About Veliro

The credential layer, rebuilt as infrastructure.

Veliro is built to Level 1 PCI service-provider scope, for any merchant that wants its credential estate first-party. Direct integrations with Mastercard, Visa, and American Express token services, exposed as a single API surface that any engineer can integrate. No dedicated payments team required.

Founded: 2026 · HQ: San Francisco · Built to PCI DSS Level 1 · Direct to network: MDES · VTS · AETS

Where Veliro sits

Topology · credential boundary
3 networks · 1 vault key · any PSP
[Topology diagram. Labels: Visa (VTS), Mastercard (MDES), American Express (AETS) · direct integration · customer-controlled vault boundary · Veliro (vault · lifecycle · routing; PCI Level 1 · tenant key) · single API · your application (portable credentials) · acquirer of choice (decoupled · your choice)]

3 direct networks · 1 vault boundary · acquirer remains a customer decision

Why we exist

Network tokenization shipped a decade ago. Most teams are still leasing it back.

The card networks built tokenization as a primitive: an ownership-grade alternative to raw PANs. In practice, almost no merchant integrated directly. Veliro exists to close that gap.

Owning the credential layer changes three things at once: portability, attribution, and resilience.

  • Portability · move PSPs without re-enrolling

    Your network tokens belong to your merchant identifier on the network, not to a processor’s framework. Switch acquirers, add a backup, or expand into new markets without telling a customer to re-add their card.

  • Attribution · keep the credential history

    Every cryptogram, lifecycle event, and routing decision logs against your vault, not somebody else’s. Finance reconciles, compliance audits, engineering debugs from one trail.

  • Resilience · one outage, not the whole estate

    When a processor pauses, your credential estate does not pause with it. Route across PSPs, fall back, exit a contract without a migration project on the critical path.

Operating principles

The principles and values that shape everything we build.

Four commitments at the core of how we work, and the standard we hold ourselves to.

  • Direct network integrations, only.

    Every token Veliro provisions is enrolled with the issuing network’s own tokenization system. We do not wrap a processor’s token product, and we do not run a parallel scheme.

  • One tenant-isolated vault per customer.

    Each customer’s credentials live in a single tenant-isolated vault, with the data encryption key bound to your tenant. No shared cryptographic state and no cross-tenant lookup.

  • The credential estate stays portable.

    Switching acquirers, adding networks, or changing PSPs does not require re-tokenizing the cardholder. Network tokens belong to the merchant of record. In our model, that means they belong to you.

  • Numbers, not adjectives.

    Audit status is shared directly. Lifecycle webhooks are signed and replayable. The contract is the contract, in sandbox, in production, and in writing.

The company, in writing

Built to Level 1 PCI service-provider scope from day one.

The vault, the lifecycle service, and the direct network integrations are the company’s only product.

Veliro is the credential boundary between the card networks and the application stack: the audited, customer-tenanted layer where tokens live, lifecycle events are signed, and routing decisions are made.

Not a card network, not an acquirer, not a payment processor. The system of record for the credential, and nothing else. Everything above the vault is yours to choose.

Compliance posture

The artifacts that matter to procurement, with current status.

Veliro is the audited boundary, and our formal attestations are in progress on the roadmap below. Card data never enters the customer environment when integrated via Secure Fields; the hosted iframe keeps merchant scope at SAQ-A, and our scope sits one tier higher. Current status and audit timing live in the trust center.

Compliance certifications, scope, status, and evidence
Certification | Scope | Status | Evidence
SOC 2 Type II | Security, availability, confidentiality · 12-month audit window | In progress · observation window underway | SOC 2 status
PCI DSS v4.0 Level 1 | Vault, tokenization, cryptogram services | Scope locked · QSA assessment in progress | PCI scope
ISO/IEC 27001:2022 | ISMS · keys, vault tenancy, incident response | ISMS implemented · certification underway | Trust center
Direct network integration | MDES, VTS, AETS · not a reseller or BIN sponsor | Mastercard · Visa · Amex · in progress | Security posture


Where we work

Remote-first, across three timezones.

We’re a remote-first team, with people across the US, European, and APAC timezones so each network is covered during its business hours.

  • San Francisco, CA

    Headquarters
    Timezone: UTC−07:00 (PT)

  • Dublin, Ireland

    European team
    Timezone: UTC+00:00 (GMT)

  • Sydney, Australia

    APAC team
    Timezone: UTC+10:00 (AEST)

Build the credential layer.

We’re hiring senior engineers across the four teams that build the credential layer.

  • 4 · Networks engineering
  • 3 · Vault infrastructure
  • 2 · Platform reliability
  • 2 · Solutions engineering