PCI Compliance Statement.

CeletelPay designs, manufactures and deploys payment terminals that must meet strict international security standards before they are allowed to accept cards and digital wallets. This page summarises the certifications we hold, what they mean in practice, and how a merchant or acquirer can verify them.

1. Scope

This statement covers the Vega P1, Nova N3, Lyra Q2 and Orion T8 smart POS terminals, the CeletelPay secure vault (our cloud key-management service) and the Android SDK that merchants use to integrate checkout flows.

2. Certifications held

Every CeletelPay terminal ships certified against the following standards:

• PCI PTS v6 — the Payment Card Industry’s POI (Point of Interaction) standard for tamper resistance, secure key loading and firmware integrity.
• EMV Contact L1 & L2 — chip-card electrical interface and kernel behaviour.
• EMV Contactless L1 — NFC contactless interface, including MasterCard PayPass, Visa PayWave, Amex ExpressPay and Discover D-PAS.
• PBOC 3.0 — where China UnionPay processing is supported.
• SOC 2 Type II — for the CeletelPay secure vault and our back-office operations.

Vega P1 additionally carries biometric-specific certifications for its palm vein sensor. Lyra Q2 carries an FBI PIV / STQC certificate for its optional 508 DPI fingerprint sensor.

3. How cardholder data is handled

Card numbers, PIN blocks, and cryptograms never leave the tamper-active enclosure of the terminal in cleartext. All sensitive data is encrypted inside the secure element and then either (a) tokenised to the acquirer under DUKPT or P2PE, or (b) re-encrypted to the acquirer’s zone key. Our Android application layer — and therefore any ISV code running on the terminal — never sees PANs.

4. Firmware integrity

Every firmware release is signed with a hardware-protected code-signing key held inside a FIPS 140-2 Level 3 HSM. Terminals verify the signature at boot and reject any image that does not chain back to the CeletelPay root. A failed signature puts the device into a locked state until a certified technician can re-provision it.

5. Biometric data

Palm vein is outside the PCI scope, but we hold it to the same bar. Templates are one-way, encrypted at rest with AES-256 under a per-merchant key, and can never be exported as an image. See our Technology and Privacy pages for detail.

6. Merchant responsibilities

CeletelPay terminals help a merchant reach and maintain PCI DSS compliance, but they do not replace it. Merchants remain responsible for physical terminal security, training staff on tamper inspection, keeping firmware current, and completing their annual Self-Assessment Questionnaire (SAQ-B, SAQ-B-IP or SAQ-P2PE as applicable).

7. Verifying our certificates

Certificate numbers and expiry dates for every terminal are available on request. Acquirers and banks carrying out vendor due-diligence can email compliance@celetel.io to receive the current certification pack.

8. Reporting a security concern

If you believe you have discovered a security vulnerability in any CeletelPay product or service, please report it to security@celetel.io. We operate a responsible-disclosure programme and will acknowledge receipt within two business days.

Effective April 2026 · © CeletelPay, a Celetel brand