Paula Albu
02 Jun 2026 / 8 Min Read
Paula Albu, Junior Editor at The Paypers, shares the key takeaways from the webinar co-hosted with Evervault, titled Card acceptance and PCI compliance: flexibility, control, and data ownership.
PCI compliance is often treated as a technical checkbox, but for merchants and payment companies, it increasingly shapes business flexibility, payment performance, and control over customer data.
In this webinar, Shane Curran, Founder and CEO at Evervault, and Shane Peden, Partner, Risk Advisory and Assurance Services at Aprio, joined the moderator Masha Cilliers, Payment Industry Expert, iNED, and Board Advisor, to discuss how payment architecture decisions directly influence PCI scope, operational complexity, and long-term payment strategy.
Here are the key takeaways from the webinar.
The first step is to determine what your role is in the payment ecosystem. Whether you’re a merchant, service provider, or both, this distinction dramatically shapes your compliance requirements. Misclassifying your organisation can lead to costly surprises down the road.
Merchants benefit from a tiered system with four levels based on transaction volume, and those outsourcing payment processing to a PSP can often qualify for the simplest self-assessment questionnaire (SAQ-A), which involves roughly 30 controls. Service providers, on the other hand, face a much steeper climb. There’s only one accepted self-assessment questionnaire (SAQ-D), which can encompass 250 to 350 controls.
Shane Peden emphasised that many organisations incorrectly classify themselves as merchants when they are actually service providers, and some companies may even fall into both categories simultaneously. In such cases, he recommended treating the two roles as separate assessment scopes.
One of the webinar’s central themes was that PCI DSS is no longer simply a compliance exercise.
As Shane Peden explained, PCI is both an industry requirement and a business enabler. Companies that want to participate in card payments must understand how compliance affects not only their infrastructure but also their partnerships and scalability.
Unlike broader frameworks such as SOC 2 and ISO 27001, PCI scope is heavily influenced by technical architecture and how cardholder data moves across systems.
The discussion also highlighted the complexity of the modern payment ecosystem. A single transaction may involve multiple parties – merchants, PSPs, acquirers, fraud providers, and card networks – each carrying its own compliance responsibilities within what the speakers described as a chain of trust.
Both speakers stressed that PCI scope extends far beyond storage. Even systems that process or transmit cardholder data for a fraction of a second can fall into scope, significantly increasing operational and compliance complexity. This is particularly important as businesses adopt multi-PSP strategies, payment orchestration, and increasingly complex payment stacks that involve fraud tools, chargeback providers, and tokenization services.
An important part of the webinar focused on the relationship between payment architecture and PCI burden.
The speakers explored several common approaches, including iFrame integration, redirect flows, vault tokenization, network tokens, and a fully in-house payment infrastructure. They also introduced Evervault's vaultless tokenization model, which gives merchants full ownership of their sensitive data: encrypted data stays in their systems, and Evervault holds the keys. Because encrypted data never passes through a third-party vault, merchants can significantly reduce their PCI DSS scope without handing control of their data to a vendor.
Each carries different trade-offs between compliance complexity, business flexibility, and technical control. The more flexibility and control merchants want over payment orchestration and card data, the more compliance responsibility they typically assume.
At the same time, businesses increasingly want greater ownership of payment flows to support multi-PSP strategies, improve authorisation rates, reduce vendor lock-in, and optimise payment performance.
The webinar also highlighted the growing importance of network tokenization, which allows merchants to improve payment continuity and reduce churn while limiting exposure to raw cardholder data.
The webinar closed with a broader discussion of what a successful PCI strategy looks like now.
Shane Curran closed with a clear definition of what success looks like: building payment infrastructure that balances flexibility, scalability, security, and compliance, without creating unnecessary operational complexity.
For larger merchants and payment companies, this increasingly means finding ways to maintain control over payment data and orchestration while reducing exposure to sensitive cardholder data wherever possible.
The webinar also touched on the growing impact of PCI DSS v4, which introduces stricter requirements around browser security, risk analysis, and ongoing monitoring.
As payment infrastructures become more interconnected and distributed, compliance is increasingly shifting from an annual audit exercise to a continuous operational responsibility.
This recap highlights only part of the discussion. For deeper insights on PCI DSS, tokenization, payment architecture, and data ownership, watch the full webinar recording here.
Paula Albu has experience in content writing and editing, as well as being a creative storyteller. As a Junior Editor at The Paypers, she investigates Web3 technologies along with the latest trends and regulations in banking and fintech. Paula is committed to turning complex industry topics into engaging, accessible content that resonates with readers and creates a meaningful connection. She is available via LinkedIn or at paula@thepaypers.com.

Evervault is a card data infrastructure platform for developers, combining sensitive data encryption with standalone payment capabilities like 3DS and Network Tokens. We encrypt card data to minimize PCI scope and give you the flexibility to route payments across all your PSPs. Our modular products provide the building blocks to launch and scale your payments stack quickly, with less engineering effort and compliance overhead.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.