Investor Demo Mode · Card Issuing Network (real API) · Universal Ledger (live) · No real funds moved

Compliance

Regulatory posture · PCI · BSA · Privacy

25%

4/16 Controls Compliant

Last reviewed: March 2026

4 Compliant · 6 In Review · 6 In Progress

L1

SAQ-D scope underway · Q4 2026

II

Audit scope defined · Q4 2026

Card Network

(3 controls)

PCI DSS Level 1

SAQ-D scope assessment underway. Targeting attestation Q4 2026.

In Progress

Visa/MC BIN Sponsorship

BIN ranges licensed through program sponsor bank.

Compliant

Network Tokenization

TSP certification in progress. Apple Pay provisioning pending network approval.

In Progress

Banking & Regulatory

(4 controls)

Bank Secrecy Act (BSA)

Framework documented. Regulatory obligation borne by sponsor bank under BaaS agreement.

Compliant

Reg E (Electronic Funds)

Error resolution obligations borne by sponsor bank. ShipCard policy template drafted.

In Progress

Reg Z (Truth in Lending)

Applicable to credit programs only. Credit partner bears obligation under BaaS agreement.

In Progress

UDAAP Review

Annual review in progress with external counsel.

In Review

Data & Privacy

(5 controls)

SOC 2 Type II

Audit scope defined. Type I assessment not yet initiated. Targeting Q4 2026.

In Progress

CCPA Compliance

Data inventory underway. DPA templates being finalized.

In Review

GDPR (if applicable)

EU data not currently processed. Standard contractual clauses being prepared.

In Review

Encryption at Rest

AES-256. PAN data encrypted. CVV never stored at rest.

Compliant

Encryption in Transit

TLS 1.3 enforced. HSTS enabled. Certificate pinning.

Compliant

Operational

(4 controls)

Vendor Due Diligence

Core vendors under review. Card Issuing Network and Fraud Layer maintain independent SOC 2 certifications.

In Review

Incident Response Plan

IRP template adopted. Runbooks in draft. Tabletop exercise not yet scheduled.

In Progress

Business Continuity (BCP)

Annual BCP test scheduled for Q3 2026.

In Review

Penetration Testing

Annual pentest scoped. External vendor selected. Scheduled Q2 2026.

In Review

ShipCard operates as a technology vendor to fintech programs. Regulatory obligations (Reg E, Reg Z, BSA) are borne by the sponsoring bank and program manager. ShipCard provides technical infrastructure only and does not hold banking licenses, issue credit, or hold deposits. Compliance items marked “In Review” are advisory controls that do not create regulatory exposure for ShipCard or its customers as of the current date. This matrix is for internal tracking and investor due diligence purposes only.