PCI Level 1 · Card data never lands on your servers

Security that keeps your scope small

The fields that touch a card are served and tokenized by Naturpay, so the raw PAN, expiry and CVC never reach your backend. You ship the experience; we carry the regulated surface: PCI DSS Level 1, strong customer authentication, network tokens and signed events included.

  • Your PCI scope stays SAQ A
  • TLS 1.3 in transit, AES-256 at rest
  • Signed, replayable webhooks
  • tok_visa_9f2c created: card never left the field
  • 3-D Secure passed: challenge handled inline

Audited and aligned to: PCI DSS 4.0 · SOC 2 Type II · ISO 27001 · PSD2 SCA · GDPR

How isolation works

The card field is ours, the page is yours

When you mount the payment element, the sensitive inputs are rendered from natur-pay.com inside an isolated frame. Keystrokes stay in that boundary, are encrypted before they leave the browser and are exchanged at our edge for a single-use token before anything reaches your code. Your form, your styles and your validation surround it, but the raw number is never in your DOM or your logs.

  • The buyer types into fields served by Naturpay, not your origin.
  • Card data is encrypted in the browser and tokenized at our edge.
  • Your server only ever sees a token, brand and last four digits.
  • Because raw card data never enters your environment, a typical embedded integration qualifies for SAQ A.
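The isolation above keeps card data out of your backend by design. The guard below is an added example, not Naturpay code, of the defence-in-depth check a scope-conscious team runs on its own side: it flags anything that looks like a primary account number in an inbound request body and masks PANs in log lines, so a mis-wired form or a debug log cannot quietly pull raw card data into your stack. Field names and sample payloads are constructed for illustration; the check only recognises PANs, not CVCs, and complements rather than replaces the hosted fields.

```javascript
// Added example: defence-in-depth PAN guard for a backend that must stay out
// of PCI scope. Not Naturpay code; payloads and field names are constructed.

// Luhn check: every real PAN passes it, most other digit runs (order ids,
// timestamps, phone numbers) do not, which keeps false positives low.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the Luhn-valid PANs found in a string, as plain digit strings.
function findPans(text) {
  const found = [];
  for (const m of String(text).match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Walk a parsed JSON body and report every path holding a PAN-looking value.
function scanBody(value, path = '$') {
  const findings = [];
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findings.push(...scanBody(v, `${path}.${k}`));
    }
  } else if (typeof value === 'string' || typeof value === 'number') {
    for (const pan of findPans(value)) findings.push({ path, last4: pan.slice(-4) });
  }
  return findings;
}

// Gate for a checkout endpoint: accept only tokenised card references.
// Returns { ok: true } or { ok: false, findings } so the caller can 400 and alert.
function assertNoCardData(body) {
  const findings = scanBody(body);
  return findings.length ? { ok: false, findings } : { ok: true };
}

// Mask PANs in a log line, keeping the last four for support correlation.
function redactPans(line) {
  return String(line).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// Usage with constructed payloads: a tokenised body passes, a raw card is refused.
assertNoCardData({ token: 'tok_visa_9f2c', amount: 1999 });            // { ok: true }
assertNoCardData({ card: { number: '4242424242424242', cvc: '123' } }); // { ok: false, ... }
```

Wire `assertNoCardData` into the checkout route before any logging or persistence, and run `redactPans` in your log formatter; a finding in production is a signal that something on the page is bypassing the hosted fields and belongs in your incident process, not just your 400 handler.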

Controls and guarantees

The protections running underneath your checkout

Every flow that moves a payment passes through layered controls you do not have to build or maintain. They are on by default, versioned and covered by our audits.

PCI DSS Level 1

Naturpay is assessed as a Level 1 service provider, the strictest tier. Because the card fields and vault are ours, your integration inherits that posture and stays at SAQ A.

Annual AOC on request

SCA / 3-D Secure inline

The SDK runs the full 3-D Secure 2 flow without leaving your page and only raises a challenge when the issuer or PSD2 requires one. You confirm the intent and branch on a clear result.

Frictionless when allowed

Network tokenization

Stored cards are replaced with network tokens from the card schemes, so a saved credential keeps working through reissues, and a token that leaks cannot be used as a card number elsewhere because it is bound to the merchant context it was issued for. Authorization rates improve as a side effect.

Visa · Mastercard · Amex

Encryption in transit and at rest

Traffic is served over TLS 1.3 with HSTS, and stored data is encrypted with AES-256. Card numbers live only in an isolated vault behind tokenization, never in application databases.

TLS 1.3 · AES-256

Signed webhooks

Every event carries an HMAC signature over the payload and a timestamp, which you verify with one SDK call; a bad signature or a timestamp outside the tolerance window is rejected, which stops forged and replayed deliveries. Events are durable and replayable, so a dropped request never desyncs your ledger. Because a retried or replayed event can legitimately arrive twice, key fulfilment on the event id so it runs once.

HMAC · replay window

Access controls and audit logs

Dashboard access uses scoped roles, mandatory two-factor and SSO, while API keys are scoped, rotatable and restrictable by IP. Every key use and dashboard action is written to an immutable, exportable audit log.

RBAC · 2FA · SSO
webhook handler
// Verify before trusting anything in the body. `rawBody` must be the exact
// bytes received, not re-serialised JSON, or the signature will not match.
// `wv` is the initialised SDK client and `req` the incoming request; their
// setup is not shown on this page.
const event = wv.webhooks.verify(
  rawBody,
  req.headers['wv-signature'],
  process.env.WV_WHSEC,
  { tolerance: 300 } // 5 min replay window, in seconds
);
// verify() throws on a bad signature or a stale timestamp, so nothing below
// runs for a forged or replayed delivery.

if (event.type === 'payment.succeeded') {
  await fulfill(event.data.intent); // fulfilment should be idempotent on event id
}

Operations and resilience

Built to fail closed, not loud

The payments path is isolated per environment, deployed continuously and monitored around the clock. Secrets are managed in a hardware-backed store, infrastructure is described as code and reviewed, and we rehearse recovery so an incident is a runbook rather than a scramble.

  • Strict isolation between test and live keys, data and traffic.
  • Continuous dependency scanning and an independent annual penetration test.
  • Encrypted backups with tested restores and a documented RTO and RPO.
  • A coordinated disclosure program and a public status page for incidents.

What it means for your scope

Less surface to defend and prove

0
Card numbers on your servers
The raw PAN and CVC are tokenized before they leave the browser and never reach your code or storage.
SAQ A
The questionnaire you fill in
The shortest PCI self-assessment, because the regulated fields live with us, not you.
256-bit
Encryption at rest
AES-256 for stored data, with keys rotated and managed in a hardware-backed vault.
24/7
Monitoring and on-call
Anomaly detection on the payments path with a follow-the-sun rotation behind it.

Security questions

What a security reviewer asks us

Will adopting Naturpay reduce my PCI scope?

Yes. Because the card fields are served from our domain in an isolated frame and tokenized before submission, raw card data never enters your environment. That places a typical embedded integration at SAQ A, the lightest self-assessment, while you keep full control of the surrounding UI. Eligibility is confirmed with your acquirer or assessor, and SAQ A still covers the page that hosts the frame, so keep that page and its scripts under change control.

Where is cardholder data stored, and can I hold the raw number?

Card numbers are stored only in our isolated vault and represented to you as tokens. You receive the brand, expiry month and last four digits for display and reconciliation, never the full PAN or CVC. There is no setting that exposes raw card data to your application.

Which certifications and reports can you share?

We can provide our PCI DSS Attestation of Compliance and a SOC 2 Type II report under NDA, along with a security overview and the most recent independent penetration test summary. Reach out and our team will share the current package.

How do you handle strong customer authentication?

The SDK runs 3-D Secure 2 inline and applies exemptions where the rules allow, so genuine buyers usually pass without friction and a challenge appears only when the issuer or regulation demands it. You confirm the intent and the authentication result comes back as part of the response.

How are webhooks protected against forgery?

Each delivery is signed with an HMAC over the payload and a timestamp. A single verify call checks the signature and rejects anything outside a short tolerance window, which blocks forged and replayed requests. Events are also durable and replayable so you can recover from an outage without gaps.

How do you manage API keys and access?

Secret keys are scoped, rotatable and can be restricted to specific IP ranges, and publishable keys carry no privileged access. Dashboard access uses role-based permissions with mandatory two-factor and optional SSO, and every action is captured in an exportable audit log.

How do you report and respond to incidents?

We run a coordinated vulnerability disclosure program and publish uptime and incidents on a public status page. If an incident affects you, we notify impacted accounts with a timeline and remediation steps in line with our contractual and regulatory obligations.

Ship a checkout your security team signs off on

Keep card data out of your stack, inherit a Level 1 posture and hand your reviewers a clean SAQ A story. Start in test mode today, or talk to an engineer about your compliance requirements.