Security & Compliance

Novaza Pay is designed so that sensitive payment instrument data never touches the Novaza workspace, Novaza Billing, or any customer-facing Novaza application. All handling of card numbers and bank account numbers is performed under the PCI-DSS compliance envelope of the upstream processing partners that Pay routes to.

Tokenization

When a customer adds a card or bank account to their workspace, the payment details are submitted directly to the upstream processor over a secure channel. The processor returns an opaque token that represents the payment method. Only the token, along with non-sensitive metadata (card brand, last four digits, expiry month and year), is stored on the Novaza side.

Subsequent charges against that payment method are made by referencing the token. At no point does Novaza Billing, the customer portal, or any Novaza application server store a full card number (PAN) or bank account number.

PCI Compliance Posture

Because all PAN data is tokenized by upstream processors and never stored or processed by Novaza systems, Novaza’s handling of payment data falls under the reduced-scope portion of PCI-DSS. The upstream processors that Pay routes to are PCI-DSS Level 1 compliant in their own right.

Transport Security

All traffic between the customer’s browser, Novaza Pay, and upstream processors is encrypted in transit using TLS. Payment method entry forms are served directly from the upstream processor’s own domain (embedded via secure iframe) so that card details are never transmitted to a Novaza-controlled endpoint.

Access Control

Access to stored payment-method tokens is restricted to the Billing service account that needs them to settle invoices. Tokens cannot be retrieved through the public Novaza API, and they are not exposed in the customer portal beyond the masked summary (brand and last four digits).
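As an added illustration (example code, not Novaza's own), the following guard sits at the Novaza-side persistence boundary and enforces the invariant stated in the Tokenization section and here: only the processor token and non-sensitive metadata are kept, anything that looks like a PAN is refused, and the portal view carries no token. The processor response field names and the sample values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Fields the Novaza side is allowed to persist: the processor token plus
# non-sensitive metadata (brand, last four, expiry). Nothing else survives.
ALLOWED_FIELDS = ("token", "brand", "last4", "exp_month", "exp_year")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a true result marks a digit run as a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid run of 13-19 digits
    (spaces or hyphens between digits are tolerated). Fails closed: a long
    numeric id that happens to pass Luhn is also rejected."""
    for run in re.findall(r"(?:\d[ -]?){13,19}", value):
        digits = re.sub(r"[ -]", "", run)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

@dataclass(frozen=True)
class StoredPaymentMethod:
    token: str
    brand: str
    last4: str
    exp_month: int
    exp_year: int

def from_processor_response(resp: dict) -> StoredPaymentMethod:
    """Reduce the processor's reply (field names assumed) to the storable
    record and refuse to persist anything that still carries a PAN."""
    record = {k: resp[k] for k in ALLOWED_FIELDS}   # drops every other field
    for field, value in record.items():
        if looks_like_pan(str(value)):
            raise ValueError(f"refusing to store PAN-like value in {field}")
    if not re.fullmatch(r"\d{4}", record["last4"]):
        raise ValueError("last4 must be exactly four digits")
    return StoredPaymentMethod(**record)

def portal_summary(pm: StoredPaymentMethod) -> dict:
    """The masked summary the customer portal may show: brand and last four."""
    return {"brand": pm.brand, "last4": pm.last4}
```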

© 2026 Novaza. All rights reserved.