
Compliance: PSD2, SCA, PCI DSS and GDPR

European merchants don't get to treat regulation as an afterthought — so neither do we. This page is written for your compliance reviewer. Short version: NeuralPay never enters the flow of funds, which means your regulatory position doesn't move.

The load-bearing fact

NeuralPay is a technical service provider. We route orders, verify agent identities and sync catalogues — we do not receive, hold, transmit or settle funds. Ever.

Payment continues to run between the customer's payment credential, the agent operator's payment flow, and your existing regulated payment service provider. Because no funds pass through NeuralPay, using it does not change your licensing requirements or ours.

What changes, what doesn't

  • Unchanged

    Who processes the payment: your PSP, unchanged

    Where money settles: your bank account, via your PSP

    Your PCI DSS scope: unchanged — we never see card data

    Your PSD2 / licensing position: unchanged — we are not in the flow of funds

  • New

    Who can order from your store: humans, plus verified AI agents you allow

    Order metadata processing: NeuralPay processes order + verification data (GDPR-governed)

PSD2: Payment Services Directive

PSD2 regulates entities that provide payment services. NeuralPay provides none: we do not initiate payments on the customer's behalf, aggregate accounts, or acquire transactions. The regulated activities remain exactly where they are today — with your PSP and, on the agent side, with the operator's payment partners. Your contractual relationship with your PSP is untouched, and no new payment institution enters your chain.

SCA: Strong Customer Authentication

"How can an agent pay if the customer must authenticate?" — the right question, with a standardised answer. In agentic payment flows, the customer authenticates when authorising the agent (creating a tokenised credential or signed mandate, per frameworks like Google's AP2 and the ACP delegated-payment spec); your PSP then applies SCA and exemption logic exactly as the regulation requires. NeuralPay validates the agent's identity and mandate evidence before the order reaches you — it never performs, replaces or bypasses authentication.

PCI DSS: Card data security

NeuralPay never sees, stores, processes or transmits cardholder data. Payment credentials stay between the customer, the agent operator's payment flow and your PSP — typically as network tokens. Your PCI DSS scope and SAQ level are therefore unchanged by installing NeuralPay, and we have no card-data environment to certify.

GDPR: Data protection

NeuralPay processes order metadata (items, amounts, shipping region), agent verification records, and the merchant account data you give us — under a data processing agreement, on infrastructure hosted in the EU. We don't process payment credentials, we practise data minimisation by design, and our sub-processor list is short and published. The details live in the data processing agreement and privacy policy.

For your compliance team

We'll happily walk your DPO or compliance reviewer through the architecture, provide the DPA for countersignature, and answer security questionnaires. That conversation slows nothing down — we'd rather win the review than dodge it. Start it here.

Questions from your compliance team?

No funds flow, no card data, no scope creep — bring your toughest reviewer.