Compliance - Pandabase

Platform Partners are subject to ongoing compliance requirements. Failure to maintain these standards may result in suspension or termination of your platform account.

Shared responsibility model

As a Platform Partner, compliance responsibilities are divided between your platform and Pandabase. Understanding this boundary is critical to maintaining your platform’s standing.

Responsibility	Your Platform	Pandabase
Customer payment processing		Yes
Tax calculation and remittance		Yes
Chargeback management		Yes
PCI DSS compliance	Yes	Yes
Identity verification (KYC/KYB)		Yes
Transaction monitoring	Yes	Yes
Sanctions screening		Yes
Merchant due diligence	Yes
Platform-level fraud prevention	Yes
Dispute evidence SLA	Yes
Data retention (7 years)	Yes	Yes
Prohibited activity enforcement	Yes	Yes

Pandabase handles all identity verification (KYC and KYB) through the Pandabase.js Verification SDK. Your platform embeds the SDK into your onboarding flow, and Pandabase runs the identity checks, document verification, and sanctions screening on your behalf. You do not need to build or maintain your own KYC/KYB systems.

Merchant onboarding and verification

Pandabase handles all KYC and KYB verification through the Pandabase.js Verification SDK. Your platform does not need to collect identity documents or run verification checks directly. Instead, you embed the Verification SDK into your merchant onboarding flow and Pandabase handles the rest.

How it works

Embed the Verification SDK

Add the Pandabase.js Verification SDK to your onboarding page. The SDK renders a verification flow that collects identity information, documents, and biometric checks directly from the merchant.

Merchant completes verification

The merchant fills in their details and uploads required documents through the SDK. All data is sent directly to Pandabase and never touches your servers.

Pandabase reviews

Pandabase runs identity verification, document validation, sanctions screening, and risk assessment. Review time depends on the onboarding tier.

Receive webhook

You receive a MERCHANT_ACTIVATED or MERCHANT_REJECTED webhook when the review is complete.

Integrating the Verification SDK

<script src="https://js.pandabase.io/v2/verify.js"></script>

const pandabase = Pandabase.init("plt_xxx", { mode: "production" });

const verification = pandabase.createVerification({
  merchantId: "shp_provisioned_xxx",
  tier: "STANDARD",
  appearance: {
    theme: "auto",
    variables: {
      colorPrimary: "#0071e3",
      borderRadius: "8px",
    },
  },
  onComplete: (result) => {
    if (result.status === "SUBMITTED") {
      // Verification submitted, awaiting review
      showMessage(
        "Verification submitted. We'll notify you when it's approved.",
      );
    }
  },
  onError: (error) => {
    showError(error.message);
  },
});

verification.mount("#verification-container");

What Pandabase collects by tier

Individual merchants:

Field	EXPRESS	STANDARD	ENHANCED	ENTERPRISE
Full legal name	Yes	Yes	Yes	Yes
Email (verified)	Yes	Yes	Yes	Yes
Country of residence	Yes	Yes	Yes	Yes
Date of birth		Yes	Yes	Yes
Phone number		Yes	Yes	Yes
Government-issued photo ID			Yes	Yes
Proof of address			Yes	Yes
Biometric face match			Yes	Yes

Business merchants:

Field	EXPRESS	STANDARD	ENHANCED	ENTERPRISE
Legal entity name	Yes	Yes	Yes	Yes
Country of incorporation	Yes	Yes	Yes	Yes
Business address	Yes	Yes	Yes	Yes
Business registration number		Yes	Yes	Yes
Beneficial owner info (25%+)		Yes	Yes	Yes
Business description and website		Yes	Yes	Yes
Representative’s government ID			Yes	Yes
Certificate of incorporation			Yes	Yes
Proof of business address				Yes

All identity data and documents are collected directly by the Verification SDK and sent to Pandabase. Your platform never handles or stores sensitive identity documents. This simplifies your compliance obligations and eliminates PII storage requirements for merchant onboarding.

Transaction monitoring

Platforms are required to implement real-time transaction monitoring across their merchant base. The goal is to detect and report suspicious patterns before they escalate to chargebacks or compliance incidents.

Required monitoring signals

Signal	Threshold	Action
Unusual volume spike	Merchant exceeds 3x their average daily volume	Flag for review
High-value transaction	Transaction exceeds 5x the merchant’s average	Flag for review
Rapid velocity	More than 10 transactions from the same customer in 1 hour	Block and flag
Geographic anomaly	Transaction country differs from merchant’s registered country by more than 50% of daily volume	Flag for review
Refund rate	Merchant refund rate exceeds 10% over a 7-day rolling window	Restrict and flag
Dispute rate	Merchant dispute rate exceeds 0.5%	Restrict and notify Pandabase

You are not required to build these systems from scratch. Pandabase provides monitoring data through the API and webhooks that your platform can use to implement these checks.

Reporting suspicious activity

When suspicious activity is detected, report it immediately:

POST /v2/platforms/merchants/{merchantId}/flag
Authorization: Platform plt_xxx
X-Platform-Signature: {signature}

{
  "reason": "SUSPICIOUS_ACTIVITY",
  "severity": "HIGH",
  "description": "Merchant volume increased 10x in 24 hours with elevated refund rate",
  "evidence": {
    "dailyVolume": 50000,
    "averageDailyVolume": 5000,
    "refundRate": 0.15,
    "flaggedTransactions": ["pti_xxx", "pti_yyy", "pti_zzz"]
  }
}

Flag reasons

Reason	Description
`SUSPICIOUS_ACTIVITY`	Unusual transaction patterns or volume
`POLICY_VIOLATION`	Merchant is violating platform or Pandabase terms
`PROHIBITED_CONTENT`	Merchant is selling prohibited goods or services
`IDENTITY_CONCERN`	Reason to believe merchant identity information is fraudulent
`CUSTOMER_COMPLAINTS`	Elevated customer complaint volume
`OTHER`	Any other concern not covered above

Severity levels

Severity	Expected response time	Action
`LOW`	72 hours	Pandabase reviews and responds
`MEDIUM`	24 hours	Pandabase reviews; merchant may be restricted
`HIGH`	4 hours	Merchant immediately restricted; Pandabase investigates
`CRITICAL`	Immediate	Merchant immediately suspended; settlements held

PCI compliance

Your PCI requirements depend on how your platform integrates with Pandabase.

Integration type	PCI requirement	Description
Hosted payment page (redirect)	SAQ-A	Customer is redirected to Pandabase. No card data touches your servers.
Pandabase.js (iframe embed)	SAQ-A	Payment form is rendered in a Pandabase-hosted iframe. No card data touches your servers.
Pandabase.js Elements (custom form)	SAQ-A-EP	You control the form layout but card fields are Pandabase-hosted iframes. Card data does not touch your servers but your page context is involved.
Direct API (raw card data)	Not supported	Pandabase does not accept raw card data via API.

Pandabase does not support direct card data handling via API. All card data must flow through Pandabase.js or the hosted payment page. Platforms found transmitting, storing, or processing raw card numbers will be terminated immediately.

PCI certification

Platforms using SAQ-A-EP integration must provide a valid PCI attestation of compliance (AOC) during the annual review. SAQ-A platforms must complete a self-assessment questionnaire annually.

Dispute management

Platforms are responsible for ensuring their merchants respond to disputes within the required SLA. As the merchant of record, Pandabase submits the dispute response to the card network, but the quality of evidence directly affects the outcome.

Evidence deadlines

Dispute type	Evidence deadline	Platform responsibility
Fraudulent	7 calendar days	Facilitate merchant evidence submission
Product not received	7 calendar days	Provide delivery and fulfillment proof
Product not as described	7 calendar days	Provide product documentation and communication logs
Duplicate charge	7 calendar days	Provide transaction records showing distinct orders
Unrecognized	7 calendar days	Provide transaction and customer verification details
General	7 calendar days	Provide all available supporting documentation

If a merchant fails to submit evidence within the deadline, Pandabase submits the transaction-level data it has (customer info, IP, AVS/CVV results), but without product usage evidence the dispute is significantly more likely to be lost.

Dispute rate monitoring

Pandabase monitors dispute rates at both the merchant and platform level.

Dispute rate	Merchant action	Platform action
Below 0.5%	No action	No action
0.5% to 0.75%	Warning issued	Platform notified
0.75% to 1.0%	Merchant restricted, new intents paused	Platform must submit remediation plan
Above 1.0%	Merchant suspended, settlements held	Platform review triggered

Dispute rate is calculated as: (number of disputes in the last 30 days) / (number of completed transactions in the last 30 days). If your platform’s aggregate dispute rate (across all merchants) exceeds 1%, the entire platform may be placed under review. This can affect all merchants on your platform, not just those with high individual rates.

Data retention

Platforms must retain the following records for a minimum of 7 years from the date of the transaction or event:

Record type	Examples
Merchant onboarding records	KYB documentation, identity verification results, due diligence notes
Transaction records	Intent IDs, amounts, timestamps, customer details, metadata
Dispute evidence	Evidence submitted, correspondence, resolution outcomes
Refund records	Refund amounts, reasons, timestamps
Platform fee records	Fee amounts, payout records, reconciliation data
Compliance flags	Flag reports, investigation records, resolution outcomes
Communication logs	Emails and messages exchanged with merchants regarding compliance

Pandabase retains its own copies of transaction and settlement data. However, your platform’s onboarding records and merchant due diligence documentation are your responsibility.

Annual review

All Platform Partners undergo an annual compliance review to maintain their active status.

Self-assessment questionnaire

Sent in Q4 each year. Covers your merchant onboarding procedures, transaction monitoring systems, dispute handling workflows, and data retention practices.

Documentation review

Pandabase reviews your KYB procedures, monitoring systems, dispute handling processes, and a sample of merchant onboarding records.

Volume and risk review

Analysis of transaction patterns, dispute rates, refund rates, and flagged activity across your entire merchant base over the past year.

PCI attestation

Submission of your current PCI AOC or completed self-assessment questionnaire.

Certification

Upon passing all review stages, your platform is re-certified for another year.

Platforms that fail the annual review enter a 90-day remediation period. During remediation, new merchant provisioning may be paused. Failure to remediate within the 90-day window results in platform suspension.

Prohibited activities

Platforms must not onboard merchants engaged in the following:

Category	Examples
Illegal goods or services	Any product or service illegal in the merchant’s or customer’s jurisdiction
Counterfeit or IP-infringing products	Fake branded goods, pirated software, unauthorized reproductions
Unregulated financial services	Unlicensed lending, money transmission, investment schemes
Gambling	Online gambling without proper jurisdiction-specific licensing
Adult content	Pornographic material without age verification systems
Pyramid or MLM schemes	Multi-level marketing, pay-to-join programs
Cryptocurrency exchange	Crypto-to-fiat or fiat-to-crypto without proper licensing
Weapons and ammunition	Firearms, ammunition, explosives, or related accessories
Controlled substances	Drugs, pharmaceuticals without prescription verification
High-risk supplements	Unregulated health supplements making medical claims

If your platform discovers that a merchant is engaged in prohibited activities after onboarding, you must immediately suspend the merchant and report it to Pandabase. Failure to do so may result in your platform being held liable.

If your platform is found knowingly onboarding merchants engaged in prohibited activities, your platform account will be suspended immediately and all pending settlements will be held pending investigation.

Support

For compliance questions or to report issues:

Channel	Address	Response SLA
General compliance	compliance@pandabase.io	24 hours
Urgent issues	platforms@pandabase.io with `[URGENT]` subject	4 hours
Merchant flags	Use the `/flag` API endpoint	Based on severity level

For questions about specific merchant reviews or dispute evidence, include the merchant ID and any relevant intent IDs in your message.

Basics

​Shared responsibility model

​Merchant onboarding and verification

​How it works

​Integrating the Verification SDK

​What Pandabase collects by tier

​Transaction monitoring

​Required monitoring signals

​Reporting suspicious activity

​Flag reasons

​Severity levels

​PCI compliance

​PCI certification

​Dispute management

​Evidence deadlines

​Dispute rate monitoring

​Data retention

​Annual review

​Prohibited activities

​Support

Shared responsibility model

Merchant onboarding and verification

How it works

Integrating the Verification SDK

What Pandabase collects by tier

Transaction monitoring

Required monitoring signals

Reporting suspicious activity

Flag reasons

Severity levels

PCI compliance

PCI certification

Dispute management

Evidence deadlines

Dispute rate monitoring

Data retention

Annual review

Prohibited activities

Support