Compliance

Built to meet card scheme and regulatory expectations

VeloxaPay is a payment orchestration and technology platform. We do not acquire funds or issue e-money — but we operate to the standards that the providers we connect to require.

Regulatory model

VeloxaPay is operated by HD ENTERPRISE CO., LIMITED, a Hong Kong incorporated technology company. Funds settle through merchants' own contracted PSPs and acquiring banks under those providers' licences. VeloxaPay does not take custody of merchant or end-customer funds and is not a deposit-taking institution.

PCI-DSS

The card data environment is operated as a Level 1 service provider scope, with annual external assessment by a Qualified Security Assessor (QSA) currently in progress. Cardholder data is restricted to the tokenization vault and forwarded to acquirers over mutually-authenticated TLS. SAQ-A is achievable for merchants using our hosted fields integration.

PSD2 / SCA

For EEA and UK card flows, VeloxaPay supports 3-D Secure 2.x, frictionless authentication, and exemption logic (low value, TRA, MIT) at the routing layer. Authentication outcomes are stored against each transaction so merchants can prove compliance to acquirers and schemes.

Data protection — GDPR & PDPO

  • VeloxaPay acts as a data processor for merchant personal data and a controller for service-operations data only.
  • EU/UK data flows are covered by Standard Contractual Clauses and the UK IDTA where applicable.
  • Subject access, deletion and portability requests are routed to merchants and supported by privileged tooling.
  • Hong Kong activities are governed by the Personal Data (Privacy) Ordinance (PDPO).

Sanctions & AML

We screen merchant principals at onboarding against UN, EU, UK (HMT/OFSI), US (OFAC) and HKMA sanctions lists, with ongoing rescreening. Suspicious activity escalations follow a documented procedure aligned to Hong Kong AMLO guidance. Merchants are contractually required to operate their own KYC/AML programme over their end-customers.

Card scheme rules

VeloxaPay integrations are designed to keep merchants compliant with Visa, Mastercard, American Express, JCB, Discover and UnionPay rules — including descriptor formatting, MCC integrity, MIT/CIT flagging, account updater, and Visa/Mastercard chargeback monitoring programs.

Documentation

Existing merchants and prospects under NDA can request our DPA, sub-processor list, SOC roadmap, PCI AOC (when issued), and pen-test executive summary from compliance@veloxapay.com.