1. Regulatory framework
AsherPay operates as a payment facilitator and ISO partner with sponsoring acquirer banks regulated in the United States. We adhere to the rules of the major card networks (Visa, Mastercard, American Express, Discover) and to applicable federal and state financial regulations including the Bank Secrecy Act, USA PATRIOT Act, and OFAC sanctions programs.
2. PCI DSS Level 1
AsherPay is validated at PCI DSS Level 1, the most stringent validation tier, which requires an annual on-site assessment by a Qualified Security Assessor (QSA) rather than a self-assessment questionnaire. Cardholder data is encrypted in transit and at rest; the cardholder data environment is kept as small as possible through tokenization and is isolated by network segmentation, access controls, and continuous monitoring. Each annual QSA assessment produces a Report on Compliance and an Attestation of Compliance.
3. AML, KYC, and KYB
- Know Your Business (KYB). Every applying entity is verified against state filings, EIN records, and beneficial ownership disclosures.
- Know Your Customer (KYC). Principal owners and signers are verified against government-issued identification.
- Anti-Money Laundering (AML). Transaction patterns are monitored for laundering typologies. Suspicious activity is reported to the appropriate authorities as required.
4. Sanctions and watchlist screening
All applicants and beneficial owners are screened against OFAC SDN, sectoral, and consolidated sanctions lists, as well as MATCH (Member Alert to Control High-Risk Merchants), PEP, and adverse-media databases. Screening is performed at onboarding and on a rolling basis throughout the merchant relationship.
5. SOC 2 Type II
AsherPay maintains SOC 2 Type II attestation covering security, availability, and confidentiality. Reports are available under NDA upon request from hello@asherpay.com.
6. Card brand programs
We monitor and enforce the following card brand compliance programs on behalf of merchants:
- Visa Acquirer Monitoring Program (VAMP) and Visa Dispute Monitoring Program (VDMP).
- Mastercard Excessive Chargeback Program (ECP), including the Excessive Chargeback Merchant (ECM) designation, and the Excessive Fraud Merchant (EFM) program.
- American Express Fraud Full Recourse Program.
- Discover Network excessive activity programs.
Merchants approaching thresholds receive proactive guidance and remediation support.
7. Prohibited industries
AsherPay does not onboard merchants engaged in:
- Illegal goods or services in the merchant’s jurisdiction.
- Sales of firearms, explosives, or other weapons that are unlicensed or otherwise prohibited by law.
- Drug paraphernalia or controlled substances outside lawful pharmaceutical channels.
- Unlicensed gambling, multi-level-marketing fraud, or pyramid schemes.
- Adult content involving minors or non-consenting parties.
- Counterparties or beneficial owners on OFAC, EU, UK, or UN sanctions lists.
- Any activity prohibited by Visa, Mastercard, American Express, or Discover.
Restricted industries (peptides, CBD, supplements, nutraceuticals, adult, telehealth, firearms-adjacent) are accepted on a case-by-case basis subject to enhanced underwriting and ongoing review.
8. Data security
- TLS 1.2+ encryption in transit; AES-256 encryption at rest.
- Tokenization of cardholder data so raw PANs never touch merchant systems.
- Role-based access control with logged, audited access to sensitive data.
- Independent penetration testing and quarterly vulnerability scans, with external scans performed by a PCI Approved Scanning Vendor (ASV), as PCI DSS requires.
9. Reporting suspicious activity
If you suspect fraud, money laundering, prohibited use, or other compliance concerns related to an AsherPay merchant or service, email hello@asherpay.com. Reports may be made anonymously. We investigate every credible report and cooperate with law enforcement and regulatory authorities as required.
10. Documentation requests
For SOC 2 reports, PCI Attestation of Compliance, due-diligence questionnaires, or vendor security reviews, email hello@asherpay.com. Most documents are provided under NDA.
Compliance is a shared responsibility. Merchants are required to follow card brand rules, sponsor bank policies, and applicable laws. Our team helps you stay aligned, but the obligation rests with the licensed business.