Data Protection & Privacy
Tapaya Accept is built to keep both payment data and personal data secure and private while reducing your compliance responsibilities. This section outlines how Tapaya handles cardholder data and personal data in line with PCI DSS and GDPR, and what you need to do when using Tapaya Accept.
Cardholder Data Security
Tapaya implements and maintains compliance with the Payment Card Industry standards (PCI DSS and PA‑DSS) for the security of payment data. By using Tapaya Accept as provided, developers and merchants can offload almost all regulatory and technical complexity related to cardholder data to Tapaya.
Tapaya Accept is designed so that all payment card data is collected, transmitted, and stored only by Tapaya’s PCI‑validated infrastructure and payment modules. This architecture keeps merchants and developers out of PCI DSS and PA‑DSS scope for handling cardholder data, because your systems never see or store full card numbers, CVV/CVC, or other sensitive authentication data.
Solutions integrating Tapaya Accept do not need additional PCI compliance validation for cardholder data when using the standard integration paths.
As your payment volume increases, your acquirer or payment partner may request that you complete a PCI Self‑Assessment Questionnaire (SAQ). Tapaya supports you in this process and provides assistance in completing your PCI validation form, reflecting that Tapaya is responsible for storing, processing, and transmitting cardholder data in a PCI‑compliant manner.
Personal Data Security
The General Data Protection Regulation (GDPR) is the EU’s data protection law that sets strict rules on how organisations collect, use, store, and share the personal data of individuals in the EU and EEA. For more details on GDPR, refer to the official regulation text via an overview or the consolidated legal text.
Tapaya designs its products and processes to comply with GDPR, including principles such as lawfulness, fairness, transparency, data minimisation, and security, so that developers can rely on Tapaya to process payment-related personal data in a compliant way. Please see our Privacy Policy at LINK.
What do you need to do?
When you use the official Tapaya Accept modules and follow the implementation guide, you do not handle raw cardholder data and do not need your own PCI‑validated payment application. You must not attempt to intercept, store, or log card numbers, CVV/CVC, PINs, or full track data outside Tapaya’s components.
Tapaya enables payment acceptance on mobile devices, which are inherently more exposed to malware, theft, and tampering than fixed payment terminals. It is essential that the entire device environment in which Tapaya Accept runs is secured and managed in line with the Device Security requirements.
You should:
- Integrate Tapaya only through the documented methods and avoid custom flows that bypass these controls.
- Maintain reasonable security of your own mobile app, devices, and accounts (for example access control, patching, and protection against malware).
- Provide and enforce your own merchant‑facing privacy notices under GDPR or equivalent laws.
- Ensure your own privacy policy describes your role as controller and mentions Tapaya as a payment technology provider where appropriate.