Vaulting

Payment sovereignty is an architecture decision

Payment sovereignty is an architecture decision

Payment sovereignty is an architecture decision

Jens Kohnen
Jens Kohnen
Co-Founder & Chief of Revenue and growth at Starfish & Co. – creators of Hellgate®
Co-Founder & Chief of Revenue and growth at Starfish & Co. – creators of Hellgate®

Dependency used to be invisible. Then it wasn't.

Three moments, three years, one lesson.

March 2022: Visa and Mastercard suspend their operations in Russia over a single weekend. Cards issued by Russian banks stop working abroad. Foreign cards stop working in the country. Two private companies switch off the payment rails of an entire economy, effective almost immediately.

July 2024: a faulty software update from CrowdStrike crashes roughly 8.5 million Windows machines worldwide, by Microsoft's own estimate. Flights grounded, hospitals disrupted, checkouts frozen. Parametrix later estimated 5.4 billion dollars in direct losses for US Fortune 500 companies alone. One vendor, one update, one afternoon.

2025: after US sanctions were imposed on the chief prosecutor of the International Criminal Court, he reportedly lost access to his Microsoft email account. Whatever the precise mechanism, the episode became Europe's reference case for a question nobody wanted to ask out loud: what happens when infrastructure you depend on answers to a jurisdiction you don't control?

Different events. Same pattern. Infrastructure you don't control can be switched off, degraded, or repriced. Rarely on your schedule. Never with your consent.

In payments, the dependency runs deeper than the cloud

The sovereignty debate in Europe is dominated by cloud infrastructure, and for good reason. But for merchants, the sharpest dependencies sit inside the payment stack itself.

The European Central Bank put numbers on part of it in early 2025: international card schemes handled roughly 61 percent of euro-area card payments, and 13 euro-area countries have no domestic card scheme at all. That is the rail layer, and merchants can't change it alone.

What merchants can change is the layer directly above it. And that layer is where the quiet lock-in lives:

Your payment credentials. Most PSPs tokenize your customers' cards into proprietary gateway tokens. Those tokens work with exactly one provider: theirs. Want to switch? Your stored credentials don't come with you. Migration means months of re-tokenization projects, or worse, asking customers to re-enter their card details. Every re-entry request loses revenue, permanently. Your customer relationships are held hostage by a token format.

Your routing. In a single-PSP stack, the provider decides how transactions flow, which acquirer sees them, and what happens on a decline. Your authorization rate is a function of decisions you don't make.

Your data. Every provider has its own dashboard, its own webhook format, its own reporting logic. Cross-provider reconciliation becomes a manual craft. The picture of your own payment business is fragmented across other people's systems.

None of this is malicious. It is simply how walled gardens work. Convenience on the way in, cost on the way out.

Why we built Hellgate®

Hellgate exists because we believe payment infrastructure should empower businesses, not bind them.

The rest of the enterprise stack learned this lesson years ago. Nobody builds on a single, monolithic, take-it-or-leave-it system anymore. Modern infrastructure is composable: independent components, open interfaces, providers you can swap. Payments is the last major domain where the walled garden is still sold as a feature.

Composable Payment Architecture is our answer. Independent components, each solving one problem well, each integrating with the others, none requiring the rest. You use what you need. You own what matters.

What independence looks like in practice

Guardian - PCI Vault & Tokenization. The core of credential sovereignty. Guardian is a provider-agnostic vault where you own the token-to-PAN mapping. It issues network tokens with Visa and Mastercard under your own Token Requestor ID, so your credentials are registered to you, not to your PSP. The practical consequence: switching acquirers or PSPs becomes an infrastructure change, not a customer-facing event. No re-tokenization project. No "please re-enter your card." And because PANs never touch your systems, your PCI scope shrinks dramatically.

Link - PSP Abstraction. One versioned integration, access to any acquirer or PSP. Adding a provider stops being a quarter-long engineering project. When switching costs approach zero, negotiating power returns to where it belongs.

Hub - Orchestration Fabric. Routing logic you define and control: multi-acquirer routing, retries, fallbacks. Your transactions flow according to your rules, not your provider's defaults.

Pulse - Observability & Metrics. Your transaction data, normalized across providers, in one place. Reconciliation and performance analysis without stitching together six dashboards.

Each component removes one dependency. Together, they change the relationship between merchant and provider from captivity to choice.

The infrastructure layer: your cloud, your decision

The same principle applies one layer down.

Hellgate runs on dedicated, single-tenant infrastructure, and where that infrastructure lives is your call. Azure, AWS, GCP, or a European sovereign cloud. We don't pick your cloud provider any more than we pick your acquirer.

For European enterprises with hard sovereignty requirements, that choice now includes STACKIT. Hellgate Guardian is available on the STACKIT Marketplace, the sovereign cloud operated by Schwarz Digits, with data centers exclusively in Germany and Austria and, in STACKIT's own framing, no exposure to non-European law.

To be clear about what this is and isn't: this is not Hellgate replacing one cloud with another. It is an additional option, because provider-agnosticism that stops at the hosting layer isn't provider-agnosticism. Some of our customers are perfectly served on Azure. Others have regulatory, contractual, or strategic reasons to keep card data on European soil under European jurisdiction. Both get the same Hellgate. The choice is theirs, which is precisely the point.

Sovereignty is not a feature. It's a structure.

You cannot buy independence as an add-on to a dependent architecture. A walled garden with a "data residency" checkbox is still a walled garden.

Independence is structural. It comes from owning your credentials, controlling your routing, holding your data, and choosing your infrastructure, each as a deliberate decision rather than a default you inherited from your first PSP contract.

The events of the last few years didn't create these dependencies. They made them visible. What you do with that visibility is an architecture decision.

Book a demo → hellgate.io/demo

Jens Kohnen
Jens Kohnen
Jens Kohnen
Co-Founder & Chief of Revenue and growth at Starfish & Co. – creators of Hellgate®
Co-Founder & Chief of Revenue and growth at Starfish & Co. – creators of Hellgate®

Jens Kohnen was driven to co-start the company by the conviction that payment infrastructure should empower businesses, not bind them. Recognizing that many large organizations were locked into monolithic, opaque setups, Jens embarked on a journey to free enterprises from these rigid stacks. His mission is to enable companies to regain full ownership and monetize their flows, transforming payments from a cost center into a strategic lever for growth.