Part VI: Security, Compliance & Control
This is where amateurs drop out.
Audience: Architects
Every chapter so far has assumed money moves when someone asks it to. This Part is about the machinery that decides whether it's allowed to — and what touching card data actually costs you.
Chapter 24 covers PCI-DSS: the compliance levels, the SAQ questionnaire maze (24 questions or 328 — your integration choice decides), the scope-reduction architecture that keeps the burden small, and the myths that get merchants fined. Chapter 25 goes under the compliance layer to the machinery itself — vaults, encryption versus tokenization, PSP versus independent vaults, breach economics, and how to move your cards when you switch providers. Chapter 26 turns from protecting stored data to policing the flow: fraud engines and velocity rules, KYC/KYB as underwriting, sanctions screening, SARs, and why PSPs off-board merchants without explanation.
Chapters
Archived drafts
Superseded working drafts, kept for reference. The five "Chapter 20" section drafts were consolidated into Chapter 24.