Security Evaluations and Compliance

Good News! Your engineers are now familiar with the APIs available from your Processor or Bank-as-a-Service Platform provider... Product specs are almost final and your designers have a pretty good mockup of the User eXperience...
Bad News! Your partner Bank would now like to see your AML Policy, your Written Information Security Plan, the results of your most recent Penetration Test, your attestation of PCI compliance, and your employee training log!

We can help your FinTech company be ready with these necessary items, all customized for your specific product and commensurate with the size of your company and your budget.

Security Audits

We help companies secure their products and infrastructure through a structured approach and consistent methodology based on industry-wide best practices and accompanying resources, such as OSSTMM, OWASP, and WASC. We help our clients identify security issues, suggest remediation solutions and provide ongoing support to the customer’s technical team.

Vulnerability Assessments

  • Internal Network
  • External Network
  • Web / Mobile Applications

Penetration Testing Methods

  • "Black Box"
  • "Grey Box"
  • "White Box"

Security Reviews

Cloud Set-Ups

  • AWS
  • Google Cloud
  • Azure

Application Code

  • Mobile native
  • Web Apps

Applicable Standards

PCI-DSS Compliance

SAQ Facilitation

  • SAQ-D Self Assessment Questionnaire assistance
  • Maintain questionnaire and supporting documents

Quarterly Vulnerability Scanning

  • 11.2.2: External Network
    (includes: approved PCI ASV attestation report)


Performance Testing and Quality Assurance

Load Testing

  • Evaluate the overall performance of the application

Stress Testing

  • Estimate how many clients the application can handle in the current state

QA Testing

  • Verify workflow and compliance with specs independently from the development team

Soak Testing

  • Investigate system endurance under long-term load (8-12-24 hours)

Performance and QA Testing conducted in partnership with DataArt

Training for FinTech Employees

FinTech teams are often unfamiliar with the financial regulations and security requirements that they have to comply with, often at the explicit request of the banks they partner with to deploy their services.
Most available compliance & security training is difficult to use because it was developed for banks, not for FinTechs.
We have assembled training materials customized for employees and management of FinTechs and we can help administer onboarding and yearly tests to verify that new and existing employees have acquired the required understanding of essential security and compliance rules.

AML / BSA / OFAC Compliance

UDAAP Compliance

GLBA & CCPA Compliance

ID Theft / FACTA Red Flags

Regulation E Compliance

Compliance Policies

Even though your FinTech company is not regulated as a Financial Institution, you are the front line for interactions with customers and the first line of defense against fraud and complaints.
We help draft policy documents as required by your partner Bank, in cooperation with your Operations team, customized for your particular products, roles and responsibilities. Note that your Bank will usually review such documents after we have produced them, and may request changes for specific regulatory compliance reasons. You may also want to have some documents reviewed by legal counsel.

Information Security
Data Retention and Destruction Policy
Vendor Mgmt.
Fraud & Red Flags




DataArt is a global software engineering firm that takes a uniquely human approach to solving problems.

With over 20 years of experience, teams of highly-trained engineers around the world, deep industry sector knowledge, and ongoing technology research, we help clients create custom software that improves their operations and opens new markets. Powered by our People First principle, we work with clients at any scale and on any platform, and adapt alongside them as they evolve.

We integrate our engineering excellence with deeply human values that drive our business and our approach to relationships: curiosity, empathy, trust, honesty, and intuition. These qualities help us deliver high-value, high-quality solutions that our clients depend on, and lifetime partnerships they believe in.


DataArt has earned the trust of some of the world’s leading brands and most discerning clients, including Nasdaq, S&P, Thomson Reuters, United Technologies, One World Alliance, and others.

Global Presence

  • New York
  • London
  • Switzerland
  • Germany
  • Eastern Europe
  • Latin America


Clone Systems, Inc. is a United States-based managed security services provider with offices in New York City, Philadelphia, and London. The company provides intrusion detection and malicious threat protection for businesses in the US, Europe and Asia. The company was founded in 1998 and continues to provide global network security services.

Approved Scanning Vendor

Clone Systems Inc is our certified global approved scanning vendor partner.
Certificate Number - Global 4262-01-12

The directory of Approved Scanning Vendors can be found on the PCI Security Standards Council website.

Clone Systems Inc has just completed recertification as an approved PCI ASV for the 13th year in a row.

Scanning Services Portal

  • Each of our clients is provided with access to a read-only PCI Scanning Portal which contains details of all scans that have been completed against the client-defined hosts (PCI - Internal Scan 11.2.1 & PCI External Scan requirement), along with detailed reporting for identified vulnerabilities to be addressed & remediation steps for fail cases.
  • Executive, Detailed and Attestation PCI compliance reports can be downloaded with passing status and can be delivered to your acquiring banks, card brands or other requesting entities you do business with.
  • Additionally, the portal provides a Self-Assessment Questionnaire (SAQ) wizard that can be used to help you identify the SAQ type that aligns with your business requirements so you can complete an online version of the SAQ and report the results of your PCI Data Security Standards (DSS) self-assessment.