We built Qstar's app
Qstar App Facts
Client: Qstar — one of Sweden's largest fuel retailers, 325 stations, part of DCC plc
Delivery: UX, visual design, app architecture, iOS app, Android app
Project start: January 2024
Launch: 6 May 2026
Backend: CNS (shared DCC fuel platform)
Compliance: PCI DSS audit passed. ISO 27001 audt passed. WCAG pre-study. Ongoing accessibility testing. Swedish BankID login (IDP).
The app does the heavy lifting
Open the app. Refuel. Leave.
That's it. Everything complex — identity, payments, security, compliance — happens behind a single keep calm interface. The user never sees it. That was the job.
» Fueling at Qstar should be smooth, simple, and fast. «
— Ann-Sofi Karlsson,
Head of Business Development,
Qstar

As a Qstar club member, it cannot get easier. Onboarding in seconds. Identify with BankID, fuel up, and leave. Become a new member; identify with BankID, select Apple Pay or Google Pay and fuel up. The challenge: making it feel instant while the plumbing underneath stays secure.

The map is the app's natural starting point. Find the nearest station, see what's available, start fuelling. Behind the interface sits real-time station data, GPS verification, and a geofencing layer that authorises transactions only when you're physically present. A key view that ties the digital experience to the physical world.

Receipts retrieval as proof of a secure pipeline. A receipt appearing in the app is the visible tip of a deep stack: encrypted communication with the backend, PCI DSS-compliant payment processing, certificate pinning, app integrity attestation, and API contracts that leave no room for tampering. Every transaction is verified end-to-end before it reaches this screen.

Qstar's app is available on the App Store (iPhone & iPad) and Google Play (Android).
Qstar's App
VISIARC designed and developed Qstar's mobile app for iOS and Android, launched 6 May 2026. One team delivered the full scope: UX, visual design, architecture, and both apps. The project started in January 2024.
The starting position was favourable: a mature market where proven fuelling solutions had already been established. Qstar also has a clear market position and a long history. The challenge was delivering what Qstar stated outright — fuelling should be smooth, simple, and fast. The design process began by mapping every payment option and how each affected the transaction flow, searching for the minimum number of necessary interactions. Qstar club members paying by card in the app is the smoothest. One intraction more, Apple Pay and Google Pay are also very frictionless. Supporting credit card payments from customers who may have been regulars but always paid by Visa or Mastercard requires the most effort from the customer the first time, not least because of PCI DSS, the elevated security requirements that apply whenever card data is handled, even indirectly. A bonus: we were the first in Sweden to enable Google Pay for fuel payments.
At the pump: Speed you can feel (at rest)
Select a pump. Lift the handle. The pump starts. Fuel up. Receipt arrives. Every step feels instant.
Behind that speed: the app communicates with the backend, the backend authorises through the payment platform, the payment platform signals the terminal management system that controls the physical pump. Multiple authorisation steps, terminal handshakes, and state confirmations happen in sequence before fuel flows. The engineering challenge was not only making it work. It was making every step feel instant — fast enough that the user never notices they're waiting.
Payments: PCI Audit Passed
The app supports Qstar club loyalty payment cards, Visa, Mastercard, Apple Pay, and Google Pay. Authentication at the pump uses Face ID or Touch ID.
For the user it is seamless. For us it meant passing a PCI DSS and ISO 27001 audit, the international security standards for card data handling and cybersecurity. The audit covers architecture, code, and operational procedures. Not every app development team can show that credential.
Qstar's app was also the first fuel app in Sweden to launch with Google Pay.
GPS Verifcication
The app verifies via GPS that the user is at a Qstar station before authorising a transaction. A simple concept — but one that requires reliable implementation across weather conditions, devices, and edge cases without adding a single unnecessary step.
One team, Full delivery
VISIARC delivered the complete scope: UX analysis and flow design, visual design and brand application, system architecture, iOS app, and Android app. In parallel, with the same team throughout.
No handoffs between a UX agency, a design studio, and a development partner. One team, one shared understanding of what we were building, over 28 months.
« We were brought in from day one. That is rarer than you might expect, and it is the precondition for building a truly good app. Qstar gave us that trust and has been an outstanding client to work with, right through to launch. Clear priorities, decisive, and with a sharp picture of what they wanted to achieve. We are now looking ahead together. »
— Peter Lindgren,
CEO, VISIARC
The Partnerhsip
The project ran for over two years — and continues. That only works when both sides make decisions together, stand by them, and invest in the relationship beyond a single release.
We work alongside the CNS team — a sister company to Qstar within DCC — as best-of-breed partners in our respective domains. They own the backend platform; we own the app experience. Together, the stack is complete.
That said, the app trusts nothing. Certificate pinning, app integrity attestation, and response validation mean every answer from the backend is treated as potentially compromised until proven correct. That's not a lack of trust in our partners — it's how secure mobile apps are built. The architecture assumes breach at every boundary. The result: a system that stays secure even if any single layer is compromised.
What's next?
The app is live but the project continues. Further features, offers, and customer communication channels are planned. Qstar is running broad media campaigns during summer 2026.

Building a consumer app with secure payments on an existing platform?
We have done it. PCI DSS and ISO 27001 audit passed. One team from UX to the app stores. Get in touch.
