Investor Demo Mode

· Card Issuing Network (real API) · Universal Ledger (live) · No real funds moved
← Back to siteStart onboarding

Compliance

Regulatory posture · PCI · BSA · Privacy

63%

10/16 Controls Compliant

Last reviewed: March 2026

10 Compliant3 In Review3 In Progress

PCI DSS Target

L1

SAQ-D scope underway · Q4 2026

SOC 2

II

Audit scope defined · Q4 2026

Card Network

(3 controls)

PCI DSS Level 1

SAQ-D scope assessment underway. Targeting attestation Q4 2026.

In Progress

Visa/MC BIN Sponsorship

BIN ranges licensed through program sponsor bank.

Compliant

Network Tokenization

TSP certification in progress. Apple Pay provisioning pending network approval.

In Progress

Banking & Regulatory

(4 controls)

Bank Secrecy Act (BSA)

Framework documented. Regulatory obligation borne by sponsor bank under BaaS agreement.

Compliant

Reg E (Electronic Funds)

Error resolution procedures documented and implemented.

Compliant

Reg Z (Truth in Lending)

Applicable to credit programs. Credit partner bears obligation.

Compliant

UDAAP Review

Annual review in progress with external counsel.

In Review

Data & Privacy

(5 controls)

SOC 2 Type II

Audit scope defined. Type I assessment not yet initiated. Targeting Q4 2026.

In Progress

CCPA Compliance

Data mapping complete. DPA templates in place.

Compliant

GDPR (if applicable)

EU data not processed. Standard contractual clauses ready.

Compliant

Encryption at Rest

AES-256. PAN data encrypted. CVV never stored at rest.

Compliant

Encryption in Transit

TLS 1.3 enforced. HSTS enabled. Certificate pinning.

Compliant

Operational

(4 controls)

Vendor Due Diligence

Card Issuing Network, Fraud & Identity Layer, Second-Look Underwriting all SOC 2 Type II certified.

Compliant

Incident Response Plan

48-hour RTO. Runbooks documented. Tabletop completed.

Compliant

Business Continuity (BCP)

Annual BCP test scheduled for Q3 2026.

In Review

Penetration Testing

Annual pentest scoped. External vendor selected. Scheduled Q2 2026.

In Review

Compliance Disclosure

ShipCard operates as a technology vendor to fintech programs. Regulatory obligations (Reg E, Reg Z, BSA) are borne by the sponsoring bank and program manager. ShipCard provides technical infrastructure only and does not hold banking licenses, issue credit, or hold deposits. Compliance items marked “In Review” are advisory controls that do not create regulatory exposure for ShipCard or its customers as of the current date. This matrix is for internal tracking and investor due diligence purposes only.