Prevention matters. It isn't enough on its own though. We think about resilience as the full picture: standing up to an attack, handling it properly when something does break through, and recovering without leaving our clients exposed. That mindset runs through every technical decision we make.
Our security programme draws on the NCSC Cyber Assessment Framework, the NIST Cybersecurity Framework, and the EU Cyber Resilience Act (CRA). The CRA brings in mandatory cybersecurity requirements for products with digital elements in the EU market. It's aimed mainly at hardware and software manufacturers, but its core principles — security-by-design and continuous vulnerability management — are things we've been doing for years under PCI DSS Level 1.
Our contact centre clients take payments around the clock. Downtime isn't an inconvenience for them. It's lost revenue and angry customers. So Paytia runs on redundant infrastructure with automatic failover, backed by business continuity and disaster recovery plans we actually rehearse — not just file away. We target 99.99% uptime, and we publish our real availability figures.
We don't sit and wait for threats to find us. The team tracks industry intelligence feeds, takes part in information-sharing groups, and works closely with the National Cyber Security Centre (NCSC). When a new attack trend shows up — a wave of telephony-targeted fraud, say — we're already checking our controls before it hits the news.
Our controls are built around PCI DSS Level 1, which is the same standard whether you're in London or Los Angeles. On top of that, our programme maps directly to the NIST Cybersecurity Framework (CSF 2.0) — the Identify, Protect, Detect, Respond, Recover, and Govern functions line up with the five pillars above. For US federal and critical infrastructure clients, we follow CISA guidance on secure-by-design principles, known exploited vulnerabilities, and incident reporting practices.
On breach notification, we operate a layered approach that covers the jurisdictions our clients sit in: the UK ICO under UK GDPR, European supervisory authorities and ENISA under GDPR and the CRA, and in the US, the full patchwork of state attorney general notification laws (all 50 states now have one), the FTC Safeguards Rule where applicable, HHS OCR for any incident touching HIPAA-regulated data, and SEC Regulation S-P for broker-dealers and investment advisers. Our incident response runbook drives the notification matrix so the right regulator gets contacted inside the right window — whichever country the affected clients sit in.
We've built our resilience framework around the same five pillars used by NIST and the NCSC. Here's what each one looks like in practice at Paytia.
You can't protect what you don't know about. We maintain a live asset register, run regular risk assessments, and pull in threat intelligence so we understand exactly where our exposure sits.
Defence in depth, not a single wall. Role-based access controls, encryption at rest and in transit, hardened configurations, and mandatory security training for every member of the team.
Our managed detection partner Fortra monitors 24/7. That's combined with intrusion detection, centralised log analysis, and anomaly alerting -- so if something unusual happens, we know about it fast.
When an incident does occur, there's no scrambling. Our response procedures are documented, tested, and assign clear ownership -- from initial triage through to client communication and forensic investigation.
Getting back to normal quickly matters. We maintain tested disaster recovery procedures, automated failover, and we run post-incident reviews to make sure the same thing doesn't happen twice.
The CRA sets out essential requirements for digital products. Here's how our existing controls already cover each one.
CRA Requirement: Products must be designed with appropriate cybersecurity measures from the outset.
Paytia Alignment: We didn't bolt security on after the fact. DTMF masking, end-to-end encryption, and strict data isolation have been baked into Paytia's architecture from day one -- they're core design decisions, not afterthoughts.

CRA Requirement: Manufacturers must have processes for handling vulnerabilities throughout the product lifecycle.
Paytia Alignment: We run continuous vulnerability scans alongside quarterly ASV assessments and annual penetration tests carried out by independent specialists. If something surfaces, our documented disclosure process kicks in straight away.

CRA Requirement: Products must support security updates for a defined period after placement on the market.
Paytia Alignment: Because Paytia is a cloud-hosted SaaS platform, patches go out centrally the moment they're ready. Our clients don't need to download anything or schedule downtime -- it just happens.

CRA Requirement: Actively exploited vulnerabilities and incidents must be reported to ENISA within 24 hours.
Paytia Alignment: Our incident response plan covers both PCI DSS breach reporting and the CRA's tighter 24-hour ENISA notification window. We've tested these workflows internally so they're not just documented -- they're rehearsed.

CRA Requirement: Full technical documentation demonstrating conformity with essential requirements.
Paytia Alignment: We maintain a full documentation set: PCI DSS Report on Compliance (ROC), Attestation of Compliance (AoC), detailed system architecture diagrams, and security control descriptions. Clients and regulators can request access at any time.

CRA Requirement: Products must undergo conformity assessment procedures appropriate to their risk category.
Paytia Alignment: Every year, an independent Qualified Security Assessor (QSA) puts us through a full PCI DSS Level 1 assessment. That's the highest tier of third-party validation in the payments industry -- and we've held it consistently since 2018.
Nothing reaches production without going through a structured pipeline. Here's how we keep things tight without slowing down delivery.
Every piece of work -- from a minor bug fix to a major feature -- is tracked in Asana. That gives us full traceability from the initial requirement all the way through to deployment.
Releases pass through five stages before going live: Development, Dev QA, Paytia QA Sign-off, Pre-Production Testing, and finally Live Roll-out. Nothing skips a step.
Zoho Help Desk logs every change request, approval, and release. If we ever need to trace who approved what and when, it's all there.
Security reviews and automated checks run at every stage. Vulnerability scans and quality gates catch issues early -- long before any code gets near production.
The result? Every release ships with a clear audit trail, and we can demonstrate compliance with both PCI DSS secure development requirements and CRA Annex I obligations without scrambling at assessment time.
Security isn't something you finish. Here's how we keep getting better.
Fortra runs managed detection and response for us around the clock. That means real human analysts reviewing alerts 24/7, not just automated rules firing into a dashboard nobody watches.
Our Security and Compliance team reviews daily alerts, produces weekly summaries, and tracks monthly metrics. It's a rhythm that keeps security visible at every level of the business.
We commission regular penetration tests from independent firms and run quarterly ASV scans. The findings go straight into our remediation pipeline -- not a spreadsheet that gathers dust.
Every process, every control, every piece of evidence is maintained and audit-ready. The same documentation that satisfies our PCI DSS assessors also maps cleanly to CRA Annex IV requirements.
External Authority Notification Workflow
Document Owner: Security and Compliance Manager
Approved By: Chief Information Security Officer
Version: 1.0
Effective Date: November 12, 2025
This procedure sets out exactly how we handle external authority notifications after a confirmed data breach or security incident. The goal is simple: get the right information to the right regulator within 72 hours, meeting both GDPR (Articles 33 & 34) and EU Cyber Resilience Act requirements.
Security Operations (SOC): Detects, triages, and classifies potential data or security incidents. Initiates the Zoho workflow when a breach is confirmed.
Compliance Manager: Receives and manages the assigned 'External Notification' task. Ensures the appropriate in-country authority is notified within 72 hours.
Incident Response Team (IRT): Provides technical information and impact assessment for inclusion in the external report.
CISO: Approves final communication to regulatory authorities and oversees compliance with reporting timelines.
4.1 Incident Classification
SOC identifies and logs a potential incident in Zoho. If investigation confirms a breach, the incident is escalated to the Compliance Manager with country of impact, affected systems, and classification.
4.2 Workflow Automation
Upon classification, Zoho automatically generates a task titled 'External Notification -- In-Country Authority', assigned to the Compliance Manager with a 72-hour deadline.
4.3 Escalation and Alerts
Reminder alerts are issued at 24, 48, and 70 hours if the task remains open. Unresolved tasks escalate automatically to the CISO.
4.4 External Notification
The Compliance Manager identifies the appropriate authority and submits the notification including company identification, breach description, affected systems, mitigation actions, and risk assessment.
4.5 Task Completion and Logging
On completion, the Compliance Manager updates the Zoho task status and attaches confirmation details, and all actions are recorded in the audit log and retained for a minimum of five years.
When something goes wrong, speed counts. Our recovery procedures run off clearly defined recovery time objectives, regular backups, and restoration processes we've actually tested — not just written down. After every incident, we run a proper post-mortem: what happened, what we can do better, what controls need tightening.
There's no finish line with this. We commission independent penetration tests, run vulnerability assessments across our infrastructure, and carry out internal security audits on a regular cycle. The findings feed straight into our security roadmap. They don't sit in a report. That's how we've kept PCI DSS Level 1 certification year after year since 2018.
The CRA puts real weight on supply chain risk, and so do we. Every third-party vendor that touches our platform goes through a formal assessment. We set contractual security requirements, monitor dependencies as they change, and keep a register of every service provider that could affect the security of cardholder data. PCI DSS Level 1 demands this level of rigour — and honestly, we'd do it either way.
Questions about our cyber resilience posture? Drop us a line at [email protected]. Happy to talk any of this through in detail.
Work with a payment provider that takes security as seriously as you do. We're happy to walk you through our controls.