Security Bank-grade, plainly explained

Serious security, in plain words.

Your customers' card details and your money deserve the highest bar — so we hold it, and we explain it without the jargon. Here's exactly how Korumiapay keeps everything safe, certified by the people whose job is to check.

PCI DSS L1: The highest card-data standard — your customers never trust us with less.
SOC 2 Type II: Independently audited controls for security, availability and privacy.
PSD2 SCA: Strong customer authentication, handled for you where Europe requires it.
GDPR: EU data protection by design, with data stored in European regions.
01 Compliance, done for you

The hard rules, kept off your plate.

Card data never touches your servers — it goes straight to Korumiapay, tokenised, so the heaviest compliance burden simply isn't yours to carry. We keep the certifications current and renew them on schedule, so you don't have to think about any of it.

  • You stay out of PCI scope — card details are captured by us, never stored by you.
  • SCA handled automatically — 3-D Secure prompts only when they're actually needed.
  • Identity checks built in — KYC and sanctions screening run quietly during onboarding.
  • Always current — we renew PCI, SOC 2 and ISO on schedule, every year.
[Diagram: Card, Token, Your shop. Caption: Sees the token, never the card.]
02 Encryption everywhere

Locked in transit, locked at rest.

Every byte that moves between your shop, your customer and Korumiapay travels over modern TLS. Everything we store is encrypted on disk with keys we rotate regularly and guard in a hardware vault. Access is logged, least-privilege, and reviewed.

  • TLS 1.3 in transit — nothing sensitive crosses the wire in the clear.
  • AES-256 at rest — stored data is encrypted with regularly rotated keys.
  • Hardware-backed keys — key material lives in an HSM, never in our code.
  • Logged access — every touch of sensitive data is recorded and reviewed.
03 Trust center

What we'll happily show you.

Security you can't inspect is just a promise. We publish our status, share our audit reports under a simple NDA, and run a real-world vulnerability disclosure programme. If something breaks, you'll hear it from us, clearly and quickly.

  • Live status page — uptime and incidents, in the open, in real time.
  • Audit reports on request — SOC 2, PCI AOC and ISO certificates under NDA.
  • Responsible disclosure — a security.txt at our root and a researcher programme.
  • Honest incident comms — plain-language updates, never buried in legalese.
Payments API: Operational, 100%
Checkout: Operational, 100%
Payouts: Operational, 100%
Dashboard: Operational, 99.99%

Need the full report?

Send us a note and we'll share our SOC 2 Type II report, PCI attestation and ISO certificates under a simple NDA — usually the same working day.