
PCI Compliance at Tapped

Tapped holds PCI-DSS Level 1 service-provider attestation and carries the scheme-level PCI PIN, 3DS, CPoC, and SPoC certifications required to operate a tap-to-pay network. This page summarises the scope of our attestation, the responsibility split with our platform customers, and how to get our documents.

Validation level: Level 1 Service Provider
Standard: PCI-DSS v4.0.1
QSA: Coalfire Asia Pacific
Last AoC: March 2026

Tapped is a PCI-DSS Level 1 service provider. That is the highest validation level for entities that store, process, or transmit cardholder data on behalf of others. An external Qualified Security Assessor (QSA) validates our compliance every year and issues an Attestation of Compliance (AoC). We also undergo quarterly external ASV scans.

As a tap-to-pay infrastructure provider we hold several scheme-specific certifications beyond the baseline. PCI PIN covers cardholder-PIN protection; PCI 3DS covers the authentication server and access control components; SPoC and CPoC cover software-based PIN entry and contactless acceptance on consumer devices. Each is audited separately and has its own evidence package.

You can shrink your PCI-DSS footprint to almost zero by integrating Tapped correctly. Our SDKs are designed so that no cardholder data passes through your servers: the card number, expiry, CVV, and PIN stay inside the certified enclave on the device and leave it only over a TLS 1.3 channel to Tapped. That reduces most platform integrations from the full SAQ D workload to SAQ A.

Shared responsibility

Who does what, by PCI-DSS requirement. This is the summarised view; the full matrix is delivered alongside our AoC under NDA. T = Tapped responsibility, P = Platform responsibility, S = Shared.

PCI-DSS domain | Scope | Responsibility
1. Firewall & network segmentation | Between Tapped and the cardholder data environment | T
2. Secure default configurations | Tapped-owned systems and SDKs | T
3. Stored cardholder data | We don’t pass it back; you don’t store it | T
4. Encryption in transit | TLS 1.3 from device → Tapped → scheme | T
5. Anti-malware on your admin workstations | Your corporate IT | P
6. Secure software development | Your integration code + our SDK | S
7. Access control, need to know | Tapped Dashboard permissions you configure | S
8. User identification & auth | SSO, MFA, role-based access | S
9. Physical security | Your offices / terminals, if applicable | P
10. Logging & audit | Tapped side: covered. Your side: your access to our dashboard | S
11. Security testing | Annual pentest of the combined solution | S
12. Information security policy | Your own policy, referencing this responsibility matrix | P

Frequently asked

What SAQ applies to my platform?

If you integrate the Tap Terminal SDK as documented and do not surface raw card data in your own UI or servers, you almost always qualify for SAQ A as a merchant-initiated transaction with full outsourcing of the cardholder data environment. A handful of complex integrations (for example, custom PAN entry for card-on-file scenarios) stay at SAQ A-EP or D. Your acquiring bank makes the final call; we’re happy to review your integration with your QSA.

How do I get a copy of the Tapped AoC?

Email hello@tapped.cc with your company name, intended use, and the name of any QSA or auditor who will also receive it. We send the AoC and the responsibility matrix within one business day under a short confidentiality cover letter; paying customers can also download these from the dashboard.

Is Tapped on the Visa Global Registry and the Mastercard SDP list?

Yes, Tapped Pte Ltd is listed in both registries as a compliant service provider. Direct links are in the footer of our AoC and on the Licences page with the scheme registration IDs.

Do you store full card numbers?

Only where a merchant has a documented business reason (recurring billing, card-on-file, dispute handling) and the end customer has consented. Storage uses PCI-DSS requirement 3.5-compliant encryption with tokenisation available as the default, so your systems only see tokens. Merchants can opt out of storage entirely.

What happens if you have a breach?

We notify your designated security contact within 72 hours of confirming a breach that affects your cardholder data. We work with the schemes and affected regulators on any mandated notifications. Our DPA sets out the contractual obligations; our security page describes the incident-response operation.

What does “PIN-on-Glass” actually mean for compliance?

PIN entry happens inside a secure software keyboard that Tapped provides as a certified SDK, certified to PCI SPoC v2 in most markets. The PIN never enters your app’s memory space and is encrypted with a key that only the HSM downstream can unwrap. For liability purposes it is functionally equivalent to a PIN entered on a hardware terminal.

How does Tapped support my own PCI audit?

Customers on any plan get a shared-responsibility workbook, a sample RoC narrative for the Tapped dependency, and an assessor-to-assessor call with our QSA at no cost once per audit cycle. Enterprise plans include a named compliance engineer for the duration of your audit.

Compliance & trust

Need our AoC, RoC, or pentest report?

All three are available to prospects under a short NDA and to customers directly from the dashboard. Your audit will move faster when ours is already on the desk.