Data Privacy

As a PCI DSS Level 1 service provider, we are assessed annually against the full standard and take on most of the data-protection work so that your own PCI scope, and the self-assessment you must complete, stays as small as your integration allows. The responsibilities that remain with you depend on the integration method you choose and are set out below.

Data protection & minimization

We follow data minimization: we store only the cardholder data needed to process and reconcile transactions, and we delete data that is no longer needed. Transaction records are retained for 2 years to meet regulatory obligations; tokens remain valid for the life of your merchant relationship. Sensitive authentication data (CVV/CVC, PINs and PIN blocks, and full track data from the magnetic stripe or chip) is never stored after authorization, even in encrypted form: it is held in memory only for the duration of the authorization request and securely cleared afterwards.

Advanced encryption & security

Cardholder data is protected in layers: AES-256 encryption at rest, TLS 1.2 or later in transit, and format-preserving tokenization so that recurring and card-on-file payments never require you to hold the PAN. Wherever a PAN is displayed it is masked, with no more than the first six and last four digits visible, as PCI DSS permits; the stored PAN is protected by strong encryption, annual key rotation, and dual control over key-management operations.
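The masking and "never store sensitive authentication data" rules above are most often broken by accident, when a full PAN or a CVV lands in an application log or support ticket on the merchant side. The following is an added illustration, not code from this provider: it validates a candidate PAN with the Luhn check, masks it to the first six and last four digits that PCI DSS allows on displays, and scrubs PANs and `cvv=` fields out of free-text log lines before they are written. The card numbers used are the standard Visa and American Express test numbers and the log line is constructed for the example.

```python
import re

# A PAN is 12 to 19 digits; the regex also accepts space or dash separators as
# they appear in logs and forms.
_PAN_DIGITS = re.compile(r"^\d{12,19}$")
_PAN_IN_TEXT = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")
# Security-code fields (CVV/CVC/CID) must never be written anywhere at all.
_CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|csc|cid)\s*[=:]\s*\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands. Filters out
    order numbers and timestamps that merely look like long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display. PCI DSS permits at most the first six (BIN)
    and last four digits to be visible; anything more is a violation."""
    digits = re.sub(r"[ -]", "", pan)
    if not _PAN_DIGITS.match(digits) or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    if lead > 6 or trail > 4:
        raise ValueError("PCI DSS allows at most first 6 and last 4 digits")
    hidden = len(digits) - lead - trail
    return digits[:lead] + fill * hidden + digits[-trail:]


def scrub_log_line(line: str) -> str:
    """Replace any Luhn-valid PAN in a log line with its masked form and
    redact security-code fields entirely. Digit runs that fail Luhn are
    left alone so genuine identifiers survive."""
    def _mask_match(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    line = _PAN_IN_TEXT.sub(_mask_match, line)
    return _CVV_FIELD.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample line using the Visa test number; never a real card.
    sample = "auth ok card=4111 1111 1111 1111 cvv=123 amount=1999 order=20240101"
    print(scrub_log_line(sample))
    # auth ok card=411111******1111 cvv=[REDACTED] amount=1999 order=20240101
```

Run the scrubber as the last filter in your logging pipeline rather than at individual call sites; a single missed `print` of a request body is enough to pull your environment into SAQ D scope.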

Access control & monitoring

We implement identity management with unique user IDs, multifactor authentication, and role-based access control built on least privilege. Our Security Operations Center monitors our environment 24/7 through a SIEM platform, with real-time threat detection, automated alerting, and audit trails retained for the period our compliance obligations require.

Flexible integration options

We offer integration paths matched to the PCI DSS scope you are willing to carry: hosted payment pages (SAQ A), where card data is entered on pages we serve and never touches your systems; e-commerce integrations in which your checkout page is under your control but card data is sent directly from the customer's browser to us (SAQ A-EP); and full API integrations in which cardholder data passes through your own systems (SAQ D), for merchants requiring complete control. Each option comes with appropriate security measures and merchant support, but your self-assessment effort grows with each step, so choose the smallest scope your use case needs.

Compliance & data rights support

Beyond PCI DSS Level 1, we hold ISO 27001 and ISO 27701 (privacy information management system) certifications and comply with privacy regulations such as GDPR. A SOC 2 Type II report is in progress as an additional source of assurance. We provide automated tools for data subject rights requests, secure data access portals, and compliance documentation, including our Attestation of Compliance (AOC), which you can present to your own assessor or acquirer. Together, these measures support your regulatory obligations; they complement, rather than replace, your own assessment of the scope that remains in your environment.
