Compliance is a continuous process, not a milestone
The first time your platform gets a scheme letter demanding an action within fourteen days, you realise compliance isn’t a one-off go-live step. Visa publishes roughly 240 operational bulletins a year across AP region alone. Mastercard’s Rule Manual updates quarterly. PCI DSS v4.0 transitions controls until 2028. MAS, BSP, BNM, BOT, BI, SBV, FSC Korea, each publishes its own payment-system regulations in its own language on its own cadence. Reading all of that and doing nothing about it requires a full-time specialist. Acting on it requires a team.
Tap Certify is that team. We read. We triage. We draft. We file. We respond to regulator follow-ups. We keep the evidence library audit-ready. Your engineers don’t see a bulletin, they see a Jira ticket, already scoped, for the one scheme change that needs a code edit.
What Tap Certify covers
Scheme operating rules
- Bulletin monitoring & quarterly impact reports
- Annual scheme compliance attestation
- VAMP / AER / MATCH program responses
- Chargeback & dispute policy alignment
- BIN assignment & expansion filings
Technical certifications
- EMVCo L1, L2, L3 re-cert on kernel updates
- PCI DSS annual on-site assessment
- PCI MPoC, P2PE, PIN Security audits
- SOC 2 Type II, ISO 27001, ISO 22301
- 3DS 2.x scheme directory registration
Central-bank & regulator
- Payment services licences & renewals
- Periodic regulatory returns (quarterly, annual)
- FX, AML/CFT, and e-money filings
- Sanctions screening programme attestations
- Incident notifications within regulator SLA
How we work with your team
Tap Certify is a managed service with a portal attached, not a portal with humans on call. Every platform customer is assigned a named compliance lead who sits in your Slack and knows your product shape. They surface the things that need your attention, hold back the things that don’t, and handle the long tail of specialist correspondence that would otherwise become your problem.
- Weekly bulletin digest, filtered for things your markets and product actually touch, with a recommended action on each.
- Quarterly control review, a 45-minute readout of what’s changed, what’s been filed, and what needs a decision from you.
- Annual attestation cycle, we prepare every scheme, PCI, and regulator attestation your platform signs; you review and sign.
- Incident response, when something breaks, we handle the scheme and regulator notifications in parallel with your engineering response. One less thing to think about at 3am.
The evidence library
Every filing, every audit report, every scheme attestation, and every piece of regulator correspondence we handle for you lives in a structured, searchable evidence library your compliance team can access at any time. When a customer’s enterprise InfoSec questionnaire lands on your desk asking for your SOC 2 Type II report, your PCI AoC, and your PS Act registration number, three clicks, three PDFs, done. When a scheme auditor calls for a pre-arranged control walk-through in March, every document they’ll ask about is already in the binder.
Why this matters to your board
Two things kill a payment platform: a scheme membership suspension and a central-bank stop-work order. Both are preceded, in almost every case, by documented evidence of missed filings or unresolved bulletin responses. Tap Certify exists because this is the kind of work that looks unimportant right up until the month it’s the only thing that matters, and no platform we’ve ever worked with has regretted outsourcing it to people who do nothing else.
Frequently asked questions
Do we have to use Tap Certify if we use Tap Core?+
Tap Core’s own certifications (EMVCo L1/L2/L3, PCI MPoC, PCI DSS for the hosting environment) are included, you don’t pay for those separately. Tap Certify is the add-on for your platform’s attestations, regulator filings, and scheme-compliance work that sit on top.
Can you work with our existing QSA or law firm?+
Yes. Many enterprise customers keep their own QSA and outside counsel; Tap Certify coordinates directly with them, provides the evidence they need, and handles the scheme- and regulator-facing correspondence where we have first-hand knowledge.
What languages do you file in?+
English, Japanese, Thai, Vietnamese, Bahasa Indonesia, Bahasa Malaysia, Tagalog, and Korean, all regulator submissions are drafted and filed in the local official language by native speakers on our compliance team.
Is Tap Certify available for platforms not using Tap Core?+
Yes. A number of Tap Certify customers are established acquirers or PSPs who license only the compliance service, because keeping up with APAC scheme and regulator filings is expensive to staff, even when the underlying payment engine is yours.
What’s the SLA if the regulator demands a response?+
Four business hours for initial triage, scheme-specified or regulator-specified deadline for full response. Every incoming communication is logged, assigned, and tracked to close, with your account lead on copy.