HAHA VENDING

Payment Security & PCI Compliance

支付安全与PCI合规性说明

HAHA VENDING consistently maintains cardholder data security as a core compliance priority. Our digital systems and integrated smart vending machine architectures are engineered, deployed, and managed to adhere to the Payment Card Industry Data Security Standard (PCI-DSS) and applicable hardware security specifications, helping support payment security across the data lifecycle.

HAHA VENDING 始终将持卡人数据安全置于核心合规优先级。本平台的数字化系统及无人零售智能柜机架构在设计、部署与数据流转全生命周期中遵循支付卡行业数据安全标准(PCI-DSS)及相关硬件安全规范,以支持支付数据生命周期中的安全保障。

1. Hardware Terminal Layer: PCI PTS POI 6 Physical Security Certification

1. 硬件终端层:PCI PTS POI 6 物理安全认证

The physical payment hardware modules integrated within our smart vending systems have successfully completed formal testing and received official approval from the PCI Security Standards Council (PCI SSC), addressing sensitive data interception risks at the physical and firmware layers.

本智能柜机系统所集成的物理支付硬件模块均通过了支付卡行业安全标准委员会(PCI SSC)的官方测试与合规批准,以应对物理层和基础固件层的敏感数据拦截风险。

Official identification / 官方认证设备与编号:

The endpoint payment hardware terminals integrated into our systems, including the PAX IM30 series, are officially certified to meet PCI Device Security Requirements POI 6 (PCI SSC PTS Approval Number: 4-40372).

系统配备的端点支付硬件终端(包括 PAX IM30 系列)均已通过 PCI PTS Device Security Requirements POI 6 安全标准认证(官方合规批准号:4-40372)。

Encryption mechanisms / 加密与密钥管理:

The hardware terminals natively support online and offline PIN entry via touch screen and leverage advanced key management mechanisms, including TDES and AES cryptographic algorithms under DUKPT and MK/SK architectures, to help secure data at the immediate point of card interaction.

硬件终端原生支持线上与线下 PIN 码安全输入(Touch Screen PIN Entry),并采用先进的密钥管理机制(基于 DUKPT、MK/SK 架构下的 TDES 与 AES 强加密算法),以帮助确保数据在物理触卡瞬间受到高强度保护。

SRED technology implementation / 高级安全读取(SRED):

The terminal fully implements Secure Reading and Exchange of Data (SRED) functions. Sensitive cardholder account data is encrypted immediately upon being read at the hardware layer and is not transmitted out of the hardware boundary in clear text.

终端全面启用 SRED(安全读取与交换数据)技术。持卡人敏感账户信息在读取瞬间即在硬件底层完成加密,不以明文形式流出硬件边界。

2. Clearing Layer: PCI DSS v4.0.1 Level 1 Platform Compliance

2. 交易清算层:PCI DSS v4.0.1 Level 1 服务商履约

The routing, authorization verification, and clearing processes of transactions are independently managed within the closed loops of globally certified Level 1 Service Providers, supporting the compliance of the Cardholder Data Environment (CDE).

本服务的交易路由、授权验证及清算流转过程,均独立交由通过合规审计的 Level 1 支付服务商(Service Provider Level 1)进行闭环处理,以支持持卡人数据环境(CDE)的合规性。

Adyen platform compliance / Adyen 全球支付平台验证:

Our core acquiring and checkout systems interface with Adyen N.V., including Checkout, Acquirer Module, and In Person Payment platform components. The platform has undergone a comprehensive onsite assessment by Qualified Security Assessor Foregenix Ltd (QSA 202-957), securing a COMPLIANT status under PCI DSS v4.0.1.

本平台核心收单与结账系统对接 Adyen N.V.(包含 Checkout、Acquirer Module、In Person Payment 等平台组件)。该平台已由合格安全评估机构 Foregenix Ltd (QSA 202-957) 进行现场全面审查,并获得 PCI DSS v4.0.1 下的 COMPLIANT 合规评级。

Universal Processing compliance / Universal Processing 支付体系验证:

Our payment infrastructure and refund support systems leverage UNIVERSAL PROCESSING. The platform has successfully completed an onsite compliance validation audit resulting in a Report on Compliance (ROC) conducted by atsec (Beijing) Information Technology Co., Ltd (QSA 205-668), maintaining its compliant status under PCI DSS v4.0.1.

本平台的日常支付基础服务与售后退款支持体系对接 UNIVERSAL PROCESSING。该平台已通过专业安全合规机构 atsec (Beijing) Information Technology Co., Ltd (QSA 205-668) 的现场合规性验证审计(ROC),维持 PCI DSS v4.0.1 下的合规状态。

Nayax IoT compliance / Nayax 物联网清算体系验证:

Our IoT transaction fulfillment channels interface with Nayax Ltd., which holds an official PCI DSS v4.0.1 Service Provider Level 1 ROC certificate of compliance issued by Qualified Security Assessor Yossi Trigger (QSA 206-357).

本系统的智能物联网清算渠道对接 Nayax Ltd.,该平台已取得由合格安全评估师 Yossi Trigger (QSA 206-357) 签发的 PCI DSS v4.0.1 Service Provider Level 1 ROC 合规证书。

3. Data Lifecycle and Omni-Channel Masking Matrix

3. 数据生命周期与全渠道脱敏矩阵

In accordance with the compliance conclusions of our partners’ official Reports on Compliance (ROC), our platform enforces a strict zero-local-retention approach for sensitive cardholder data and applies mandatory masking across relevant channels.

根据独立服务商合规报告(ROC)的安全结论,本平台在持卡人敏感数据方面执行严格的零本地留存原则,并在相关渠道实施强制脱敏技术。

Data Category / 数据类别Third-Party Processors / 支付服务商HAHA VENDING Systems / HAHA 系统Storage & PCI Scope / 物理留存状态
Clear PAN
完整银行卡号
Collected, transmitted, and cleared independently as independent controllers.Isolated; not accessed or retained by our systems or servers.No clear-text record in local or cloud persistent databases.
CVV/CVC & PIN Codes
CVV/CVC 与 PIN 码
Dynamically captured and securely routed for authorization verification.Not read by HAHA VENDING software or hardware.Destroyed from memory immediately after authorization; never retained.
Truncated PAN
已脱敏卡号
Masked segments may be transmitted for order fulfillment and reconciliation.Used only for fulfillment purposes (e.g. refund support, queries).Processed in volatile memory during active browser sessions.
Metadata & Expiration
对账元数据与到期日
Transmitted as encrypted metadata as part of reconciliation evidence.Recorded and stored as encrypted logs for historical merchant review.Managed under controlled encrypted storage with intranet segregation.

4. Network Transmission and Physical Boundary Security

4. 网络传输与物理边界安全

Our infrastructure and communication links implement compliance-aligned network-layer safeguards to help protect the integrity of the cardholder data environment.

本服务的基础设施与通信链路实施符合合规要求的网络层安全措施,以帮助保障持卡人数据环境的完整性。

  • Protocol decommissioning / 协议淘汰标准 (No SSL / Early TLS): Our digital infrastructure has decommissioned and disabled insecure legacy network protocols, including SSL, early TLS 1.0, and TLS 1.1.
  • Mandatory strong cryptography / 强加密传输 (TLS 1.2+): Network traffic communicating into or out of our environment over public networks is established through secure HTTPS channels using strong cryptography, including TLS 1.2 or higher, integrated with Cloudflare perimeter protections.
  • Intranet segregation / 生产数据库公网隔离: Core production databases are restricted to internal network access and do not open public network ports. Production and testing environments are isolated via network segments, with wireless networks disabled within the scoped environment.
  • Physical media protection / 数据物理介质安全笼托管: Physical storage media retaining operational metadata is subject to physical access controls. Persistent and backup media are housed within monitored and restricted secure physical cages inside cloud datacenters.

5. Continuous Security Testing and Organizational Governance

5. 持续性安全测试与组织治理体系

Our platform has integrated internal security auditing, vulnerability management, and organizational governance into a sustainable operational mechanism.

本平台已将内部安全审计、漏洞管理与组织治理流程纳入长期运营机制。

  • Operations auditing / 技术人员操作全时审计 (SQL Auditing): Manual execution of SQL statements by internal operations staff must be conducted through the auditing function built into our data management tools, supporting real-time tracking and helping prevent unauthorized privilege escalation.
  • Regular penetration testing / 定期外部高强度渗透测试: Our core clearing and fulfillment ecosystem undergoes regular external penetration testing and vulnerability scanning conducted by professional QSAs, with the latest comprehensive assessment concluded in December 2025.
  • Governance and incident response / 合规治理架构与安全事件预案: A dedicated internal Network and Data Compliance Leading Group coordinates cybersecurity and data safety compliance across the platform. We maintain a cybersecurity incident emergency response plan. In the event of an incident compromising system security, remediation will be activated, and affected users or merchants will be notified within statutory timelines through appropriate channels, such as email or system alerts.