Payment Compliance
What Is Payment Compliance?
Payment compliance is the aggregate of regulatory, contractual, and technical obligations that organisations must satisfy to legally and securely accept, process, and store payment transactions. These obligations come from multiple directions simultaneously: card scheme technical standards (PCI DSS), EU financial services regulation (PSD2, DORA), anti-money laundering law (AML/KYC), data protection regulation (GDPR), and national banking supervisory requirements. Non-compliance has material consequences: card scheme fines up to €100,000 per month, GDPR penalties up to 4% of global annual turnover, and DORA enforcement action for financial entities and their ICT providers.
Key Payment Compliance Frameworks
PCI DSS – Payment Card Industry Data Security Standard
PCI DSS governs how cardholder data is stored, processed, and transmitted. Merchants are classified by annual transaction volume into compliance levels (1–4), each requiring different validation approaches—from external QSA audits for Level 1 merchants (over 6 million transactions annually) down to self-assessment questionnaires for Level 4. The dominant scope-reduction strategy is tokenisation: replacing raw PANs with tokens before they enter merchant systems removes those systems from PCI scope entirely.
PSD2, PSD3, and Strong Customer Authentication
PSD2 mandated Strong Customer Authentication (SCA) for electronic payment initiation across the EU and EEA: two of three factors (knowledge, possession, inherence). In practice, SCA is implemented through EMV 3D Secure 2 (3DS2). PSD3 and the accompanying PSR, currently in final legislative stages, will tighten SCA requirements further and extend open banking obligations.
DORA – Digital Operational Resilience Act
DORA, effective January 2025, imposes operational resilience obligations on financial entities and their critical ICT providers. Key requirements: major incident reporting to competent authorities within four hours, Threat-Led Penetration Testing (TLPT) for critical systems on a three-year cycle, and contractual resilience requirements for third-party ICT agreements. Payment platforms must either comply directly or document contractual reliance on DORA-compliant providers.
AML/KYC
Anti-Money Laundering and Know Your Customer obligations require payment operators to verify customer identities at onboarding, screen against sanctions lists, monitor transactions for suspicious activity, and file Suspicious Activity Reports. For embedded finance platforms and payment facilitators, KYC obligations extend to sub-merchant onboarding—adding a risk assessment layer before accepting new sellers or service providers.
How Hellgate Enables Compliance by Design
Hellgate's Composable Payment Architecture (cpa) is built with compliance by design. Guardian eliminates PCI scope for merchant systems by ensuring raw PANs never leave the vault boundary. Hub orchestrates SCA—automatically triggering 3DS2 based on Specter's risk score and applying PSD2 transaction risk exemptions where eligible. As a DORA-scoped ICT provider, Hellgate maintains the incident reporting procedures, TLPT programme, and third-party contractual resilience documentation that client financial entities need to satisfy their own DORA obligations through contractual reliance.