Vapulus is fully PCI DSS 3.2 compliant as a Level 1 Service Provider, the top security standard for the payments industry.


Vapulus is fully supervised by the Dutch Central Bank as a financial institution and complies with the European Union regulation applicable to the provision of payment services (Directive EU 2015/2366) and any other requirements applicable to the financial services it provides.


Vapulus is compliant with ISAE 3402/SOC 1 (Service Organization Control 1), which evaluates and tests a service organization's internal controls pertaining to financial reporting. It shows compliance with the policies and procedures of the service organization through monitoring, training, and checks on those policies and procedures.



In addition, Vapulus is evaluated for PCI DSS by PSC, a QSA for the Payment Card Industry Security Standards Council. Our PCI ASV is Qualys. As a principal member and licensed acquirer of Visa and MasterCard, Vapulus also adheres to the card schemes’ operating regulations. Visa, MasterCard and the banks we partner with have the right to subject Vapulus to yearly audits.


Vapulus maintains the highest security standards by operating independent anti-DDoS solutions from two different vendors. For the secure storage of cryptographic keys, Vapulus uses HSMs to which no individual access is granted.