What lands in your output bundle
When any entity has a Money-shaped field, when a payment.* capability is selected, or when functional requirements mention checkout / charge / invoice / subscribe / refund / payment, Archiet emits the payment orchestration layer alongside the PCI-DSS overlay artifact pack:
compliance/pci_dss/
├── saq_a_attestation.md # SAQ-A scope and attestation draft
├── control_matrix.md # PCI-DSS v4 control IDs to architecture elements
├── network_segmentation.md # IaC checklist for CDE isolation
├── quarterly_scan_runbook.md # ASV scan + AOC cadence
└── pci_scope.md # cardholder-data boundary mapped to your code
app/services/payments/
├── payment_service.{stack-ext} # orchestrator with provider switch
├── payment_processor_stripe.{stack-ext} # adapter
├── payment_processor_paddle.{stack-ext}
├── payment_processor_paystack.{stack-ext}
├── payment_processor_flutterwave.{stack-ext}
├── payment_processor_ideal.{stack-ext}
├── payment_processor_ach.{stack-ext}
└── payment_webhook_controller.{stack-ext} # idempotent webhook handler
alembic/versions/
└── NNNN_payment_orchestration.py # payment_intents, payment_methods (tokens only),
# subscriptions, subscription_events,
# webhook_idempotency_keys with (provider, event_id) unique
What's already wired
- PCI scope minimization by construction. Generated code never persists PAN. The `payment_methods` table stores only processor vault tokens (Stripe `pm_*`, Paddle subscription IDs, etc.). The `pci_scope.md` doc enumerates which paths handle cardholder data and which don't, so your QSA can verify scope from the codebase.
- Region-aware provider routing. A `payment_provider_for_region` config flag maps country code to provider — NG to Paystack, EU to iDEAL, US to Stripe. Add or override per-blueprint without touching code.
- Webhook idempotency. `webhook_idempotency_keys` table with a `(provider, event_id)` unique index. Replay the same event three times and the handler returns 200 with no double-effect.
- SCA / 3DS handling. When the processor returns `requires_action`, the API returns the redirect URL plus status. The client polls `/intents/{id}/status` until `succeeded` or `failed`. This is the flow that's easy to implement wrong.
- Subscription lifecycle. Start, pause with proration, resume, cancel-at-period-end vs immediate, dunning (three retry attempts on failed renewal, then suspend). Generated as code, not as Stripe-dashboard buttons.
- Per-tenant key isolation. Workspace owners configure their own Stripe / Paddle / Paystack / Flutterwave keys via `IntegrationCredential`. Generated code reads them from there — never from app-level env, never hardcoded.
- Refund flow. `POST /payments/refunds` with full + partial refund support, audit trail wired to the audit infrastructure.
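The idempotent webhook handler described above, as an added example in Python (not Archiet's generated code). An in-memory SQLite database stands in for the migration's tables: `webhook_idempotency_keys` with its `(provider, event_id)` unique index is from the page, while the `payment_intents` columns, the sample event body and the provider names used in the calls are assumptions made for the demo.

```python
import json
import sqlite3

# Constructed in-memory schema standing in for the generated migration.
# webhook_idempotency_keys with UNIQUE (provider, event_id) is from the page;
# the payment_intents columns are assumptions for this demo.
SCHEMA = """
CREATE TABLE webhook_idempotency_keys (
    provider    TEXT NOT NULL,
    event_id    TEXT NOT NULL,
    received_at TEXT NOT NULL DEFAULT (datetime('now')),
    UNIQUE (provider, event_id)
);
CREATE TABLE payment_intents (
    id             TEXT PRIMARY KEY,
    status         TEXT NOT NULL,
    captured_cents INTEGER NOT NULL DEFAULT 0
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO payment_intents (id, status) VALUES ('pi_demo', 'requires_capture')"
    )
    conn.commit()
    return conn


def apply_event(conn: sqlite3.Connection, event: dict) -> None:
    """The side effect that must happen exactly once per event."""
    conn.execute(
        "UPDATE payment_intents SET status = 'succeeded', "
        "captured_cents = captured_cents + ? WHERE id = ?",
        (event["amount_cents"], event["intent_id"]),
    )


def handle_webhook(conn: sqlite3.Connection, provider: str, raw_body: str) -> tuple:
    """Return (http_status, outcome). Replays return 200 with no second side effect."""
    event = json.loads(raw_body)
    try:
        # Key insert and side effect share one transaction: commit both or neither,
        # so a crash mid-handling never leaves a recorded key without its effect.
        with conn:
            conn.execute(
                "INSERT INTO webhook_idempotency_keys (provider, event_id) VALUES (?, ?)",
                (provider, event["id"]),
            )
            apply_event(conn, event)
    except sqlite3.IntegrityError:
        # UNIQUE (provider, event_id) fired: already processed. Acknowledge with 200
        # so the provider stops retrying, but do nothing else.
        return 200, "duplicate"
    return 200, "processed"


def intent_state(conn: sqlite3.Connection, intent_id: str) -> tuple:
    row = conn.execute(
        "SELECT status, captured_cents FROM payment_intents WHERE id = ?", (intent_id,)
    ).fetchone()
    return tuple(row)


if __name__ == "__main__":
    db = open_db()
    # Constructed sample event; a real body would be the provider's signed payload.
    body = json.dumps({"id": "evt_001", "intent_id": "pi_demo", "amount_cents": 1999})
    for _ in range(3):
        print(handle_webhook(db, "stripe", body))  # processed, duplicate, duplicate
    print(intent_state(db, "pi_demo"))  # ('succeeded', 1999): captured once
```

Two design points carry the guarantee: the key is claimed by the database's unique constraint rather than by a read-then-write in application code, so two concurrent deliveries of the same event cannot both pass a "not seen yet" check; and the key and the side effect commit in the same transaction, so a replay is only ever acknowledged after the effect it stands for is durable. Because the key is the pair `(provider, event_id)`, an identical event id arriving from a second provider is treated as a distinct event.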
What you don't have to argue with your QSA about
- "Is PAN persisted anywhere?" — No. Only processor vault tokens. Provable via `pci_scope.md` + grep on the codebase.
- "What's your CDE boundary?" — Mapped in `network_segmentation.md` to the specific services that handle cardholder data.
- "How are network segmentation controls enforced?" — Generated IaC checklist references the security groups / VPC / firewall rules that isolate the CDE.
- "What's your SAQ?" — `saq_a_attestation.md` is the draft. SAQ-A applies because PAN never touches your servers.
- "What's your ASV scan cadence?" — `quarterly_scan_runbook.md` documents the schedule + tooling.
- "Webhook handling for chargebacks / disputes — show me the audit trail." — `audit_events` table with hash chain + replay API (audit infrastructure ships in the same bundle).
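The "Is PAN persisted anywhere?" answer rests on the `payment_methods` table holding vault tokens only. A grep proves what the code does at rest; the added Python example below (not Archiet's generated code) adds the runtime complement: a store for the `payment_methods` table that refuses any value that looks like a card number, with a Luhn check to keep false positives low, and that accepts only the expected token shape for each provider. The Stripe `pm_` prefix is from the page; the Paddle and Paystack token shapes, the store and row names, and the sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Digit runs of 13 to 19 (the PAN length range), allowing the spaces or dashes
# people type between groups, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs don't."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list:
    """Return the Luhn-valid 13-19 digit runs found in text, separators stripped."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Expected vault-token shape per provider. The Stripe pm_ prefix is from the page;
# the other two are assumed placeholders to replace with the real formats.
TOKEN_SHAPES = {
    "stripe": re.compile(r"^pm_[A-Za-z0-9]+$"),
    "paddle": re.compile(r"^sub_[A-Za-z0-9]+$"),     # assumption
    "paystack": re.compile(r"^AUTH_[A-Za-z0-9]+$"),  # assumption
}


class PanRejected(ValueError):
    """Raised when something that looks like a card number reaches the token store."""


@dataclass
class PaymentMethodRow:
    tenant_id: str
    provider: str
    vault_token: str


class PaymentMethodStore:
    """Stand-in for the payment_methods table: accepts provider vault tokens only."""

    def __init__(self) -> None:
        self.rows: list = []

    def save(self, tenant_id: str, provider: str, vault_token: str) -> PaymentMethodRow:
        # Defence in depth on the write path: whatever upstream bug tried to hand
        # us a PAN, it never reaches storage, and the attempt is visible to the caller.
        if find_pan_candidates(vault_token):
            raise PanRejected("refusing to persist a value that looks like a PAN")
        shape = TOKEN_SHAPES.get(provider)
        if shape is None or not shape.match(vault_token):
            raise ValueError(f"not a recognised {provider} vault token")
        row = PaymentMethodRow(tenant_id, provider, vault_token)
        self.rows.append(row)
        return row


if __name__ == "__main__":
    store = PaymentMethodStore()
    print(store.save("ws_1", "stripe", "pm_1Nq8X2"))  # constructed token, accepted
    for bad in ("4242 4242 4242 4242", "tok_abc"):
        try:
            store.save("ws_1", "stripe", bad)
        except ValueError as exc:
            print(type(exc).__name__, exc)
```

`find_pan_candidates` is the same check you would run over log fixtures or test data when documenting scope for the QSA; wiring it into the single write path for `payment_methods` means the "tokens only" property holds even when a caller is wrong, rather than only when the code that was grepped is the code that runs.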
Stacks supported
Flask · FastAPI · Django · NestJS · Laravel · Rails · Go · Java (Spring) · .NET · Salesforce Apex · SAP CAP · Dynamics 365.
Pricing
Payment orchestration with PCI scope minimization ships on the Professional plan ($599/mo, $419/mo annual). The PCI-DSS artifact pack ships on Professional too. Multi-region IaC for PCI architectures (cross-region failover) ships on Team ($1,499/mo).
Related
- See the payment orchestration feature page for the technical detail of the payment generator.
- See the e-commerce industry page for retail-vertical positioning.
- See the financial services industry page for fintech / banking positioning including PSD2 + Open Banking.
- See the compliance frameworks page for the full PCI-DSS artifact pack contents.