Trust & compliance
Compliance posture for payments saas
One audited environment behind every SaaS sub-merchant. Inherited posture across PCI,
SCA, recurring-MIT, sanctions and data residency.
- PCI DSS Level 1
- Annual on-site assessment plus quarterly ASV scans; SaaS sub-merchants inherit the posture rather than carrying it themselves.
- SCA & PSD2
- Selective 3DS2 challenges on first authorisation; recurring renewals run on MIT exemptions where allowed by the scheme.
- Strong recurring posture
- Network tokens, scheme account updaters and MIT / CIT flagging on every recurring auth keep the cohort approval-rate stable across re-issuance cycles.
- Sanctions & AML alignment
- Sanctions screening on onboarding; AML monitoring tuned per SaaS merchant vertical and volume profile.
- Data residency
- Card data vaulted in the topropay PCI environment; per-tenant data residency available for EU / UK SaaS customers under contract.
- Licensed verticals only
- Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of SaaS framing.