House notice · Compliance

The compliance program, in six articles.

Compliance at the house is the product, not a checkbox at the bottom of a procurement form. This is what we do, what we keep on file, and what your acquirer or auditor can ask to see.

  1. I.

    Card data and PCI DSS

    Card primary account numbers are held by our processing partners in a PCI DSS Level 1 certified environment. The house never receives or stores them. Our control plane operates against a SOC 2 program currently underway.

  2. II.

    Know your customer & business

    Every applicant is read against structured identity verification, business-registration validation against authoritative sources, and beneficial-owner attestation aligned with FinCEN customer due-diligence guidance.

  3. III.

    Sanctions and adverse media

    Continuous screening against OFAC SDN, UN, EU, and HMT consolidated sanctions lists, with adverse-media monitoring on principals and entities. Re-screening runs nightly and on demand.

  4. IV.

    Anti-money-laundering and monitoring

    Real-time monitoring with vertical-aware baselines, velocity controls, and a structured case-management workflow. The suspicious-activity escalation path is documented and audited.

  5. V.

    Restricted business policy

    We do not take onto the books any operator on the Visa BRAM or Mastercard BAU lists, or any operator engaged in conduct prohibited by our Acceptable use page. Reviews include vertical-specific licensing checks where applicable.

  6. VI.

    Audit and retention

    Every onboarding decision, every risk event, and every reviewer action is logged with an immutable timestamp and retained for the periods required under applicable regulation and card-network rule.

Frameworks the program is mapped to

Mapped to published standards.

The program is structured against PCI DSS v4.0, NIST CSF 2.0, FinCEN customer-due-diligence guidance, and the operating rules of Visa, Mastercard, American Express, and Discover. We coordinate with our acquiring partners on category-specific obligations, including BRAM, BAU, and high-risk MCC supplemental requirements.

PCI DSS v4.0·NIST CSF 2.0·FinCEN CDD·Visa BRAM·Mastercard BAU·SOC 2 (in progress)
Read the security & trust page →