Data Compliance

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle primary account numbers (PANs) and other cardholder data from major card schemes such as Visa and Mastercard. The standard is administered by the Payment Card Industry Security Standards Council and exists to reduce credit card fraud through consistent security controls.

Abrantix and PCI-DSS

 Payment security is at the core of what Abrantix does. Our teams have extensive experience designing, implementing, and auditing payment systems that operate within PCI-DSS scope. Abrantix products and services are built with PCI-DSS requirements in mind from the ground up. Where our solutions touch cardholder data environments, we apply the technical and organizational controls required by the standard.

Payment Platform: in PCI-DSS scope

The Abrantix Payment Platform processes cardholder data as part of its core function and operates fully within PCI-DSS scope. The Payment Platform is designed and maintained in accordance with PCI-DSS requirements, ensuring that all handling of PANs and related data meets the security standards mandated by the card schemes.

ReconHub: out of PCI-DSS scope

ReconHub does not process complete PANs, cryptographic key material, or other PCI-relevant cardholder data. It is therefore out of scope for PCI-DSS.

Where ReconHub receives transaction data that includes card information, PANs are either absent or already truncated by the upstream data provider, in line with their own PCI compliance obligations. These providers include POS solution providers, payment processors, and payment service providers.

In specific cases, such as ep2 transactions, ReconHub may receive enciphered PANs as part of a transaction receipt. In these situations, Abrantix does not hold or have access to the key material needed to decrypt the data. Responsibility for the PCI compliance of enciphered PANs lies with the data provider — in the ep2 case, the payment terminal.

ReconHub and PCI

What is PCI-PIN?

The PCI PIN Security Standard defines requirements for the secure management, processing, and transmission of personal identification numbers (PINs) during card-based payment transactions. It applies specifically to organizations involved in the acceptance and processing of PIN-based payments — primarily through payment terminals and other point-of-interaction (POI) devices. The standard covers how PINs are entered, encrypted, and transmitted, as well as the management of the encryption keys that protect PIN data end-to-end. Like PCI-DSS, it is administered by the Payment Card Industry Security Standards Council. 

Payment Platform Processing: PCI-PIN certified

The Abrantix Payment Platform Processing operates as a PIN-processing environment and is PCI-PIN certified. This confirms that all PIN handling within the processing infrastructure meets the security requirements mandated by the payment industry for the secure transmission and management of encrypted PIN data.

Payment Acceptance: PCI-PIN certified

Abrantix's Payment Acceptance solutions, including terminal software and point-of-interaction implementations, are PCI-PIN certified. This gives you the assurance that PIN entry, encryption, and transmission, as well as key loading and key exchange within the acceptance environment, comply with the highest security standards required by the card schemes.

What is SOC 1 Type 2?

 A SOC 1 Type 2 report is an independent audit that confirms a service provider's internal controls relevant to financial reporting are properly designed and effective in practice. The Type 2 designation is key: the auditor does not simply verify that controls exist on paper. They test whether those controls operated effectively over a defined period. 

ReconHub is SOC 1 Type 2 audited

SOC 1 Type 2 is a product-level certification. At Abrantix, it applies specifically to ReconHub — not to Abrantix as a company. ReconHub has successfully completed a SOC 1 Type 2 audit, with controls independently tested over a twelve-month period.

This is relevant because ReconHub sits between your operational transaction systems — point-of-sale, payment service providers — and your general ledger. The accuracy and reliability of its reconciliation output directly affects your financial reporting. The SOC 1 Type 2 report gives you and your auditors independent confirmation that these processes are built on solid, tested controls across six areas: data security and access, system availability, financial interfaces, change management, incident handling, and audit trails.

Your external auditor can rely on the SOC 1 Type 2 report rather than auditing ReconHub independently, reducing both audit effort and cost. The documented effectiveness of ReconHub's controls also reduces inherent risk in your financial reporting. For regulated industries or listed companies, the report fulfills the requirement for evidence of effective controls at critical service providers.

The report is available upon request under NDA for customers, auditors, and partners. Contact us to request access.

Factsheet SOC 1 Type 2 Report

What are Technical and Organizational Measures?

Technical and Organizational Measures (TOM) are the concrete steps an organization takes to protect personal data — both through technical systems and internal processes. Implementing effective TOM is a core requirement under both the EU General Data Protection Regulation (GDPR) and Swiss data protection law (DSG/DSV).

How Abrantix applies TOM

Abrantix's TOM apply to all personal data processed within its systems, platforms, and processes — covering customers, partners, employees, and all other data subjects. The measures are designed to ensure that data protection is not an afterthought, but is built into how we operate from the ground up.

Our approach is guided by four key principles:

• Confidentiality, integrity, availability, and recoverability — Personal data is protected from unauthorized access, kept accurate, accessible when needed, and recoverable in the event of an incident.

• Risk-based and proportionate — Measures are scaled to the sensitivity of the data and the risks involved, ensuring effort and protection are always appropriate.

• Privacy by design and by default — Data protection is embedded into technical systems and processes from the start, applying least-privilege and need-to-know principles throughout.

• Traceability and accountability — Actions involving personal data are documented, and responsibilities are clearly assigned.

The adequacy of our TOM is reviewed on a regular basis and adjusted as needed to reflect changes in technology, regulation, and risk. The full TOM documentation is available upon request — contact our Data Protection Officer.

What Is a Subprocessor?

To deliver its services, Abrantix works with a limited number of third-party vendors who may access customer data as part of their service. These vendors are called subprocessors. We select them carefully and hold them to the same data protection standards we apply to ourselves.

Current Subprocessors

Abrantix Group Entities

The following Abrantix entities may act as data processors or subprocessors depending on your service agreement:

• Abrantix AG, Switzerland
• Abrantix Deutschland GmbH, Germany
• Abrantix Pty Ltd., Australia
• Abrantix d.o.o. Koper, Slovenia

If you have questions about our subprocessor list or data processing agreements, contact us.

For any questions about the compliance topics covered on this page — including GDPR, CH-FADP, ISO 27001, PCI-DSS, or data protection in general — reach out to our Data Protection Officer directly: 

• Mirko Oberholzer, Abrantix AG, Switzerland, dpo@abrantix.com

• Matthieu Michel, EU Representative, Abrantix Deutschland GmbH, Germany, dpo.eu@abrantix.com