Security Center

Security Is Our Foundation, Not an Afterthought

Every decision at Paymentgate — from database schema design to network architecture — is made security-first. We protect billions in annual payments across 180 countries with a zero-compromise posture.

94% Fraud Catch Rate
0.12% False Positives
5 Tbps DDoS Capacity
Zero Major Breaches
15 min P0 Response SLA
Compliance & Certifications

Independently Audited — Every Year

Every certification is third-party audited, not self-assessed. Compliance artefacts available to enterprise customers under NDA.

PCI DSS Level 1
Active · QSA Audited

Highest tier. Annual on-site QSA audit covers all six control categories: cardholder data environment, network security, vulnerability management, access control, monitoring, and policy.

Last audit: Jan 2026
SOC 2 Type II
Active · 6-Month Period

All five Trust Service Criteria tested over a continuous six-month period: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Available under NDA.

Last report: Oct 2025 – Mar 2026
ISO 27001:2022
Certified · TÜV Rheinland

ISMS certification issued by TÜV Rheinland. Annual surveillance audits with triennial full recertification. Covers risk management, asset management, access control, and incident response.

Certified since 2018 · Renewed Feb 2026
GDPR
Compliant · DPA Included

Full EU and UK GDPR compliance. We act as data processor for merchant customer data. Signed DPA included with all plans. EU data residency ensures data never leaves the EEA.

DPA: GDPR Article 28 compliant
Encryption

Encryption at Every Layer

Data is protected in transit, at rest, and in use — with no single point of key exposure anywhere in the stack.

TLS 1.3 in Transit
All API connections enforce TLS 1.3 minimum with HSTS preloading and certificate pinning. TLS 1.0 and 1.1 are permanently disabled across all endpoints.
AES-256-GCM at Rest
All cardholder data is encrypted at rest using AES-256-GCM. Encryption keys are managed by FIPS 140-2 Level 3 HSMs with automated 90-day rotation schedules.
Network Tokenisation
Raw PANs are replaced with network tokens at the point of ingestion. The real card number never touches merchant servers, dramatically reducing PCI scope to SAQ A.
HSM Key Hierarchy
FIPS 140-2 Level 3 Hardware Security Modules manage the master key hierarchy. Key material never exists in plaintext outside the HSM boundary at any point.
AI Fraud Detection Flow (diagram): device fingerprint, IP & geo signals and velocity history feed a feature aggregation stage of 200+ signals, which the transformer fraud model (sub-50ms, retrained daily, billions in training data) scores to a decision of AUTHORISE or BLOCK. End-to-end latency: < 50ms.
Fraud & Risk

ML-Powered Fraud Detection

Every transaction is scored before authorisation. Our transformer model processes 200+ signals in under 50ms — invisible to the customer.

200+
Risk Signals
Device fingerprint, IP reputation, velocity checks, behavioural biometrics, and card network signals combined.
<50ms
Scoring Latency
Sub-50ms p99 fraud score added to authorisation with zero perceptible checkout delay.
94%
Catch Rate
94% of fraudulent transactions blocked before network authorisation. Model retrained daily.
Shifted
Chargeback Liability
3DS2 step-up challenges on flagged transactions shift chargeback liability away from the merchant.
Infrastructure Security

Defence in Depth

Four independent security layers — each designed assuming all others have already been breached.

Network Layer

Outermost

Multi-provider DDoS scrubbing at 5 Tbps capacity. WAF with OWASP Top 10 rules. TLS 1.3 only with HSTS preloading. Certificate pinning on all API endpoints.

5 Tbps DDoS · WAF (OWASP) · TLS 1.3 Only · Certificate Pinning

Application Layer

API & Data

PANs tokenised at ingestion. AES-256-GCM at rest. HSM-managed key rotation every 90 days. Least-privilege IAM with hardware MFA enforced for all production access.

Tokenisation · AES-256-GCM · HSM Keys · Least-Privilege IAM

Transaction Layer

Intelligence

ML fraud scoring before any authorisation request. Velocity checks across card, email, and IP. Device fingerprinting. 3DS 2.2 step-up challenges on high-risk transactions.

ML Fraud Scoring · Velocity Checks · 3DS 2.2

Compliance Layer

Regulatory

Continuous AML monitoring. KYC/KYB at onboarding and periodically thereafter. Real-time sanctions screening against OFAC, EU, UN, and HMT lists.

AML Monitoring · KYC / KYB · Sanctions Screening
Pen Testing & SOC

Annual Penetration Testing & 24/7 SOC

CREST-certified independent security firms conduct full-scope penetration tests annually. Scope covers external perimeter, API layer, internal network segmentation, cloud configuration, and social engineering simulations.

Our Security Operations Centre runs 24/7. P0 incidents receive a guaranteed human response within 15 minutes. Affected merchants are notified within one hour of a confirmed incident. Full post-mortems are published publicly within five business days.

CREST Certified · Annual Scope · 24/7 SOC · 15-min P0 SLA

EU Data Residency

All cardholder data, transaction records, and audit logs remain within the EEA when EU residency is enabled. Data never transits to US or APAC infrastructure.

Stockholm — Primary
Main production region. All EU data originates and is processed here.
Frankfurt — Secondary
Synchronous replication for high availability. Active-active configuration.
Amsterdam — Failover
Asynchronous backup. Disaster recovery RTO under 4 hours.
GDPR Article 28 DPA
Signed Data Processing Agreement included with all plans at no extra cost.
Responsible Disclosure

Security Researchers Welcome

We operate a public bug bounty programme through HackerOne. All good-faith researchers are protected by our safe harbour policy — we never pursue legal action against researchers following responsible disclosure guidelines.

Rewards from €500 to €10,000 by severity
48-hour acknowledgement SLA
72-hour remediation commitment for Critical
Safe harbour for good-faith researchers
PGP-encrypted disclosure channel available
Report a Vulnerability
PGP key available on request. Response SLA: 48 hours.
Bounty Reward Tiers
Critical (CVSS ≥ 9.0) €5,000 – €10,000
High (CVSS 7.0–8.9) €1,500 – €5,000
Medium (CVSS 4.0–6.9) €500 – €1,500
Bug Bounty Programme
Public programme · Managed triage · Rewards on validation

Security FAQ

Common security questions from merchants and enterprise buyers.

No. Since our founding in Stockholm in 2014 we have not suffered a breach of cardholder data or merchant credentials. Our zero-breach record is maintained through network tokenisation (raw PANs never persist longer than necessary), HSM key management, continuous penetration testing, and a 24/7 SOC with a 15-minute P0 response SLA.

Yes. EU data residency is available on Growth and Enterprise plans. When enabled, all cardholder data, transaction records, and audit logs are confined to our Stockholm (primary), Frankfurt (secondary), and Amsterdam (failover) data centres. No data is ever replicated to US or APAC regions. A GDPR Article 28 DPA is provided automatically with all plans.

Yes. Our current SOC 2 Type II report is available under mutual NDA to enterprise customers, investors, and auditors. The ISO 27001:2022 certificate issued by TÜV Rheinland is available on request without NDA. Email [email protected] with your company name and intended use; we typically respond within two business days.

All production access requires hardware MFA. Access is granted on a least-privilege, need-to-know basis with automated quarterly access reviews. All privileged actions are logged to an immutable audit trail accessible only to the security team. No single engineer can access raw cardholder data unilaterally: all CDE access requires a dual-authorisation workflow.

Critical vulnerabilities (CVSS ≥ 9.0) are remediated within 24 hours of confirmed identification. High (CVSS 7.0–8.9) within 7 days. Medium (CVSS 4.0–6.9) within 30 days. Low within 90 days. All findings from our CREST-certified penetration tests are tracked in our vulnerability management system and verified closed by re-test.

Every webhook delivery includes a pg-signature header containing an HMAC-SHA256 computed over the raw request body using your webhook secret. Our SDKs provide a one-line verification method. A timestamp included in the signed value means deliveries older than 5 minutes are rejected, which prevents replayed webhooks from being accepted.
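The verification the FAQ describes, written here as an added example rather than Paymentgate's SDK code. The page does not specify the layout of the pg-signature value, so this assumes a constructed `t=<unix seconds>,v1=<hex hmac>` format with the HMAC-SHA256 taken over `<t>.<raw body>` so the timestamp is itself covered by the signature; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header layout (not given on the page): "t=<unix-seconds>,v1=<hex-hmac>",
# where the HMAC-SHA256 is computed over b"<t>.<raw body>" so a replayed body
# cannot simply be re-timestamped by an attacker who lacks the secret.
REPLAY_WINDOW_SECONDS = 300  # the FAQ's "older than 5 minutes" cut-off


def _signed_payload(timestamp: int, raw_body: bytes) -> bytes:
    return str(timestamp).encode() + b"." + raw_body


def sign_webhook(secret: bytes, raw_body: bytes, timestamp: int) -> str:
    """Produce a pg-signature value the way the assumed sender would."""
    digest = hmac.new(secret, _signed_payload(timestamp, raw_body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, raw_body: bytes, header: str, now: Optional[int] = None) -> bool:
    """True only if the HMAC matches the *raw* body and the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    fields = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: fail closed
    # Reject stale (or far-future) deliveries before any MAC computation.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = hmac.new(secret, _signed_payload(ts, raw_body), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak matching prefix length.
    return hmac.compare_digest(expected, received)


def check_cases() -> dict:
    """Constructed scenarios: one valid delivery and the failure modes a receiver must reject."""
    secret = b"whsec_constructed_example_secret"          # constructed, not a real secret
    body = b'{"id":"evt_123","type":"payment.succeeded"}'  # raw bytes exactly as received
    ts = 1_700_000_000
    header = sign_webhook(secret, body, ts)
    return {
        "valid": verify_webhook(secret, body, header, now=ts + 10),
        "stale_replay": verify_webhook(secret, body, header, now=ts + REPLAY_WINDOW_SECONDS + 1),
        "tampered_body": verify_webhook(secret, body.replace(b"succeeded", b"failed"), header, now=ts),
        # Re-serialised JSON (extra space) is a different byte string: verify over raw bytes only.
        "reserialised_body": verify_webhook(secret, body.replace(b",", b", "), header, now=ts),
        "malformed_header": verify_webhook(secret, body, "not-a-signature", now=ts),
    }
```

The reserialised case is the usual integration mistake: parsing the JSON and re-encoding it before hashing silently changes the bytes and every signature check fails.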

Security Documentation

Compliance artefacts for due diligence, vendor assessments, and enterprise procurement.

PCI AoC

Attestation of Compliance signed by our QSA. Required for formal vendor assessments and procurement in card-acceptance environments.

Current Year · QSA Signed

ISO 27001 Certificate

Current ISO/IEC 27001:2022 certificate issued by TÜV Rheinland. Covers the full scope of Paymentgate's payment processing and corporate IT systems.

ISO 27001:2022 · TÜV Rheinland

SOC 2 Type II Report

Full SOC 2 Type II report covering a six-month audit period. Available under mutual NDA to enterprise customers, investors, and auditors.

NDA Required · All 5 TSC

Download the Security Whitepaper

Detailed technical documentation covering our architecture, encryption design, and compliance controls — built for security teams and enterprise procurement workflows.
