Compliance: PSD2, SCA, PCI DSS and GDPR
European merchants don't get to treat regulation as an afterthought — so neither do we. This page is written for your compliance reviewer. Short version: NeuralPay never enters the flow of funds, which means your regulatory position doesn't move.
The load-bearing fact
NeuralPay is a technical service provider. We route orders, verify agent identities and sync catalogues — we do not receive, hold, transmit or settle funds. Ever.
Payment continues to run between the customer's payment credential, the agent operator's payment flow, and your existing regulated payment service provider. Because no funds pass through NeuralPay, using it does not change your licensing requirements or ours.
What changes, what doesn't
| Status | Item | Detail |
|---|---|---|
| Unchanged | Who processes the payment | Your PSP, unchanged |
| Unchanged | Where money settles | Your bank account, via your PSP |
| Unchanged | Your PCI DSS scope | Unchanged: we never see card data |
| Unchanged | Your PSD2 / licensing position | Unchanged: we are not in the flow of funds |
| New | Who can order from your store | Humans, plus verified AI agents you allow |
| New | Order metadata processing | NeuralPay processes order and verification data (GDPR-governed) |
PSD2: Payment Services Directive
PSD2 regulates entities that provide payment services. NeuralPay provides none: we do not initiate payments on the customer's behalf, aggregate accounts, or acquire transactions. The regulated activities remain exactly where they are today — with your PSP and, on the agent side, with the operator's payment partners. Your contractual relationship with your PSP is untouched, and no new payment institution enters your chain.
SCA: Strong Customer Authentication
"How can an agent pay if the customer must authenticate?" — the right question, with a standardised answer. In agentic payment flows, the customer authenticates when authorising the agent (creating a tokenised credential or signed mandate, per frameworks like Google's AP2 and the ACP delegated-payment spec); your PSP then applies SCA and exemption logic exactly as the regulation requires. NeuralPay validates the agent's identity and mandate evidence before the order reaches you — it never performs, replaces or bypasses authentication.
PCI DSS: Card data security
NeuralPay never sees, stores, processes or transmits cardholder data. Payment credentials stay between the customer, the agent operator's payment flow and your PSP — typically as network tokens. Your PCI DSS scope and SAQ level are therefore unchanged by installing NeuralPay, and we have no card-data environment to certify.
GDPR: Data protection
NeuralPay processes order metadata (items, amounts, shipping region), agent verification records, and the merchant account data you give us — under a data processing agreement, on infrastructure hosted in the EU. We don't process payment credentials, we practise data minimisation by design, and our sub-processor list is short and published. The details live in the data processing agreement and privacy policy.
For your compliance team
We'll happily walk your DPO or compliance reviewer through the architecture, provide the DPA for countersignature, and answer security questionnaires. That conversation slows nothing down — we'd rather win the review than dodge it.
Questions from your compliance team?
No funds flow, no card data, no scope creep — bring your toughest reviewer.