Compliance & Security Overview

We've built Hyp with security and compliance as foundational principles. As a PCI DSS Level 1 service provider, we help merchants reduce their compliance burden while ensuring robust protection of cardholder data.

Our security approach is designed to give you confidence in your payment processing while simplifying your compliance requirements. We maintain the highest industry certifications and follow best practices so you can focus on your business while we handle the complex security requirements.

PCI DSS Level 1 certification

We're audited annually by a Qualified Security Assessor (QSA) and certified as a PCI DSS Level 1 service provider — the highest level of compliance available in the payments industry. This certification covers our entire infrastructure, payment processing platform, tokenization services, and secure portal access.

What this means for you:

  • Annual certification renewal ensures we stay current with the latest standards

  • We maintain PCI DSS v4.1 compliance (the most current version)

  • Our PCI certification documentation is publicly available for your compliance needs

  • Attestation of Compliance documents are available upon request

Additional compliance standards

ISO 27001 for information security management

We maintain compliance with the ISO/IEC 27001 framework for information security management systems (ISMS). This covers both organizational and technical controls that protect your data and our infrastructure.

ISO 27701 for privacy information management

We also maintain ISO/IEC 27701 certification, which extends ISO 27001 with specific privacy management requirements. This demonstrates our commitment to protecting personal data and complying with privacy regulations like GDPR.

SOC 2 compliance

We're working toward SOC 2 certification to provide additional assurance about our security, availability, and confidentiality controls.

Additional compliance documentation: Our PCI certification is publicly available. For Attestation of Compliance documents and ISO 27001/SOC 2 artifacts, contact our team.

Our security approach

We protect your data through multiple layers of security controls across three main areas:

Each area has comprehensive protections designed to work together, ensuring your customers' data stays secure at every step.

Shared responsibility model

We've developed a comprehensive Shared Responsibility Matrix that clearly defines what Hyp handles and what we expect from merchants. This matrix helps you understand your security obligations based on your integration method.

Integration options for reduced PCI scope

We offer several integration methods designed to minimize your PCI compliance requirements:

  • Hyp-hosted payment pages - redirect or iframe integration

  • Tokenization - secure storage of payment methods

  • Server-to-server APIs - direct integration with full control

  • PCI-compliant POS terminals - for in-person payments

The method you choose determines your PCI compliance requirements. See the SAQ guide below to understand which approach is right for you.

Choosing your PCI compliance path

We help you achieve PCI compliance through secure integration methods. Your compliance requirements depend on how your systems interact with cardholder data:

Quick SAQ guide

SAQ A - Fully outsourced (easiest)

  • Use Hyp-hosted payment pages or iframes

  • Cardholder data never touches your systems

  • Minimal compliance requirements - mostly policy and vendor management

SAQ A-EP - E-commerce

  • You control the checkout page on which card data is collected, but Hyp handles the processing

  • Card data is captured in the customer's browser and sent to Hyp; it is not received or processed by your servers

  • Moderate compliance requirements - secure your web infrastructure

  • See Payment Page Security for implementation details

SAQ D - Direct integration (most control)

  • Your systems handle cardholder data directly

  • Full PCI compliance required - comprehensive security program needed

  • See Data Privacy and Network Security for requirements

Professional guidance recommended: You should always consult with a QSA (Qualified Security Assessor) for professional guidance before making final decisions about your PCI compliance approach. A QSA can provide expert assessment of your specific environment and requirements.

Determining your SAQ type

Work through these questions to find your compliance path:

  1. Do your systems store, process, or transmit cardholder data?

    • Yes → SAQ D

    • No → Continue to question 2

  2. Do you control the web page that collects cardholder data?

    • Yes → SAQ A-EP

    • No → SAQ A

Need help deciding? As part of the onboarding process, Hyp can help you determine which SAQ category applies to you. Consult your Hyp representative to learn more.

For more information about security implementation and best practices, see:

We're committed to helping you maintain a secure and compliant integration. If you have questions about compliance requirements or need help determining the right approach for your use case, our security team is here to help.
