Compliance, Security & PCI-DSS Alignment

PYMNT processes payments through a hosted checkout architecture designed to minimize risk exposure while maintaining a seamless user experience.

Card payments are handled in a way that reduces PCI scope through domain separation, client-side encryption, and reliance on accredited payment partners.


Hosted checkout architecture

PYMNT uses a segmented hosted checkout flow to separate general checkout logic from sensitive card data entry.

The flow is structured as follows:

  • checkout.domain.tld — main checkout experience (order details, payment selection, and context)
  • cards.domain.tld — isolated card input environment

When a customer selects card payments, they are securely redirected from the main checkout to the dedicated card input environment.

This ensures that:

  • Card entry is isolated from the main application
  • Sensitive input is separated into a controlled environment
  • The PCI scope of the core platform is significantly reduced

Client-Side Encryption (CSE)

PYMNT uses Client-Side Encryption (CSE) for card payments.

This means:

  • Card data is encrypted directly in the browser before being transmitted
  • PLTFRMS systems never receive raw cardholder data in plaintext
  • Only encrypted payment payloads are forwarded to the payment processor

Decryption and processing of card data are handled exclusively by accredited Payment Service Provider (PSP) infrastructure.
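
The CSE data flow described above, as an added example that is not PYMNT or PSP code: the card page encrypts with a PSP public key, the platform forwards only the opaque blob, and only the PSP private key can open it. RSA-OAEP, the function names, the Luhn-based plaintext guard, and all sample values are assumptions made for illustration, written for Node.js so it runs offline.

```javascript
// Added illustration; not PYMNT or PSP code. All names and values are constructed.
const nodeCrypto = require("node:crypto");

// PSP side: key pair whose private half never leaves PSP infrastructure.
const psp = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Card page (cards.domain.tld): encrypt the card fields with the PSP public key.
function encryptCard(card, pspPublicKey) {
  const plaintext = Buffer.from(JSON.stringify(card), "utf8");
  return nodeCrypto.publicEncrypt({ key: pspPublicKey, ...OAEP }, plaintext).toString("base64");
}

// Luhn check used by the platform guard to spot anything that looks like a PAN.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Platform side: accept only the opaque blob plus order context; reject any
// request whose other fields contain a Luhn-valid 13-19 digit number.
function platformAccept(request) {
  for (const [field, value] of Object.entries(request)) {
    if (field === "encryptedCard") continue;
    const runs = String(value).replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
    if (runs.some(luhnValid)) throw new Error(`plaintext PAN in field "${field}"`);
  }
  if (typeof request.encryptedCard !== "string") throw new Error("missing encryptedCard");
  return { orderId: request.orderId, encryptedCard: request.encryptedCard };
}

// PSP side: the only place the blob is decrypted.
function pspDecrypt(blob, pspPrivateKey) {
  const opts = { key: pspPrivateKey, ...OAEP };
  return JSON.parse(nodeCrypto.privateDecrypt(opts, Buffer.from(blob, "base64")).toString("utf8"));
}

const card = { number: "4111111111111111", expiry: "12/30", cvc: "123" }; // constructed test card
const forwarded = platformAccept({ orderId: "ord_1", encryptedCard: encryptCard(card, psp.publicKey) });
console.log(pspDecrypt(forwarded.encryptedCard, psp.privateKey).number.slice(-4)); // last four only
```

A guard like platformAccept is also a useful regression check: if a front-end change ever starts sending card fields to the platform alongside the encrypted blob, the request fails instead of silently widening PCI scope.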


PCI-DSS alignment

PYMNT is designed to align with PCI-DSS (Payment Card Industry Data Security Standard) principles through its architecture and operational controls.

Key design principles include:

  • Separation of card input into a dedicated domain (cards.domain.tld)
  • Use of client-side encryption for all sensitive card data
  • Strict separation between orchestration services and payment processing
  • No storage or processing of raw cardholder data within PLTFRMS systems

This architecture is designed to reduce PCI scope and ensure that sensitive payment operations are handled only by certified partners.


Payment processing responsibilities

Payment processing responsibilities are split across multiple layers:

  • PLTFRMS (PYMNT)
    • Handles checkout flow, orchestration, and payment lifecycle
    • Does not process or store raw card data
  • Accredited Payment Service Provider (PSP)
    • Performs card processing and decryption
    • Handles PCI-DSS certified payment operations
    • Connects to card networks and acquiring banks

This separation ensures compliance while maintaining flexibility and scalability.


Fund safeguarding

All financial flows are safeguarded through a licensed stichting derdengelden (third-party funds foundation) operated in partnership with the PSP ecosystem.

This ensures that:

  • Merchant funds are legally separated from operational funds
  • Customer payments are securely held and protected
  • Financial flows remain compliant with applicable regulations

Audit & compliance model

PYMNT follows a structured compliance and audit approach:

  • Internal PCI-DSS self-assessments (SAQ-aligned)
  • Continuous security and architecture reviews
  • Quarterly external audits for payment-related systems and controls
  • Alignment with PSP-managed PCI-DSS certified environments

Important clarification

While PYMNT is designed in alignment with PCI-DSS requirements:

  • PLTFRMS is not a PCI-DSS certified card processor
  • Card processing certification and compliance are handled by accredited PSP partners
  • PLTFRMS operates within a segmented architecture that reduces PCI scope and delegates sensitive operations to certified infrastructure

Why this matters

This architecture enables PYMNT to:

  • Reduce PCI compliance scope through isolation and segmentation
  • Maintain strong security boundaries for sensitive data
  • Ensure card data is never exposed to core platform systems
  • Rely on certified partners for regulated payment processing
  • Scale payment infrastructure safely across multiple products