Trust & compliance

Trust is the product.

Bounded mandates, a signed dispute trail, an append-only audit chain, and EU-native compliance. Money settles to your own account; we never hold it.

What you can rely on

Cryptographic, not "trust us."

Bounded mandates

Capped by amount, merchant, and expiry, bound to the principal. An over-cap or wrong-merchant request is rejected at verification.

Four-signature trail

Signed offer (RFC 9421), signed mandate (SD-JWT VC), proof of possession (RFC 9449), and a signed receipt: proof of authorization on every payment.

Append-only audit chain

Every event is sequenced and prev-hash chained, with a signed chain-head. Tamper-evident, exportable for auditors.
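As an added illustration of the audit-chain design described above (example code, not OID4Pay's own implementation): each event carries a sequence number and the previous event's hash, and a signed chain head pins the end of the chain, so editing a past event or silently dropping the last one is caught on verification. The key, the event payloads and the field names are constructed for the example, and a keyed HMAC stands in for the EdDSA chain-head signature so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. A keyed HMAC stands in for the EdDSA signature over the
# chain head so this runs on the standard library alone (not OID4Pay's scheme).
CHAIN_HEAD_KEY = b"constructed-demo-key"
GENESIS_HASH = "0" * 64

def canonical(obj: dict) -> bytes:
    # Deterministic encoding so every party recomputes identical hashes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def event_hash(seq: int, prev: str, payload: dict) -> str:
    return hashlib.sha256(canonical({"seq": seq, "prev": prev, "payload": payload})).hexdigest()
def append_event(chain: list, payload: dict) -> dict:
    # Each event records its sequence number and the hash of the previous event.
    seq, prev = len(chain), (chain[-1]["hash"] if chain else GENESIS_HASH)
    entry = {"seq": seq, "prev": prev, "payload": payload, "hash": event_hash(seq, prev, payload)}
    chain.append(entry)
    return entry
def head_sig(head: dict) -> str:
    return hmac.new(CHAIN_HEAD_KEY, canonical({"seq": head["seq"], "hash": head["hash"]}), hashlib.sha256).hexdigest()
def sign_chain_head(chain: list) -> dict:
    head = {"seq": chain[-1]["seq"], "hash": chain[-1]["hash"]}
    return {**head, "sig": head_sig(head)}
def verify_chain(chain: list, head: dict) -> str:
    # Recompute every link, then check the chain ends at the signed head. Returns "ok" or the first failure.
    expected_prev = GENESIS_HASH
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != expected_prev:
            return f"sequence or prev-hash break at seq {i}"
        if e["hash"] != event_hash(e["seq"], e["prev"], e["payload"]):
            return f"event hash mismatch at seq {i}"
        expected_prev = e["hash"]
    if not hmac.compare_digest(head_sig(head), head["sig"]):
        return "chain-head signature invalid"
    if not chain or head["seq"] != len(chain) - 1 or head["hash"] != chain[-1]["hash"]:
        return "chain does not end at the signed head (truncated or extended)"
    return "ok"
def demo() -> dict:
    # Constructed trail for one payment: offer, mandate, receipt.
    chain = []
    for payload in ({"type": "offer", "merchant": "shop.example", "amount_cents": 1999},
                    {"type": "mandate", "merchant": "shop.example", "cap_cents": 5000},
                    {"type": "receipt", "amount_cents": 1999}):
        append_event(chain, payload)
    head = sign_chain_head(chain)
    tampered = json.loads(json.dumps(chain))   # deep copy, then edit a past event
    tampered[2]["payload"]["amount_cents"] = 1
    return {"intact": verify_chain(chain, head), "tampered": verify_chain(tampered, head),
            "truncated": verify_chain(chain[:-1], head)}
```

Exporting the chain plus the signed head is what lets an auditor re-run this check independently of the party that wrote the events.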

EU-native

Built for European rules.

PSD2 SCA

You enrol a card once with a real bank check (3DS / strong customer authentication) before any agent can pay.

GDPR / AVG

OID4Pay is the controller for your wallet data; access, rectification, erasure, and the other data-subject rights are served from the wallet.

Not a PSP, not a bank

An authorization and trust layer on top of a processor (Stripe today). Money settles to your own account; OID4Pay holds no funds and is not stored value.

EUDIW-ready

EU Digital Identity Wallet verification (age and attribute proofs over OpenID4VP) is on the roadmap.

Security

Coordinated disclosure under RFC 9116: see /.well-known/security.txt and report to security@oid4pay.com. The protocol enforces an algorithm whitelist (EdDSA / ES256), sender-constrained tokens (DPoP), and rejects alg=none. See the security page and the protocol spec.

Privacy: see the privacy statement. Roadmap items (EUDIW, per-merchant unlinkability) are labelled as coming and are not claimed as available today.

Proof, on every payment.