Security

Built to pass your security review, not just your sales call.

The questions your team asks before signing with any payment processor — answered up front, not buried in a PDF you have to request three times.

Compliance & Data Protection

How we handle cardholder data

The foundational requirements for any organization that touches card data.

PCI DSS Compliance

Merchantic operates in accordance with PCI DSS requirements as a registered ISO. Attestation of Compliance and SAQ documentation are available to your security or compliance team on request.

Encryption In Transit & At Rest

All data in transit is encrypted via TLS 1.2 or higher. Sensitive data at rest is encrypted, with access limited to systems and personnel that require it.

Tokenization

Card data is tokenized at the point of entry, so raw card numbers never need to touch your systems. See our tokenization documentation for implementation detail.

Risk & Monitoring

How we watch for problems before they become losses

Underwriting is the first layer. Ongoing monitoring is the second.

Transaction Monitoring

Processing activity is monitored on an ongoing basis for patterns consistent with fraud, testing, or account takeover — not just reviewed once at onboarding.

Individual Underwriting

Every account is underwritten on its own risk profile rather than a blanket template, which means risk controls are actually matched to how your business operates.

Chargeback & Dispute Support

Dedicated support for representment and dispute response, plus guidance on the process controls that prevent chargebacks before they happen. More detail in our Resources page.

Infrastructure & Access

How the platform itself is protected

The operational controls that don’t make headlines but matter during a vendor security review.

Infrastructure Uptime

Built on redundant processing infrastructure targeting 99.99% platform uptime, with monitoring and failover in place for the systems that handle live transactions.

Least-Privilege Access

Internal access to sensitive systems and merchant data is role-based and limited to what a given team member needs to do their job.

Ongoing Vulnerability Management

Systems are regularly scanned and reviewed for vulnerabilities as part of standard operating procedure, consistent with PCI DSS requirements.

Evaluating Merchantic as part of a formal vendor security review? We’re glad to provide our Attestation of Compliance, SAQ, and answer a security questionnaire directly — reach out below and we’ll route it to the right person.

Have a security questionnaire to send us?

We'd rather answer it directly than make your team dig for a PDF. Reach out and we'll get it back to you promptly.

Contact Our Team