Investor Demo Mode

Sandbox environment · All data is simulated · No real funds or cards

Compliance

Regulatory posture · PCI · BSA · Privacy

81%

13/16 Controls Compliant

Last reviewed: March 2026

13 Compliant · 2 In Review · 1 In Progress

PCI DSS Level 1 · SAQ-D · Audited Jan 2026

SOC 2 Type I · Type II in progress Q2 2026

Card Network

(3 controls)

PCI DSS Level 1

Annual SAQ-D attestation. Last audit: Jan 2026.

Compliant

Visa/MC BIN Sponsorship

BIN ranges licensed under Coastal Community Bank.

Compliant

Network Tokenization

TSP token flow certified for Apple Pay provisioning.

Compliant

Banking & Regulatory

(4 controls)

Bank Secrecy Act (BSA)

AML/KYC program in place. SAR filing threshold monitored.

Compliant

Reg E (Electronic Funds)

Error resolution procedures documented and implemented.

Compliant

Reg Z (Truth in Lending)

Applicable to credit programs. Credit partner bears obligation.

Compliant

UDAAP Review

Annual review in progress with external counsel.

In Review

Data & Privacy

(5 controls)

SOC 2 Type II

Audit scheduled for Q2 2026. Type I complete.

In Progress

CCPA Compliance

Data mapping complete. DPA templates in place.

Compliant

GDPR (if applicable)

EU data not processed. Standard contractual clauses ready.

Compliant

Encryption at Rest

AES-256. PAN data encrypted. CVV never stored at rest.

Compliant

Encryption in Transit

TLS 1.3 enforced. HSTS enabled. Certificate pinning.

Compliant

Operational

(4 controls)

Vendor Due Diligence

Lithic, Sardine, Pagaya all SOC 2 Type II certified.

Compliant

Incident Response Plan

48-hour RTO. Runbooks documented. Tabletop completed.

Compliant

Business Continuity (BCP)

Annual BCP test scheduled for Q3 2026.

In Review

Penetration Testing

Annual external pentest. Last: Feb 2026. No criticals.

Compliant

ShipCard operates as a technology vendor to fintech programs. Regulatory obligations (Reg E, Reg Z, BSA) are borne by the sponsoring bank and program manager. ShipCard provides technical infrastructure only and does not hold banking licenses, issue credit, or hold deposits. Compliance items marked “In Review” are advisory controls that do not create regulatory exposure for ShipCard or its customers as of the current date. This matrix is for internal tracking and investor due diligence purposes only.