# Compliance & Security Overview

We've built Hyp with security and compliance as foundational principles. As a PCI DSS Level 1 service provider, we help merchants reduce their compliance burden while ensuring robust protection of cardholder data.

Our security approach is designed to give you confidence in your payment processing while simplifying your own compliance work. We maintain the certifications described below and follow industry best practices, so you can focus on your business while we operate the controls that protect cardholder data.

## PCI DSS Level 1 certification

We're assessed annually by a Qualified Security Assessor (QSA) and validated as a PCI DSS Level 1 service provider, the highest service provider validation level, which requires an on-site QSA assessment and a Report on Compliance rather than a self-assessment. This assessment covers our entire infrastructure, payment processing platform, tokenization services, and secure portal access.

**What this means for you:**

* Annual revalidation ensures we stay current with the latest version of the standard
* We maintain compliance with PCI DSS v4.0.1 (the current version of the standard)
* Our [PCI certification documentation](https://hyp.co.il/pci-certificates/) is publicly available for your compliance needs
* Our Attestation of Compliance (AOC), the document your own assessor will ask for as evidence of a compliant third party, is available upon request

## Additional compliance standards

### ISO 27001 for information security management

We maintain compliance with the ISO/IEC 27001 framework for information security management systems (ISMS). This covers both organizational and technical controls that protect your data and our infrastructure.

### ISO 27701 for privacy information management

We also maintain ISO/IEC 27701 certification, which extends ISO 27001 with a privacy information management system (PIMS). This demonstrates our commitment to protecting personal data and supports compliance with privacy regulations such as GDPR.

### SOC 2 compliance

We're working toward a SOC 2 attestation (an independent auditor's report rather than a certification) to provide additional assurance about our security, availability, and confidentiality controls.

{% hint style="info" %}
**Additional compliance documentation:** Our [PCI certification](https://hyp.co.il/pci-certificates/) is publicly available. For Attestation of Compliance documents, ISO 27001/27701 certificates and, once available, SOC 2 reports, [contact our team](mailto:cg-support@hyp.co.il).
{% endhint %}

## Our security approach

We protect your data through multiple layers of security controls across three main areas:

* [Data Privacy](https://developers.hyp.co.il/advanced-security-guidelines/data-privacy) - How we handle, encrypt, and protect cardholder data
* [Network Security](https://developers.hyp.co.il/advanced-security-guidelines/network-security-at-hyp) - Our network architecture, infrastructure protections, and [supported cipher suites](https://developers.hyp.co.il/network-security-at-hyp#supported-cipher-suites)
* [Payment Page Security](https://developers.hyp.co.il/advanced-security-guidelines/payment-page-security) - Browser-level protections and iframe security

The controls in each area are designed to work together so that your customers' data stays protected at every step.

## Shared responsibility model

We've developed a comprehensive Shared Responsibility Matrix that clearly defines what Hyp handles and what we expect from merchants. This matrix helps you understand your security obligations based on your integration method.

{% hint style="warning" %}
**Access to Shared Responsibility Matrix:** The Shared Responsibility Matrix is available upon request [from your Hyp representative](mailto:sales@hyp.co.il).
{% endhint %}

## Integration options for reduced PCI scope

We offer several integration methods designed to minimize your PCI compliance requirements:

* **Hyp-hosted payment pages** - redirect or iframe integration
* **Tokenization** - secure storage of payment methods
* **Server-to-server APIs** - direct integration with full control
* **PCI-compliant POS terminals** - for in-person payments

The method you choose determines your PCI compliance requirements. See the SAQ guide below to understand which approach is right for you.

## Choosing your PCI compliance path

We help you achieve PCI compliance through secure integration methods. Your compliance requirements depend on how your systems interact with cardholder data:

### Quick SAQ guide

**SAQ A - Fully outsourced (easiest)**

* Use Hyp-hosted payment pages (redirect) or Hyp-hosted iframes, so that every element of the page that collects card data is delivered by Hyp
* Cardholder data never reaches your servers
* **Minimal compliance requirements** - mostly policy and vendor management, although PCI DSS v4 added payment-page script and change-detection requirements (Requirements 6.4.3 and 11.6.1) that can apply even to SAQ A merchants; confirm the scope with your QSA

**SAQ A-EP - E-commerce**

* Your website delivers the checkout page or the form fields or script that collect card data, but the data is sent from the customer's browser directly to Hyp, which handles the processing
* Cardholder data passes only through the customer's browser and is never received, stored, or processed by your servers
* **Moderate compliance requirements** - secure the web infrastructure that serves the payment page, because a compromise of that page can redirect or skim card data
* See [Payment Page Security](https://developers.hyp.co.il/advanced-security-guidelines/payment-page-security) for implementation details

**SAQ D - Direct integration (most control)**

* Your systems receive, store, process, or transmit cardholder data, for example with a server-to-server API integration where the card number is posted to your backend before it is sent to Hyp
* **Full PCI compliance required** - a comprehensive security program covering all applicable PCI DSS requirements
* See [Data Privacy](https://developers.hyp.co.il/advanced-security-guidelines/data-privacy) and [Network Security](https://developers.hyp.co.il/advanced-security-guidelines/network-security-at-hyp) for requirements

{% hint style="info" %}
**Professional guidance recommended:** Always consult a QSA before making final decisions about your PCI compliance approach. The SAQ type is determined by how cardholder data actually flows through your environment, and a QSA can assess your specific environment and confirm which requirements apply.
{% endhint %}

### Determining your SAQ type

Work through these questions to find your compliance path:

1. **Do your servers receive, store, process, or transmit cardholder data (including a card number that is posted to your backend and forwarded to Hyp)?**
   * Yes → **SAQ D**
   * No → Continue to question 2
2. **Does your website deliver the form fields or script that collect cardholder data (for example, your own form that posts directly to Hyp from the browser)?**
   * Yes → **SAQ A-EP**
   * No, the collecting elements are delivered entirely by Hyp (redirect or iframe) → **SAQ A**

This flow covers e-commerce channels only. In-person POS terminals fall under other SAQ types (for example SAQ B, B-IP, or P2PE), and a merchant with more than one channel may need more than one SAQ, or SAQ D if the channels cannot be assessed separately.
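Question 1 is a question of fact, not intent: a misconfigured form or a verbose request logger can put card numbers on your servers even when the integration was meant to be SAQ A. A practical check before claiming SAQ A or A-EP is to scan your own web server and application logs for primary account numbers (PANs). The following is an added example written for this guide, not Hyp's code or part of any Hyp API; it extracts digit runs, filters them with the Luhn check to drop order numbers and timestamps, and reports only masked values so the scanner itself does not become a new store of cardholder data. The log lines are constructed for the example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
# Assumption: this is a coarse first pass; the Luhn check filters most false positives.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = ord(ch) - 48
        if i % 2 == parity:  # every second digit from the right, not counting the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return de-duplicated, Luhn-valid PANs (digits only) found in text."""
    found: list[str] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the scan report is not itself cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN in the log.

    Any hit means cardholder data reached this system, which rules out SAQ A
    and SAQ A-EP for that channel until the leak is fixed and the data purged.
    """
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample lines, assumed to come from a merchant web server's request log.
# Line 1 is what an SAQ A integration should look like (token only); lines 2 and 4
# show a card number reaching the merchant backend; line 3 is a false-positive candidate.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z POST /checkout body={"token":"tok_9f8e7d6c","amount":"120.00"}',
    '2024-05-01T10:00:05Z POST /checkout body={"cardNumber":"4111 1111 1111 1111","exp":"12/27"}',
    '2024-05-01T10:00:09Z GET /order/1234567890123 status=200',
    '2024-05-01T10:00:12Z POST /api/pay body={"pan":"378282246310005","cvv":"1234"}',
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: PAN detected {masked}")
```

The order number on line 3 is a 13-digit string that fails the Luhn check and is correctly ignored, while the two real test card numbers (one 16-digit Visa-format and one 15-digit Amex-format value) are reported. Run the same scan over log archives, crash dumps and database exports; a clean result does not prove the absence of cardholder data, but a single hit is enough to move the channel into SAQ D scope.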

{% hint style="info" %}
**Need help deciding?** As part of the onboarding process, Hyp can help you determine which SAQ category applies to you. [Consult your Hyp representative](mailto:sales@hyp.co.il) to learn more.
{% endhint %}

## Related documentation

For more information about security implementation and best practices, see:

* [Payment Page Security](https://developers.hyp.co.il/advanced-security-guidelines/payment-page-security)
* [Network Security at Hyp](https://developers.hyp.co.il/advanced-security-guidelines/network-security-at-hyp)
* [Data Privacy](https://developers.hyp.co.il/advanced-security-guidelines/data-privacy)

We're committed to helping you maintain a secure and compliant integration. If you have questions about compliance requirements or need help determining the right approach for your use case, our security team is here to help.
