Part VI: Security, Compliance & Control

This is where amateurs drop out.

Audience: Architects

Every chapter so far has assumed money moves when someone asks it to. This Part is about the machinery that decides whether it's allowed to — and what touching card data actually costs you.

Chapter 24 covers PCI-DSS: the compliance levels, the SAQ questionnaire maze (24 questions or 328 — your integration choice decides), the scope-reduction architecture that keeps the burden small, and the myths that get merchants fined. Chapter 25 goes under the compliance layer to the machinery itself — vaults, encryption versus tokenization, PSP versus independent vaults, breach economics, and how to move your cards when you switch providers. Chapter 26 turns from protecting stored data to policing the flow: fraud engines and velocity rules, KYC/KYB as underwriting, sanctions screening, SARs, and why PSPs off-board merchants without explanation.

Chapters

Archived drafts

Superseded working drafts, kept for reference. The five "Chapter 20" section drafts were consolidated into Chapter 24.

The Money AtlasPart VI: Security, Compliance & Control