- PCI DSS Level 1 (card side)
- Sofort is bank-rail and therefore outside PCI scope; the wider platform posture covers card data on the merchant's other accepted methods.
- PSD2 SCA on bank side
- Strong customer authentication is handled by the buyer's bank during the Sofort redirect. The merchant inherits the compliance posture without integrating SCA themselves for the bank rail.
- AML & sanctions alignment
- Sanctions screening at onboarding; AML monitoring tuned per merchant vertical, volume and country mix — including the German market specifics.
- Klarna group connectivity
- Sofort connectivity is delivered through Klarna's licensed infrastructure; the merchant inherits the Klarna group's scheme-side compliance posture for the method.
- Audit-grade event log
- Every Sofort transaction's lifecycle is logged with timestamp, bank response code and actor identity for SOC / ISAE attestation evidence.
- Licensed verticals only
- Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of which method is used.