Trust & Security

Compliance & Security

We maintain the highest standards of security and regulatory compliance to protect your business and your customers' data.

Last updated: April 5, 2026

PCI-DSS Level 1

Highest level of payment card industry compliance

SOC 2 Type II

Audited security, availability & confidentiality controls

ISO 27001

International information security management standard

GDPR

EU General Data Protection Regulation compliant

1. Overview

EPaySe is committed to maintaining the highest standards of security, privacy, and regulatory compliance. As a payment facilitator processing transactions across 173+ countries, we understand that trust is the foundation of every payment.

Our compliance program is designed to meet or exceed the requirements of international payment card industry standards, data protection regulations, and information security best practices. We undergo regular independent audits and continuously monitor our systems to ensure ongoing compliance.

2. PCI-DSS Level 1

EPaySe is certified as a PCI-DSS Level 1 Service Provider, the highest level of validation in the Payment Card Industry Data Security Standard. For service providers, Level 1 applies to organizations that store, process, or transmit more than 300,000 card transactions annually (the 6 million figure applies to merchants), and it requires a full Report on Compliance by an assessor rather than a self-assessment questionnaire.

What This Means

  • Annual on-site assessment by a Qualified Security Assessor (QSA)
  • Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
  • Annual penetration testing of all cardholder data environments
  • Continuous monitoring of all systems that store, process, or transmit cardholder data

Key Controls

  • Tokenization — Card numbers are tokenized at the point of entry and never stored in raw form
  • Encryption — All cardholder data is encrypted using AES-256 at rest and protected by TLS in transit (TLS 1.3 where the client supports it, TLS 1.2 with strong cipher suites as the minimum)
  • Network segmentation — Cardholder data environments are isolated from all other systems
  • Access control — Strict role-based access with multi-factor authentication for all administrative access
  • Audit logging — Comprehensive logging of all access to cardholder data, written to tamper-evident storage that administrators cannot silently alter

3. SOC 2 Type II

Our SOC 2 Type II report, issued by an independent CPA firm, covers the Security, Availability, and Confidentiality trust service criteria. Unlike Type I (point-in-time), Type II evaluates our controls over an extended audit period, demonstrating sustained operational effectiveness.

Trust Service Criteria

  • Security — Protection against unauthorized access through firewalls, intrusion detection, and multi-factor authentication
  • Availability — Our platform maintains 99.9% uptime SLA with redundant infrastructure across multiple regions
  • Confidentiality — Sensitive data is classified, encrypted, and access-controlled throughout its lifecycle

4. ISO 27001

EPaySe maintains an Information Security Management System (ISMS) certified to ISO/IEC 27001:2022. This international standard provides a systematic approach to managing sensitive company and customer information.

Our ISMS Covers

  • Risk assessment and risk treatment methodologies
  • Information security policies and procedures
  • Asset management and classification
  • Human resource security (background checks, security training)
  • Physical and environmental security
  • Communications and operations management
  • Business continuity management
  • Supplier relationship security

5. GDPR Compliance

EPaySe complies with the General Data Protection Regulation (GDPR) for all personal data processed from the European Economic Area (EEA), and with the equivalent UK GDPR and Swiss Federal Act on Data Protection for personal data from the United Kingdom and Switzerland.

Data Subject Rights

We support all rights granted under GDPR, including:

  • Right to access — Request a copy of your personal data
  • Right to rectification — Correct inaccurate personal data
  • Right to erasure — Request deletion of personal data (subject to legal retention requirements)
  • Right to portability — Receive your data in a machine-readable format
  • Right to object — Object to processing based on legitimate interests
  • Right to restrict processing — Limit how we use your data

Data Processing

  • Lawful basis — We process personal data based on contract performance, legal obligations, and legitimate interests
  • Data minimization — We collect only the data necessary for payment processing and regulatory compliance
  • Data Protection Officer — Our DPO can be contacted at [email protected]

6. Data Protection

Encryption

  • At rest — AES-256 encryption for all stored data, with hardware security modules (HSM) for key management
  • In transit — TLS 1.3 is negotiated on all connections where the client supports it; TLS 1.2 with strong cipher suites is the minimum accepted, and older protocol versions are refused
  • Key rotation — Cryptographic keys are rotated on a regular schedule with 24-hour grace periods

Access Controls

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) required for all internal and merchant admin access
  • Passkey/WebAuthn support for phishing-resistant authentication
  • Session management with configurable timeouts and automatic lockout
  • IP whitelisting available for API access

API Security

  • HMAC-SHA256 authentication — Every API request is signed with a cryptographic signature
  • Nonce replay prevention — Each request carries a unique nonce; a nonce that has already been seen is rejected, so a captured request cannot be submitted a second time
  • Timestamp validation — Each request carries a timestamp and is rejected if it differs from server time by more than 5 minutes, which also bounds how long nonces must be remembered
  • Rate limiting — Multi-layer rate limiting at Cloudflare, Nginx, and application levels
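The signing scheme described in the bullets above, as an added example in Python that is not EPaySe's own SDK or API code: a client-side signer and a server-side verifier that applies the three checks in order (timestamp drift, HMAC-SHA256 in constant time, nonce reuse). The header names (`X-Timestamp`, `X-Nonce`, `X-Signature`), the canonical-string layout and the sample secret are assumptions, since the page does not specify them; HMAC-SHA256, the per-request nonce and the 5-minute window come from the page. The same verifier, keyed with a webhook secret, is what a merchant would run to perform the webhook signature verification recommended under Merchant Obligations.

```python
"""HMAC-SHA256 request signing and verification with nonce and timestamp checks.

Added example (not EPaySe's SDK). Header names, the canonical-string layout and
the secret are assumptions; the primitives (HMAC-SHA256 per request, a unique
nonce rejected on reuse, and a 5-minute timestamp tolerance) come from the page.
"""
import hashlib
import hmac
import secrets
import time

MAX_DRIFT_SECONDS = 5 * 60  # page: reject if the timestamp drifts more than 5 minutes


def canonical_string(method, path, body, timestamp, nonce):
    """Assumed layout: bind method, path, body digest, timestamp and nonce into one
    string so that changing any of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}\n{nonce}".encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the three auth headers (names assumed) for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce  # 128-bit random nonce
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class SignatureVerifier:
    """Server side: checks drift, then the MAC (constant time), then nonce reuse."""

    def __init__(self, secret, now=time.time):
        self._secret = secret
        self._now = now      # injectable clock so the behaviour can be tested offline
        self._seen = {}      # nonce -> time after which it can safely be forgotten

    def verify(self, method, path, body, headers):
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        now = int(self._now())
        # 1. Drift check first: a stale request needs no more work, and the window
        #    bounds how long the nonce cache has to remember anything.
        if abs(now - ts) > MAX_DRIFT_SECONDS:
            return False, "timestamp outside the 5-minute window"
        # 2. Recompute the MAC over what was actually received; compare in constant time.
        expected = hmac.new(self._secret, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # 3. Only authenticated requests reach the nonce cache, so unauthenticated
        #    traffic cannot fill it; an entry lives only while its timestamp is valid.
        self._forget_expired(now)
        if nonce in self._seen:
            return False, "nonce replayed"
        self._seen[nonce] = ts + MAX_DRIFT_SECONDS
        return True, "ok"

    def _forget_expired(self, now):
        for n in [n for n, exp in self._seen.items() if exp < now]:
            del self._seen[n]


def demo():
    """Exercise the four cases a practitioner should test; all inputs are constructed."""
    secret = b"sk_test_constructed_secret"
    clock = [1_700_000_000]                       # fake server clock, seconds
    server = SignatureVerifier(secret, now=lambda: clock[0])
    body = b'{"amount": 1000, "currency": "EUR"}'
    path = "/v1/payments"
    results = {}
    # A fresh request is accepted; an exact replay of it is not.
    hdrs = sign_request(secret, "POST", path, body, timestamp=clock[0], nonce="nonce-1")
    results["fresh"] = server.verify("POST", path, body, hdrs)
    results["replay"] = server.verify("POST", path, body, hdrs)
    # Body altered after signing (amount 1000 -> 1) is rejected even with a new nonce.
    hdrs = sign_request(secret, "POST", path, body, timestamp=clock[0], nonce="nonce-2")
    results["tampered"] = server.verify("POST", path, b'{"amount": 1, "currency": "EUR"}', hdrs)
    # A request captured now and delivered six minutes later is rejected on drift alone.
    hdrs = sign_request(secret, "POST", path, body, timestamp=clock[0], nonce="nonce-3")
    clock[0] += 6 * 60
    results["stale"] = server.verify("POST", path, body, hdrs)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} accepted={ok!s:5s} {reason}")
```

The nonce cache here is an in-process dictionary, which is enough to show the logic; behind a load balancer it has to live in a store shared by every replica (otherwise a replay sent to a different instance succeeds), and the 5-minute window is what keeps that store small. The MAC is checked before the nonce is recorded so that an attacker without the secret cannot burn nonces or grow the cache.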

7. Fraud Prevention

EPaySe employs a 13-layer fraud detection system that combines rule-based engines, machine learning models, and behavioral analysis to protect merchants and cardholders.

Defense Layers

  • Cloudflare WAF and DDoS protection
  • Nginx rate limiting and connection throttling
  • CAPTCHA verification (Cloudflare Turnstile)
  • Application-level rate limiting
  • HMAC signature verification
  • API key validation with expiration management
  • IP whitelisting and geolocation rules
  • Session encryption and CSRF protection
  • Two-factor authentication and passkeys
  • Content Security Policy (CSP) headers
  • Input validation and parameterized queries
  • Permission gates and authorization policies
  • AI-powered behavioral anomaly detection

3D Secure

We support 3D Secure 2.0 (EMV 3DS) for strong customer authentication (SCA), meeting PSD2 requirements for European transactions. Our system intelligently routes transactions through 3DS based on risk assessment, merchant configuration, and regulatory requirements.

8. Infrastructure Security

Cloud Infrastructure

  • Hosted on enterprise-grade cloud infrastructure with SOC 2 certified providers
  • Multi-region deployment for high availability and disaster recovery
  • Automated failover with less than 30-second recovery time
  • 99.9% uptime SLA backed by redundant systems

Network Security

  • Web Application Firewall (WAF) with custom rulesets
  • DDoS mitigation through Cloudflare's global network
  • Network segmentation between payment processing and application layers
  • Intrusion detection and prevention systems (IDS/IPS)
  • 24/7 security monitoring with automated alerting

Vulnerability Management

  • Continuous automated vulnerability scanning
  • Annual penetration testing by certified third parties
  • Responsible disclosure program for security researchers
  • Regular patching cadence with emergency patch SLAs

9. Incident Response

EPaySe maintains a comprehensive Incident Response Plan (IRP) that defines procedures for identifying, containing, eradicating, and recovering from security incidents.

Response Timeline

  • Detection — Automated monitoring detects anomalies within minutes
  • Triage — Security team assesses severity within 15 minutes of detection
  • Notification — Affected merchants notified within 24 hours for high-severity incidents
  • Resolution — Critical incidents targeted for resolution within 4 hours
  • Post-mortem — Root cause analysis and preventive measures documented within 72 hours

Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33, and notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34). We also comply with all applicable breach notification laws in the other jurisdictions where we operate.

10. Merchant Obligations

As a merchant using EPaySe, you share responsibility for maintaining security standards:

Required

  • Maintain PCI-DSS compliance appropriate to your transaction volume
  • Use strong, unique API keys and rotate them regularly
  • Implement HMAC signature verification for all API interactions
  • Enable two-factor authentication for all dashboard users
  • Configure IP whitelisting for API access when possible
  • Report suspected security incidents to our team immediately

Recommended

  • Enable webhook signature verification
  • Use our fraud prevention rules and configure custom thresholds
  • Review transaction logs regularly for suspicious activity
  • Keep your integration up to date with our latest SDK versions

11. Contact Us

For compliance inquiries, security concerns, or to request our latest audit reports:

To report a security vulnerability, please email our security team directly. We acknowledge all reports within 24 hours and aim to provide an initial assessment within 72 hours. We appreciate responsible disclosure and will work with you to understand and address the issue.