- PCI DSS Level 1
- Annual on-site assessment plus quarterly ASV scans; sub-merchants inherit the posture. The hired developer doesn't build PCI infrastructure — they build against a PCI L1 vault.
- GDPR posture
- GDPR payment processing on the platform: personal data minimisation, data-subject-request handling, EEA data residency where required. The developer's integration inherits the wider GDPR posture.
- SCA & PSD2
- Selective 3DS2 on the authorisation path — PSD2-compliant in Europe without breaking conversion. Ships as an SDK behaviour, not merchant-side code.
- Sanctions & AML
- Sanctions screening at onboarding; AML monitoring tuned per merchant vertical. Not something the developer wires — it happens at the platform boundary.
- Licensed verticals only
- Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of who writes the integration code.