Security

Defence-in-depth for payments infrastructure

Cardholder data, merchant credentials and orchestration logic are protected by layered controls — from network segmentation through to per-request authorization.

Cardholder data & the vault

Card numbers (PANs) entered through VeloxaPay-hosted fields or our server-to-server API are tokenized inside a PCI-DSS scoped vault. The PAN never reaches merchant systems and never appears in logs, queues, analytics, backups or support tooling. Tokens are merchant-bound and PSP-agnostic — the same token can be used at any connected acquirer.

Encryption

  • TLS 1.2+ enforced on every public endpoint; HSTS, modern cipher suites only.
  • AES-256 at rest for primary stores and backups; per-tenant data keys wrapped by KMS-managed master keys.
  • Hardware-backed key custody; quarterly rotation; dual-control destruction of retired keys.

Access control

  • Single sign-on with hardware-key MFA mandatory for all staff.
  • Just-in-time, time-boxed production access; every action logged to an append-only audit store.
  • Least-privilege IAM, reviewed quarterly. No shared accounts. No long-lived production credentials on laptops.

Network & infrastructure

  • Segmented VPCs separating the cardholder data environment from corporate, analytics and CI networks.
  • WAF, anti-bot and rate limiting at the edge; volumetric DDoS protection upstream.
  • Multi-region active-active deployment with automated failover; RPO ≤ 1 minute, RTO ≤ 15 minutes.

Application security

  • Mandatory peer review and SAST/DAST gates on every merge.
  • Continuous dependency and container scanning; signed builds and immutable deploys.
  • Annual penetration tests by an independent third party; remediation tracked publicly to executives.

Monitoring & incident response

A 24/7 on-call rotation watches over routing, authorization and fraud signals. Security telemetry is correlated in a SIEM with automated detections for credential misuse, anomalous API patterns and exfiltration attempts. Confirmed incidents follow a documented response runbook with merchant notifications inside the contractual SLA.

Responsible disclosure

We welcome security researchers. Report findings to security@veloxapay.com. Please do not test against production merchant traffic and give us reasonable time to remediate before public disclosure. We acknowledge every valid report and offer recognition for high-impact findings.