Security & Compliance

Built with financial controls from the ground up

PayNestio handles payment data, sub-merchant PII, bank account credentials, and financial settlement flows. Every layer is designed with encryption, RBAC access controls, immutable audit logging, and financial compliance controls in mind — not added on afterward. PayNestio does not hold customer funds and is not a bank; these controls exist to protect payment data in transit and at rest, not to satisfy depositor protection requirements.

Security Architecture

Controls designed for financial infrastructure

Encryption in Transit & at Rest

All data in transit is encrypted with TLS 1.2+. Payment data, sub-merchant PII, and bank account credentials are encrypted at rest with AES-256. Card data is tokenized — no PAN stored in cleartext. Encryption keys are managed with envelope encryption and automated rotation policies.

BSA/AML Transaction Monitoring

Continuous Bank Secrecy Act-aligned anti-money laundering monitoring across all payment flows. Velocity checks, structuring pattern detection, and unusual payout behavior surface in your compliance dashboard. Alert thresholds are configurable per sub-merchant category and risk tier.
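As an added illustration of the two checks named above (velocity and structuring pattern detection), the following Python is example code written for this page, not PayNestio's monitoring engine. The per-tier velocity caps, the 24-hour window, and the transaction log are all constructed assumptions; the USD 10,000 figure is the currency transaction report threshold that structuring checks are typically built around.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Added example, not PayNestio's code: two BSA-style monitoring checks run
# over a constructed transaction log.
#   velocity:    too many transactions per sub-merchant inside a rolling
#                window, with the cap chosen by risk tier (caps are assumed)
#   structuring: several amounts just under the USD 10,000 reporting
#                threshold from one sub-merchant inside the same window

CTR_THRESHOLD = 10_000.00                # USD currency transaction report threshold
NEAR_BAND = 0.10                         # amounts in [9,000, 10,000) count as "just under"
STRUCTURING_MIN_COUNT = 3
WINDOW = timedelta(hours=24)
VELOCITY_LIMITS = {"low": 50, "medium": 20, "high": 5}   # assumed per-tier caps

# Constructed sample log: timestamp,sub_merchant,risk_tier,amount
SAMPLE_LOG = """\
2024-03-01T09:00:00,sm_1001,medium,9800.00
2024-03-01T11:30:00,sm_1001,medium,9500.00
2024-03-01T14:15:00,sm_1001,medium,9900.00
2024-03-01T09:05:00,sm_2002,high,120.00
2024-03-01T09:20:00,sm_2002,high,80.00
2024-03-01T10:10:00,sm_2002,high,95.00
2024-03-01T12:00:00,sm_2002,high,110.00
2024-03-01T15:45:00,sm_2002,high,60.00
2024-03-01T18:30:00,sm_2002,high,130.00
2024-03-01T10:00:00,sm_3003,low,15000.00
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV-style log into dicts sorted by timestamp."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sub_merchant, tier, amount = line.split(",")
        txns.append({"ts": datetime.fromisoformat(ts), "sub_merchant": sub_merchant,
                     "tier": tier, "amount": float(amount)})
    txns.sort(key=lambda t: t["ts"])
    return txns


def _by_merchant(txns: List[Dict]) -> Dict[str, List[Dict]]:
    groups: Dict[str, List[Dict]] = defaultdict(list)
    for t in txns:
        groups[t["sub_merchant"]].append(t)
    return groups


def velocity_alerts(txns: List[Dict], limits: Dict[str, int] = VELOCITY_LIMITS,
                    window: timedelta = WINDOW) -> List[Dict]:
    """Flag a sub-merchant whose peak transaction count in any rolling window exceeds its tier cap."""
    alerts = []
    for sm, group in _by_merchant(txns).items():
        limit = limits[group[0]["tier"]]
        recent: Deque[datetime] = deque()
        peak = 0
        for t in group:                       # group is already time-ordered
            recent.append(t["ts"])
            while t["ts"] - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > limit:
            alerts.append({"kind": "velocity", "sub_merchant": sm, "count": peak, "limit": limit})
    return alerts


def structuring_alerts(txns: List[Dict], threshold: float = CTR_THRESHOLD, band: float = NEAR_BAND,
                       window: timedelta = WINDOW, min_count: int = STRUCTURING_MIN_COUNT) -> List[Dict]:
    """Flag clusters of just-under-threshold amounts whose sum crosses the threshold."""
    low = threshold * (1 - band)
    alerts = []
    for sm, group in _by_merchant(txns).items():
        near = [t for t in group if low <= t["amount"] < threshold]
        recent: Deque[Dict] = deque()
        best = None
        for t in near:
            recent.append(t)
            while t["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            total = sum(x["amount"] for x in recent)
            if len(recent) >= min_count and total >= threshold:
                if best is None or total > best["total"]:
                    best = {"count": len(recent), "total": round(total, 2)}
        if best is not None:
            alerts.append({"kind": "structuring", "sub_merchant": sm, **best})
    return alerts


def run_monitoring(text: str = SAMPLE_LOG) -> List[Dict]:
    """Run both checks and return the combined alert list."""
    txns = parse_log(text)
    return velocity_alerts(txns) + structuring_alerts(txns)


if __name__ == "__main__":
    for alert in run_monitoring():
        print(alert)
```

On the constructed log, sm_1001 trips the structuring check (three amounts between 9,500 and 9,900 within a day, summing well past the threshold), sm_2002 trips the high-tier velocity cap with six transactions in under ten hours, and sm_3003's single 15,000 transaction produces no alert because a transaction above the threshold is reportable rather than structured. Making the tier caps and window parameters of the functions is what lets the thresholds be tuned per category and risk tier, as the paragraph describes.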

KYC/KYB-enforced Onboarding

Every sub-merchant undergoes KYC/KYB verification — including beneficial ownership identification per FinCEN CDD rules — before receiving disbursements. Risk scoring determines approval path. Declined merchants are blocked at the payment routing layer before any payout is queued.

Immutable Audit Logs

Every API call, settlement event, KYC decision, and configuration change is logged with timestamp and actor identity. Audit logs are append-only and cannot be modified — available for your compliance team via API.
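To make the "append-only, cannot be modified" property concrete, here is an added example of a hash-chained audit log. It is illustrative code written for this page, not PayNestio's logging implementation; the in-memory list storage, the event names and the actor identifiers are assumptions. Each entry records the SHA-256 of the entry before it, so a record that is edited, deleted or reordered after the fact is detectable by anyone holding the exported log.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

# Added example, not PayNestio's code: an append-only, tamper-evident audit
# log. Every entry stores the SHA-256 of the previous entry; verify_chain()
# walks the chain and reports the first entry that no longer matches.
# Storage is an in-memory list here (assumption); a real deployment would
# persist entries and anchor the latest hash where the writer cannot reach it.

GENESIS = "0" * 64  # prev_hash of the very first entry


def canonical(record: Dict) -> bytes:
    # Key-sorted, whitespace-free JSON so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body: Dict) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[Dict] = []

    def append(self, timestamp: str, actor: str, action: str, detail: Dict) -> Dict:
        # The only write path: there is deliberately no update or delete method.
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        entry = dict(body, hash=entry_hash(body))
        self._entries.append(copy.deepcopy(entry))   # caller keeps no handle into the log
        return entry

    def entries(self) -> List[Dict]:
        # Deep copies, so an exporting API or its callers cannot mutate the stored log.
        return copy.deepcopy(self._entries)


def verify_chain(entries: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return i          # gap, reorder or deletion
        if entry_hash(body) != entry.get("hash"):
            return i          # content edited after the hash was computed
        expected_prev = entry["hash"]
    return None


def build_sample_log() -> AuditLog:
    # Constructed events of the kinds the page lists; actors and ids are made up.
    log = AuditLog()
    log.append("2024-03-01T09:00:00Z", "api_key:key_demo_01", "api.payout.create",
               {"payout_id": "po_0001", "amount": 2500.00})
    log.append("2024-03-01T09:05:00Z", "user:compliance.analyst@platform.example", "kyc.decision",
               {"sub_merchant": "sm_1001", "decision": "declined"})
    log.append("2024-03-01T09:10:00Z", "user:admin@platform.example", "config.update",
               {"setting": "aml.velocity_limit.high", "old": 5, "new": 10})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    exported = log.entries()
    print("intact:", verify_chain(exported) is None)
    exported[1]["detail"]["decision"] = "approved"   # simulate an after-the-fact edit
    print("first bad entry after tampering:", verify_chain(exported))
```

The chain only proves integrity relative to its head: a verifier needs the latest hash from a source the log writer cannot rewrite (a signed checkpoint, a write-once bucket, or a copy held by the compliance team) to rule out a rewrite of the whole chain. Export-by-API as the page describes fits this model naturally, since each export can be checked against the previous one.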

Access Controls & RBAC

Platform administrators define role-based access to settlement data, compliance views, and KYC approvals. API keys are scoped to resource types. MFA is enforced for dashboard access. API key rotation is supported without downtime.

Network Isolation

Payment processing runs in a logically isolated network segment. Inbound access is restricted to authenticated API endpoints. Internal services communicate via private networking with mTLS.

Compliance Posture

Designed with financial regulatory requirements in mind

PayNestio operates as a PayFac-as-a-Service provider in a regulated financial environment. The controls below reflect the obligations that come with facilitating payments, onboarding sub-merchants, and originating ACH transactions. PayNestio does not provide legal or compliance advice — platform partners have independent regulatory obligations that vary by vertical, jurisdiction, and business model.

Bank Secrecy Act (BSA)

PayNestio maintains an AML program aligned with BSA requirements. Transaction monitoring, SAR escalation procedures, and CDD controls are part of the baseline operations — not add-ons.

IRS 1099-K Reporting

Automated 1099-K tracking, form generation, and IRS electronic filing for all qualifying sub-merchants. Designed to satisfy the IRS reporting obligations that arise when platforms facilitate payments to independent contractors.

OFAC Screening

All new sub-merchants are screened against OFAC SDN and consolidated sanctions lists during onboarding and on an ongoing basis. Matches are flagged and held before payout execution.

PCI DSS Scope Reduction

Card payment capture using PayNestio's hosted fields or iFrame components keeps cardholder data off your platform's servers, reducing your PCI DSS scope to SAQ A for card-not-present flows. PayNestio's payment capture infrastructure is designed with PCI DSS controls in mind. PayNestio does not hold a formal PCI DSS Level 1 certification at this stage — consult a Qualified Security Assessor (QSA) for your specific compliance requirements.

PayNestio is not a bank and does not provide money transmission licensing. Platform partners have independent compliance obligations depending on their vertical, jurisdiction, and sub-merchant base. We work with partners during onboarding to understand their compliance context — and refer complex regulatory questions to appropriate legal or compliance counsel.

Security Questions?

We're happy to walk through our controls

For platform partners with specific compliance requirements, we offer a technical security review during onboarding.