciliation against the gateway statement.
Simplify gateway migration — switching from HyperPay to Moyasar should be a config change, not a refactor.

SAMA, PCI and ZATCA — the rules you cannot skip

Payment processing in Saudi Arabia requires:

SAMA Payment Service Provider compliance — directly licensed, or covered by a licensed aggregator.
PCI DSS Level 1 for direct card data handling (most merchants outsource this to the gateway and stay at SAQ A).
3-D Secure 2.0 on every Mada online transaction.
ZATCA e-invoicing (Phase 2) integration — every B2B invoice and every B2C tax receipt must be cleared through the Fatoora platform.
VAT at 15% calculated and itemised on the receipt.
Anti-money laundering transaction monitoring and reporting.
Data residency — payment metadata for Saudi transactions stays in Kingdom or in an approved jurisdiction.

How Mantiqi can help

Mantiqi has built payment integrations for Saudi merchants handling high-volume transactions — from a SAR-only e-commerce checkout to multi-currency SaaS billing with ZATCA tax receipts. From gateway selection to PCI scope reduction to SAMA filings, we handle the technical implementation so you can focus on growing your business. Get in touch via the contact page to scope your integration.

Mada, STC Pay, Apple Pay & Tabby Integration in Saudi Arabia — 2026 Developer Guide

The Saudi payment landscape in 2026

Mada vs STC Pay vs Apple Pay vs Tabby — at a glance

Payment gateway options

HyperPay The largest payment aggregator in Saudi Arabia. Supports Mada, Visa, Mastercard, STC Pay, Apple Pay, Tabby and Tamara through one integration. Hosted checkout or REST API. Strong for enterprise volumes.

Moyasar Saudi-built gateway with the cleanest developer documentation in the market. Strong Mada integration, competitive fees, well-maintained client SDKs (PHP, Ruby, Node, Python). Good fit for SaaS and startups.

PayTabs Regional gateway covering KSA, UAE, Egypt, Oman. Built-in fraud screening (PayTabs Shield). Multi-currency.

Checkout.com Saudi Global gateway with a SAMA licence covering Saudi merchants. Best when you already use Checkout.com in another market and want one platform across MENA.

Integration architecture

SAMA, PCI and ZATCA — the rules you cannot skip

How Mantiqi can help

Frequently asked questions

Still have questions?

More Articles

Why Multi-Region Cloud Deployment Matters After the 2026 UAE Data Center Incidents

ZATCA Phase 2 E-Invoicing: Complete Implementation Guide for Saudi Businesses in 2026

Jeddah, Saudi Arabia