A checkout built to be trusted — and to clear the rules.
Orbipay is PCI DSS Level 1, tokenizes card data so it never touches your servers, and runs SCA / 3-D Secure exactly where the rules require — presented in the shopper's own language so strong authentication never feels like a foreign roadblock.
The hard parts are handled before you start
Compliance and data protection are not add-ons you switch on. They are how the checkout is built, so the burden stays off your servers and out of your roadmap.
PCI DSS Level 1
Orbipay operates at the highest PCI DSS tier and is assessed every year. Card data is captured inside our hosted fields, so your systems stay out of scope.
Audited yearly
Network tokenization
Card numbers are replaced with network tokens, so a stored credential is useless if exposed and a saved card keeps working when the physical card is reissued.
No raw PAN
SCA / 3-D Secure
Strong Customer Authentication under PSD2 runs through 3-D Secure where it is required, and is skipped where an exemption applies — so security never adds a needless step.
PSD2 ready
GDPR data handling
Personal data is collected only where it is needed, processed under clear consent and handled in line with GDPR — including data-subject requests and retention limits.
Privacy by design
From keystroke to authorization, locked down
Every payment passes through the same four stages. Card details never sit on your infrastructure at any point along the way.
Encrypted in the sheet
Card data is entered into Orbipay's hosted fields and encrypted in the shopper's browser. It is never exposed to your page or sent to your servers.
Out of your scope
Tokenized
The card number is swapped for a network token. From this point on, nothing downstream ever handles the real number — only a token that is safe to store.
PAN replaced
Authenticated where required
If the rules call for it, a 3-D Secure challenge runs in the shopper's language. Where an exemption applies, the step is skipped to keep the flow short.
Only when needed
Routed to authorize
The tokenized, authenticated payment is routed to your processor for authorization. You receive the result and the token — never the underlying card data.
Token, not card
Strong auth only where the rules demand it
A challenge on every payment costs you sales; no challenge where one is required costs you compliance. Orbipay applies Strong Customer Authentication precisely — requesting 3-D Secure when the rules say so, claiming exemptions when they apply, and always in the shopper's language.
- Exemption logic claims low-risk and low-value exemptions so most payments pass without a challenge.
- Challenge in their language — when 3-D Secure does run, it reads as native, not as a foreign warning.
- Liability shift on authenticated payments moves chargeback risk where it belongs.
Customer data, kept where it should be
Selling across borders means handling personal data under more than one rulebook. Orbipay keeps the footprint small: minimal collection, clear retention, regional storage where it is required, and the controls you need to answer a data request quickly.
- EU data residency for European shoppers, with storage that stays in-region.
- Data minimization — only the fields a payment needs are collected and retained.
- Subject requests for access and erasure are supported and logged for your records.
- Encryption at rest and in transit, with access scoped and audited end to end.
Uptime is illustrative of the platform's operating target. Certifications are maintained through annual assessment.
Sell abroad on a checkout that clears the rules
Get PCI DSS Level 1, network tokenization and precise SCA out of the box — protecting shopper data and your conversion rate at the same time.