PCI DSS posture & responsibility matrix
MAXFI operates as a PCI DSS Level 1 service provider. Our Attestation of Compliance (AoC) is available to prospective merchants under NDA via our contact form. The matrix below summarises which control belongs to whom; the full responsibility matrix is shipped with your DPA at signing.
| Control | MAXFI | Merchant | Notes |
|---|---|---|---|
| Card data entry UI | MAXFI | — | Hosted on maxfi-api.exezine.az; PAN never touches merchant servers. |
| Card data tokenisation | MAXFI | — | Replaced with reference id at network boundary. |
| Network segmentation | MAXFI | — | PCI CDE in isolated K8s namespace, NetworkPolicy default-deny. |
| Quarterly ASV scans | MAXFI | — | External-facing endpoints scanned by approved vendor. |
| Annual penetration test | MAXFI | — | Conducted by an independent QSA-affiliated firm. |
| Annual ROC | MAXFI | — | Report on Compliance, Level 1. |
| SAQ A (hosted scope) | — | Merchant | You complete SAQ A annually since cards never enter your servers. |
| SAQ A-EP (iframe variants) | — | Merchant | If you embed our widget on your domain. |
| Webhook signature verification | — | Merchant | Use our HMAC-SHA256 helper or replicate the recipe in /webhooks. |
| API key rotation | — | Merchant | Rotate at least quarterly via the dashboard. |
How card data flows
Customer hits your checkout_url, lands on our PCI-scoped hosted page, types card data into our DOM, our JS encrypts it before leaving the browser, our API tokenises it, the token (never the PAN) is passed to the upstream acquirer over a mutually-authenticated TLS channel. Your servers see card_last4, card_brandand a payment_id. No raw PAN, ever.
Audit logs & SOC 2
SOC 2 Type II is in progress (initial audit period: 2026-Q3 → 2027-Q2). Internal audit logs cover every CDE access, every admin action, every cryptographic key event, and are retained 2 years per PCI requirement 10.7. Logs are queryable for incident response within 1 hour.