PCI DSS Compliance Statement

Last updated: 10/17/2025

Payment Card Industry Data Security Standard (PCI DSS)

SecurePointAfrica is committed to maintaining the highest standards of payment security and compliance with the Payment Card Industry Data Security Standard (PCI DSS). This statement outlines our approach to protecting payment card data and ensuring secure payment processing.

Our Payment Processing Architecture

🔒 Secure Payment Gateway Integration

We do not store, process, or transmit payment card data directly. All payment processing is handled by PCI DSS Level 1 certified payment providers:

  • Stripe: Level 1 PCI DSS certified service provider
  • Paystack: PCI DSS compliant payment processor
  • Flutterwave: PCI DSS compliant payment processor
  • Mercury Banking: FDIC-insured US banking partner

💰 Settlement Architecture

All payments are settled securely to our US banking partner Mercury:

  • • All gateways settle in USD to Mercury account
  • • Secure routing and account number processing
  • • FDIC insurance protection
  • • Real-time settlement monitoring

PCI DSS Requirements Compliance

1. Build and Maintain Secure Networks

  • • Firewall protection and network segmentation
  • • Secure network architecture design
  • • Regular network security assessments
  • • Encrypted communication channels

2. Protect Cardholder Data

  • • No storage of payment card data on our systems
  • • Tokenized payment processing
  • • Encryption of sensitive data in transit
  • • Secure data handling procedures

3. Maintain Vulnerability Management

  • • Regular security updates and patches
  • • Vulnerability scanning and assessment
  • • Secure coding practices
  • • Third-party security evaluations

4. Implement Strong Access Control

  • • Role-based access control (RBAC)
  • • Multi-factor authentication (MFA)
  • • Regular access reviews and audits
  • • Principle of least privilege

5. Regularly Monitor Networks

  • • Continuous network monitoring
  • • Intrusion detection systems
  • • Security event logging and analysis
  • • Real-time threat detection

6. Maintain Information Security Policy

  • • Comprehensive security policies and procedures
  • • Regular security awareness training
  • • Incident response procedures
  • • Regular policy reviews and updates

Data Security Measures

Encryption

  • • TLS 1.3 for data in transit
  • • AES-256 for data at rest
  • • End-to-end encryption
  • • Key management best practices

Access Controls

  • • Multi-factor authentication
  • • Role-based permissions
  • • Session management
  • • Regular access audits

Third-Party Payment Providers

Certified Payment Processors

All payment processing is handled by PCI DSS certified third-party providers:

  • Stripe: PCI DSS Level 1 Service Provider (Certificate #2016-001)
  • Paystack: PCI DSS Compliant Service Provider
  • Flutterwave: PCI DSS Compliant Service Provider
  • Mercury: FDIC-insured banking partner

Data Flow Architecture

Payment data flows securely through our certified partners:

Customer → Payment Gateway → Mercury Banking

• Card data never touches our servers

• Tokenized payment processing

• Secure settlement to Mercury account

Audit and Compliance

We maintain ongoing PCI DSS compliance through:

  • Annual PCI DSS compliance assessments
  • Quarterly vulnerability scans
  • Regular penetration testing
  • Continuous compliance monitoring
  • Third-party security audits

Incident Response

In the event of a security incident involving payment data, we have established procedures for:

  • Immediate incident containment
  • Forensic investigation
  • Regulatory notification
  • Customer communication
  • Remediation and prevention

Contact Information

For PCI DSS compliance questions or to report security concerns:

Security Team: security@securepointafrica.com

Compliance Officer: compliance@securepointafrica.com

Phone: +1 (555) 123-4567

Emergency Hotline: +1 (555) 999-SECU (7328)

✅ PCI DSS Compliance Statement

SecurePointAfrica maintains compliance with PCI DSS requirements through our use of certified payment processors and implementation of appropriate security controls. We do not store, process, or transmit payment card data directly, ensuring maximum security for our customers' financial information.