Enterprise-Level Security

Customer payment data. Never your liability.

Alternative Payments is SOC 2 Type 2 certified, PCI-DSS Level 1 compliant, and built on AWS. Card numbers are tokenized the moment they are captured. Our security team runs the controls every day, not just at audit time.

Trusted by 1,000+ service businesses nationwide

Top-notch security features

Strict access controls

Compliance monitoring

Regular security audits

Protocol adherence

Protecting you and your customers.

Payment data is tokenized at capture, encrypted in transit via TLS 1.2 or higher, and never stored on systems your team can access. Access is role-based, with four permission levels scoped to what each team member actually needs. MFA is available on both the partner dashboard and the Customer Portal.

The certifications, and the work behind them.

Compliance is not a logo on a page. It is a posture our team maintains every day. Two standards your auditors will ask about.


PCI-DSS Level 1 compliance

The highest level of payment card security available. Card data is tokenized at capture and routed directly to the card networks. Card numbers never sit on your systems. Your PCI scope shrinks the day you connect.


SOC 2 Type 2 compliance

An independent third-party audit of our security, availability, and confidentiality controls, refreshed every year. The full report is available under NDA. Your CISO can read it before you sign.

Frequently Asked Questions

Several layers working together. Card numbers are tokenized at capture and never touch your systems. Data is encrypted in transit via TLS 1.2 or higher and is also encrypted at rest. Access is role-based across four permission levels, logged, and protected by MFA. Our security team monitors continuously and runs incident response on call.

PCI-DSS is the security standard every company that handles credit card data must meet. Alternative Payments is certified at Level 1, the highest tier, which means we have been independently audited against the full standard. When you process through Alternative Payments, the scope of your own PCI obligations shrinks, because the sensitive data never lives on your side.

SOC 2 Type 2 is an independent audit of how a company operates its security, availability, and confidentiality controls over a sustained period. Type 2 means the auditor verified the controls were working over time, not just on a single day. Alternative Payments completes a SOC 2 Type 2 audit every year. The full report is available under NDA.

Yes, when it is built right. Alternative Payments runs on Amazon Web Services, which is itself SOC 2, ISO 27001, and PCI-DSS-certified. We layer our own controls on top: tokenization, encryption via TLS 1.2 or higher, role-based access across four permission levels, MFA, and continuous monitoring. The result is a stronger security posture than most service businesses could build on their own.

Card numbers are tokenized at capture. The actual card number is replaced with a token and routed directly to the card networks. Your team never sees the full number. We never store the full number. If our system were breached, there is no usable card data to take.

Yes. MFA is available on both the partner dashboard and the Customer Portal. Partners and their customers can set it up using any TOTP-compatible authenticator app, including Google Authenticator, Microsoft Authenticator, Authy, and 1Password.


See the security posture your CISO will sign off on.

Book a demo to walk through the controls, see the audit reports, and meet the team behind them.