Paytia Cyber Resilience Alignment Statement
Demonstrating alignment with EU Cyber Resilience Act requirements through PCI-DSS Level 1 controls and security-by-design principles
Introduction
Paytia operates as a Level 1 PCI-DSS–accredited Service Provider, delivering secure, cloud-based payment and voice-masking SaaS solutions. The company maintains a mature information security and operational compliance framework that integrates continuous monitoring, incident response, and vulnerability management.
This document demonstrates how Paytia's existing PCI-DSS controls and operational processes already satisfy, or materially align with, the security-by-design and vulnerability-management requirements introduced by the EU Cyber Resilience Act (CRA).
Although the CRA primarily governs products with digital elements placed on the EU market, Paytia's cloud-native SaaS delivery model and supporting security controls embody the same resilience and security principles required under CRA Annex I.
CRA Context
Understanding the EU Cyber Resilience Act and its requirements
The EU Cyber Resilience Act establishes uniform cybersecurity requirements for manufacturers and developers of products with digital elements. Key obligations include:
Annex I – Security Requirements
Secure development, configuration management, logging, update mechanisms, and data protection by design and by default.
Annex I (Part 2) – Vulnerability Handling
Continuous monitoring, vulnerability disclosure, and remediation.
Articles 11–13 – Reporting
Early-warning and incident-reporting requirements (within 24 and 72 hours) to EU CSIRTs/ENISA.
Annex III – Classification
Identifying critical products requiring third-party conformity assessment.
Paytia's established PCI-DSS Level 1 accreditation demonstrates adherence to equivalent or higher security controls, providing strong alignment with CRA expectations.
Alignment Overview
How Paytia's PCI-DSS Level 1 controls align with EU CRA requirements
| CRA Requirement | Paytia Existing Control / Practice | Alignment Assessment |
|---|---|---|
| Secure Development Lifecycle | Paytia operates an Agile software development process managed through Asana, covering development, development QA, Paytia QA sign-off, pre-production testing, and controlled live roll-out. All change requests are managed and approved through Zoho Help Desk, ensuring traceability and governance. | Fully Aligned |
| Configuration Management & Hardening | Systems are deployed using hardened OS images. Updates are delivered through managed YUM repositories. Fortra Alert Logic agents monitor file integrity (FIM) and detect configuration changes. | Fully Aligned |
| Vulnerability Handling & Management | Regular internal and external vulnerability scanning and quarterly ASV scans are performed per PCI-DSS requirements. Findings are triaged and remediated through the controlled change process. Penetration testing is conducted at least annually. | Fully Aligned |
| Logging & Monitoring | Fortra Alert Logic provides centralised, real-time log collection with IDS/IPS and FIM capabilities. Logs are analysed 24×7, with automated alerting and escalation to Paytia for investigation. Daily reports are reviewed by Paytia's security team. | Fully Aligned |
| Incident Detection & Response | 24×7 managed SOC coverage by Fortra ensures continuous detection and alerting. Incidents follow a documented response procedure integrated with Zoho Help Desk for escalation, tracking, and resolution. | Fully Aligned |
| Security Updates & Patching | Automated YUM update processes are in place, supported by change control for emergency patches. Updates are tested and verified before deployment. | Fully Aligned |
| Access Control & Least Privilege | Access is governed by RBAC, MFA, and unique user IDs as required by PCI-DSS. Access rights are reviewed quarterly. | Fully Aligned |
| Data Protection & Encryption | All sensitive data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption keys are rotated per policy and securely stored. | Fully Aligned |
| Secure Supply Chain Management | All software components and updates are sourced from verified repositories and validated before use. Paytia performs continuous vulnerability monitoring using CVE feeds and automated scanning tools. Cloud infrastructure components are monitored through AWS ALAS (Amazon Linux Security Advisories), and patches are deployed via controlled change management using Zoho Help Desk. | Fully Aligned |
| Vulnerability Disclosure Process | Paytia maintains a structured Coordinated Vulnerability Disclosure (CVD) process. Security issues can be reported through a dedicated security contact channel and are logged automatically via Zoho Help Desk. All reports are triaged by the Security and Compliance team, assigned for remediation, and tracked to closure through Paytia's change management process. A public vulnerability disclosure statement and dedicated security email contact are published on Paytia's website to encourage responsible reporting. This process ensures transparency, traceability, and compliance with CRA Article 11 and Annex I Part 2, meeting the requirements for coordinated vulnerability handling. | Fully Aligned |
| Incident & Vulnerability Reporting | Paytia's incident response workflow now includes automated task creation and escalation in Zoho, ensuring that all reportable events are tracked and externally notified within required regulatory timelines. The workflow automatically creates a task titled "External Notification – In-Country Authority", assigns it to the Compliance Manager, and enforces a 72-hour completion deadline in line with GDPR and CRA Article 15 requirements. For CRA-covered incidents, the workflow also supports 24-hour early-warning notifications to the relevant national CSIRT or ENISA. Reminder alerts at 24, 48, and 70 hours guarantee timely escalation and compliance oversight. All notifications and supporting evidence are recorded for audit and accountability. With these enhancements, Paytia's incident and vulnerability reporting processes are fully integrated, automated, and compliant with both PCI-DSS and EU CRA reporting obligations. | Fully Aligned |
Secure Development Lifecycle
Paytia's Agile development process ensures that all software is designed, tested, and released securely and in line with CRA secure-by-design principles.
Development Management
All development activities are tracked in Asana, providing full visibility from initial requirement to final deployment.
Testing Stages
Each release passes through five distinct stages — Development, Development QA, Paytia QA Sign-off, Pre-Production Testing, and Live Roll-out.
Change Control
Zoho Help Desk manages and records all change requests, approvals, and release documentation, ensuring traceability and accountability.
Security by Design
Security reviews and automated checks are built into every stage of development. Vulnerability scans and quality gates prevent insecure code from reaching production.
This structured lifecycle ensures that Paytia maintains continuous assurance of software integrity and compliance with both PCI-DSS and CRA Annex I secure development requirements.
Maturity and Continuous Improvement
Paytia's commitment to continuous security enhancement and operational excellence
Continuous Monitoring
24×7 managed detection and response by Fortra ensures real-time threat visibility.
Governance
The Security and Compliance team reviews daily alerts, weekly summaries, and monthly metrics.
Testing
Regular penetration testing and ASV scanning validate the resilience of all Paytia systems.
Documentation
All processes and evidence are maintained for PCI-DSS audits and can serve as CRA technical documentation under Annex IV.
Standard Operating Procedure
External Authority Notification Workflow
Document Owner: Security and Compliance Manager
Approved By: Chief Information Security Officer
Version: 1.0
Effective Date: November 12, 2025
1 Purpose
This procedure defines how Paytia manages and escalates external authority notifications following a confirmed data breach or security incident.
It ensures timely reporting to the relevant in-country authority within 72 hours, as required by the EU General Data Protection Regulation (GDPR) and the EU Cyber Resilience Act (CRA).
2 Scope
This procedure applies to:
- All Paytia-managed systems and services that process, store, or transmit customer or personal data.
- All incidents classified as data breaches, security vulnerabilities, or active exploitation events.
- All employees or third parties involved in incident management, including the Security, Compliance, and Engineering teams.
3 Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Security Operations (SOC) | Detects, triages, and classifies potential data or security incidents. Initiates the Zoho workflow when a breach is confirmed. |
| Compliance Manager | Receives and manages the assigned "External Notification" task. Ensures appropriate in-country authority is notified within 72 hours. |
| Incident Response Team (IRT) | Provides technical information and impact assessment for inclusion in the external report. |
| Chief Information Security Officer (CISO) | Approves final communication to regulatory authorities and oversees compliance with reporting timelines. |
| Zoho Automation System | Automatically creates and tracks tasks, reminders, and audit logs associated with external notifications. |
4 Procedure
4.1 Incident Classification
- SOC identifies and logs a potential data or security incident in Zoho.
- If investigation confirms a breach involving personal or sensitive data, the incident is escalated to the Compliance Manager.
- The incident record is updated with:
  - Country of impact
  - Affected systems or services
  - Classification: Data Breach / Security Incident
4.2 Workflow Automation
Upon classification as a reportable breach, Zoho automatically generates a task titled:
"External Notification – In-Country Authority."
The task is automatically:
- Assigned to the Compliance Manager (or designated escalation user).
- Linked to the originating incident record.
- Time-bound with a 72-hour deadline from the incident classification timestamp.
4.3 Escalation and Alerts
- Reminder alerts are automatically issued at 24 hours, 48 hours, and 70 hours if the task remains open.
- If the task is not completed within the defined period, Zoho escalates it to the CISO for review.
4.4 External Notification
- The Compliance Manager identifies the appropriate authority using the combined Country–Authority field (e.g., France – CNIL or Ireland – DPC/NCSC-IE).
- Notification is made following the authority's published reporting process (e.g., secure online form, encrypted email).
- The notification includes:
  - Company identification and contact details.
  - Description of the breach or incident.
  - Systems and data affected.
  - Mitigation actions taken.
  - Initial assessment of risk and potential impact.
4.5 Task Completion and Logging
Once notification is submitted, the Compliance Manager:
- Updates the Zoho task status to "Completed."
- Attaches confirmation details (submission reference, timestamp, or screenshot).
Zoho automatically records all task actions in the audit log, and the Security and Compliance teams retain evidence of the notification for a minimum of five years.
5 Reporting and Review
- Monthly reviews are conducted to verify that all breach-related tasks were completed within required timeframes.
- KPI reports include:
  - Number of reportable incidents.
  - Time to notification.
  - Authorities notified.
  - Outstanding escalations (if any).
- Lessons learned are documented and reviewed during quarterly compliance meetings.
6 Compliance Reference
- EU General Data Protection Regulation (GDPR) – Articles 33 & 34
- EU Cyber Resilience Act – Article 15 (Incident and Vulnerability Reporting)
- Paytia Information Security Policy
- Paytia Incident Response Plan
7 Revision History
| Version | Date | Description | Author | Approved By |
|---|---|---|---|---|
| 1.0 | November 12, 2025 | Initial release of SOP | Security & Compliance Manager | CISO |
