Built for the controls banks and regulators require

Security and compliance

PaychainX is designed around defense in depth and independent verifiability. This page separates what is live in the gateway today from what is on the certification roadmap, with no overstated claims.

In plain English

PaychainX never holds the raw card number. It replaces it with a token, locks every door so no part of the system trusts another by default, and writes a tamper-evident receipt for each payment that a bank or auditor can verify without trusting us. Formal certifications like PCI and SOC are the next milestones, and we say so plainly rather than implying they are already done.

Live today (Operational)

Transport: TLS 1.2 / 1.3, HTTP/2
Edge: Cloudflare front
Authentication: API key, 401 fast-fail
Card data: Tokenized, no PAN held
Trust model: Zero Trust, per-hop revalidation
Audit: SHA-256 proof per payment
Integrity of retries: Idempotency keys
Webhooks: HMAC-signed, retried, dead-lettered
Logging: Immutable audit records
Infrastructure: Ubuntu, Nginx, PM2, firewall

Roadmap (In progress)

PCI-DSS certification: In progress
SOC 2: Alignment, targeted
CMMC (government): Alignment, targeted
Integrity digest to SHA-512: Roadmap
Post-quantum signature: ML-DSA, roadmap
Secrets manager: Planned
Key rotation automation: Planned
Independent penetration test: Planned

We do not market a certification before it is real. Each roadmap item is stated as a target, not a current control.

What the gateway handles, and what it never touches

Minimizing the sensitive data in scope is the simplest way to shrink risk. The gateway operates on tokens and normalized result codes only.

Handled
Stored-credential token: ptok_…
Terminal / device IDs: term, device, store, lane
Normalized AVS / CVV: match / no-match codes
Processor references: txn id, attempt id
Proof identifiers: proof_id, proof_hash

Never handled
Raw PAN: no
CVV value: no
Cardholder PII: no
Magnetic / chip data: no
Plaintext secrets in logs: no

Compliance frameworks, mapped

How the architecture lines up with the frameworks enterprise and government buyers ask about.

PCI DSS
Tokenization removes PAN from scope; TLS, access control, and audit logging in place. Formal certification in progress.
Status: Aligning

SOC 2
Immutable audit trail, access control, and change evidence support the trust criteria. Audit targeted.
Status: Targeted

CMMC
Zero Trust and audit standards position the platform for regulated and government deployment.
Status: Targeted

KYC and KYB
Identity and business verification on merchant self-onboarding, supporting AML obligations. UI and UX roughly 95 percent complete, in the production phase.
Status: Near production

Zero Trust
Every request independently validated, no implicit trust between services, device-level checks.
Status: Live

Tamper-evident audit
SHA-256 proof per payment, deterministic and independently verifiable: recompute and compare.
Status: Live

The differentiator

Audit you can verify without trusting the vendor

Most security claims ask you to take the provider's word. PaychainX seals each transaction in a cryptographic proof you can recompute yourself. A reviewer confirms the math in a browser, and tampering with any field breaks verification in front of them.

Honesty note: figures and controls reflect a reference and acceptance environment. Production-scale certification (PCI, SOC, CMMC) is in progress and not represented as complete. See the References page for the standards behind each control.