Vendor requirements

Learn about what's required before you can deploy your merchant app.

Overview

To go live with your app on a Castles device alongside the PXP payment application, you'll need to fill in an integrator / vendor requirements and attestation pack. This allows us to verify that your app complies with PCI DSS and PCI PTS POI requirements, and doesn't access, store, process, or transmit cardholder data or sensitive authentication data (CHD/SAD).

Requirements

Vendor information

You'll need to supply the following vendor information:

  • Company name.
  • Application name.
  • Application version.
  • Contact name.
  • Contact email.
  • Phone.
  • Website.
  • Device model(s) supported.
  • Android version(s) supported.
  • SDK/API versions used.

Application technical summary

You'll need to attach or provide the following documents:

  • Vendor release notes describing new or changed functionality.
  • Application data flow diagram showing all logical interfaces and network endpoints.
  • List of Android permissions requested by the app.
  • Details of any services, APIs, or broadcasts used.
  • Security testing report (automated static/dynamic code analysis or penetration test).
  • Cryptographic hash (SHA-256) of the release APK file.

Required vendor attestations

You'll need to attest to the following:

  • The application does not have any logical interface that allows the storage, processing, or transmission of clear-text cardholder or sensitive authentication data.
  • The application does not access the payment kernel, SRED, PIN entry, or card reader components of the Castles payment device.
  • The application has been subjected to security testing, and all identified vulnerabilities have been remediated prior to release.
  • A cryptographic hash (SHA-256) of the release APK has been provided to PXP for integrity verification.
  • The vendor maintains a documented Secure Software Development Life Cycle (SDLC) process that includes secure coding, peer review, and vulnerability management.
  • Any future updates will be accompanied by updated documentation, test results, and a new attestation.
  • The vendor consents to PXP performing independent verification and testing as part of the approval process.
  • The vendor agrees to notify PXP within 24 hours of any security incident related to the application.
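The SHA-256 checksum asked for in the technical summary and attested to above is the only integrity control in the pack, so it is worth producing it in a form that can be re-checked mechanically. The following is an added example, not part of this documentation or of any PXP or Castles tooling: a vendor-side function that writes the digest record for the release APK, and a reviewer-side function that recomputes the digest of the file actually received and compares it with the record. File names and paths are assumptions.

```shell
# Added example (not PXP/Castles code): generate the SHA-256 record of a
# release APK and verify a received APK against that record.
# File names used with these functions are assumptions, not values from the page.

# Print the SHA-256 digest of a file, using whichever tool the host provides.
apk_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Vendor side: write "<hash>  <filename>" so the record names exactly one file.
write_apk_record() {
  # $1 = APK path, $2 = output record path
  printf '%s  %s\n' "$(apk_sha256 "$1")" "$(basename "$1")" > "$2"
}

# Reviewer side: recompute the digest of the received APK and compare it with
# the hash in the record. Returns 0 on match, 1 on mismatch or empty record.
verify_apk_record() {
  # $1 = APK path, $2 = record path
  expected=$(awk 'NR==1 {print $1}' "$2")
  actual=$(apk_sha256 "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage (assumed file names):
#   write_apk_record release.apk release.apk.sha256
#   verify_apk_record release.apk release.apk.sha256 || echo "APK does not match attested hash"
```

Run the verification against the APK that will actually be deployed, not against a copy supplied alongside the record; a mismatch means the binary under review is not the one the vendor attested to, and the pack should be rejected until a consistent hash and attestation are resubmitted.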

Secure software standard

You'll need to tell us whether your application is validated against the PCI Secure Software Standard. If it is, you'll need to provide the SSC listing number, the version numbers matching the AoC and listing, and the PCI SSC-countersigned AoC.

Vendor signature

We'll ask you for a signature, alongside your name and title, the name of the company, and the date you're signing.

Submission checklist

Before you submit your pack, make sure you've included all of the following:

  • Vendor release notes.
  • Data flow diagram.
  • Security test report.
  • SHA-256 checksum of APK.
  • Signed attestation.
  • AoC (if applicable).
  • SDLC documentation.