Compliance as infrastructure

Compliance handled below your stack

topropay is a pure orchestration layer for high-volume merchants. We absorb PSD2, PCI DSS and 3DS2 into one API. You keep your acquirers and your approval rates. You carry far less of the audit.

  • L1 PCI DSS service-provider scope carried for you
  • PSD2 Strong customer authentication, built for PSD3
  • 3DS2 Frictionless and challenge flows on every route
  • EU Data handled under GDPR across member states

Every framework, one layer

The rules your payments must clear

EU payments span a thicket of regulation. We fold each rule set into the orchestration layer, so a single integration keeps you aligned across markets. For the buyer-facing summary see payment card industry PCI compliance; for card-flow scope see the credit card payment processor guide.

PSD2 / PSD3 · SCA

Strong customer authentication

We apply SCA exemptions where the rules allow them. Low-value and trusted-beneficiary flows skip a challenge. The rest route through 3DS2. You keep the lift on approval rates without breaking the law.

PCI DSS Level 2

Card data stays out of your servers

Card details are captured and vaulted inside our PCI-audited scope. Your systems see a token, never a PAN. That shrinks your own audit to the smallest SAQ tier we can support.

3DS2 · EMV

Authentication on every acquirer

One 3DS2 layer sits above all your routes. We request the right flow per transaction. Liability shifts to the issuer when the check passes. Cascading still recovers a soft decline behind it.

GDPR

Data handled inside the EU

Cardholder and transaction data is processed under GDPR. We hold a clear data-processing agreement. Retention is scoped to what payments and reconciliation truly need. Nothing is sold on.

KYC / AML

Onboarding and monitoring framework

Our framework supports merchant onboarding checks and ongoing transaction monitoring. Suspicious patterns are flagged for review. You stay aligned with acquirer and scheme rules across markets.

Reconciliation

An audit trail you can hand over

Every authorisation, retry, settlement and fee is logged in one ledger. Auditors get a clean, exportable record. Disputes get resolved against facts, not guesswork. One feed, every acquirer.

The orchestration boundary

We take the burden. You keep control.

There is no white-label lock-in here. The compliance weight moves to us. Your commercial relationships and your customer experience stay exactly where they are.

topropay absorbs

  • PCI DSS service-provider scope for captured card data
  • PSD2 SCA logic, exemptions and the 3DS2 request flow
  • Scheme and acquirer compliance rules per route
  • A single, exportable audit trail across acquirers

You retain

  • Your direct PSP and acquirer relationships
  • Your merchant-of-record status and pricing
  • Your checkout, brand and customer experience
  • Full control of routing policy in the dashboard

Onboarding

Into a compliant flow in three steps

  1. 01

    Scope review

    We map your current acquirers, card flows and audit obligations in one session. You see exactly which scope moves to us.

  2. 02

    Tokenised integration

    You point checkout at one API. Card data lands inside our PCI scope. No PAN ever touches your servers again.

  3. 03

    Go live with cover

    Routing, SCA and 3DS2 switch on together. You ship across EU markets with the compliance layer already in place.

Before you call

Questions a Head of Payments asks

Does topropay replace my acquirers?

No. We sit above them. You keep every PSP and acquirer relationship you already hold. We orchestrate the traffic and carry the compliance layer on top.

How much PCI scope can we hand over?

Card data is captured and vaulted in our audited scope. Your systems handle tokens only. Most merchants drop to a far smaller self-assessment as a result.

Will SCA hurt our approval rate?

Done well, it helps. We claim valid exemptions first and only challenge when needed. Cascading then recovers soft declines behind the authentication step.

Talk to our payments engineers

Ship across the EU with less to audit.

Book a discovery call. We map your acquirer setup, scope the compliance you can hand over, and model the approval-rate uplift from smart routing. One session, no rebuild.