// PCI COMPLIANCE

Stay in scope.
Skip the pain.

Hosted vault and network tokens keep PAN off your servers. SAQ-A scope on day one. Audit prep in days, not weeks. Level 1 attestation under the hood.

PCI-DSS v4.0 · ANNUAL CONTROLS
SAQ-D: 240 controls when you handle PAN
SAQ-A: 22 when Vonpay handles it
ANNUAL EFFORT: Weeks of audit prep → Days. Same auditor. Different scope.
// CONTROL SPLIT

Who owns which control.

The 22 controls still on your plate are the ones that have to be — network segmentation, change management, quarterly scans. The 240-control surface for the cardholder data environment is ours.

CONTROL · OWNED BY
PCI-DSS Level 1 attestation (QSA-audited) · Annual
Cardholder data environment (CDE) · Hosted in our CDE
PAN encryption at rest & in transit · Managed
Key management & rotation (HSM) · Managed
Tokenization (network + vault) · Issued + lifecycle
3DS step-up + risk-based authentication · Pre-auth, in-scope
AVS, CVV, velocity, device fingerprint · Pre-auth screens
Network segmentation around your app · Your responsibility
Access controls + change management · Your responsibility
Annual SAQ-A self-assessment · Template provided · Submit
Quarterly external scan (ASV) · Light-touch
// AUDIT READY

Walk into your next QSA review with less to defend.

SAQ-A scope, Level 1 infrastructure, audit-ready logs from your first transaction. We hand you the SAQ scaffolding when underwriting wraps.