Domain-Specific Solution · S2

Payment Security & Digital Public Infrastructure

Security advisory and assurance for payment systems, real-time payment infrastructure and digital public infrastructure — with practitioner-level expertise in Mojaloop, Tazama, COMESA, PCI DSS, SWIFT CSP and CBDC deployments across Africa, Asia and the Middle East.

Mojaloop · Tazama · COMESA
PCI DSS v4 Certified
SWIFT CSP Advisory
CBDC Security Advisory
DPI Standards Coverage
Platforms: Mojaloop · Tazama · COMESA · OpenG2P · Instant Payment Rails
Standards: PCI DSS v4 · SWIFT CSP · ISO 20022 · Open Banking Security
Coverage: CBDC Security Advisory · RTGS · Cross-Border Payments · DPI
Regions: Africa · Asia · Middle East · Pacific · Emerging Market DPI
Testing: Penetration Testing · Threat Modelling · API Security · HSM Review
Aligned: BIS CPMI · FSB · FATF · Central Bank Payment Regulations
Delivery: Founder-Led · Practitioner-Experienced in Live Payment Systems

Security at the payment infrastructure layer

Most payment security engagements focus on the application layer — PCI DSS compliance, penetration testing of payment portals, API security reviews. What they rarely address is the infrastructure layer: the real-time settlement rails, the transaction monitoring platforms, the interoperability frameworks and the central bank digital infrastructure that modern payment systems are built on. Those layers carry systemic risk that application-layer security cannot mitigate.

Nucleus Systems has practitioner-level expertise in the open-source DPI payment stack deployed across Africa, Asia and the Middle East — including direct experience with Mojaloop (the Level One Project real-time payments platform), Tazama (open-source transaction monitoring for financial crime detection), and the COMESA regional payment framework. Our practitioners have worked inside these systems, not just assessed them from the outside.

We combine that infrastructure expertise with NS-CMMF maturity methodology and PCI DSS, ISO 20022, and SWIFT CSP compliance advisory — delivering security programmes that address both the technical architecture of the payment system and the institutional governance that regulates it.

Open-Source DPI Expertise
Mojaloop · Tazama · COMESA — inside knowledge
Our practitioners have direct, hands-on experience with the open-source payment infrastructure frameworks being deployed at scale across Africa and Asia. We know their architecture, their trust boundaries, and their specific threat model — not from documentation, but from working in and around these systems.
Regulatory Breadth
PCI DSS v4 · ISO 20022 · SWIFT CSP · CBDC guidance
Payment infrastructure sits at the intersection of multiple overlapping regulatory frameworks. We advise across PCI DSS v4, ISO 20022 security requirements, SWIFT Customer Security Programme, central bank digital currency security standards, and the emerging DPI regulatory frameworks being developed by regional bodies.
Regional Focus
Africa · Asia · Middle East payment ecosystems
We operate where the DPI payment transformation is actually happening — sub-Saharan Africa, East Africa, West Africa, South Asia and the Gulf. Our team understands the regulatory environment, the threat landscape, and the operational constraints of payment operators in these markets.

Services

From PCI DSS compliance programmes to central bank CBDC security architecture — covering the full payment security landscape at both the system and infrastructure layer.

Payment System Security Assessment

Comprehensive security assessment of payment system architecture against PCI DSS v4, ISO 20022 security requirements, and applicable regulatory frameworks. Covers application, API, infrastructure and governance layers.

Mojaloop Platform Security Review

Purpose-built security assessment for Mojaloop deployments — covering the switch architecture, participant API security, settlement layer, account lookup service, and operator governance controls. Based on direct platform expertise, not generic API security tooling.

Tazama Transaction Monitoring Security

Security assessment of Tazama deployments for financial crime detection infrastructure — covering data ingestion pipelines, rule engine security, alert management, and integration with core payment platforms. Threat model focused on insider risk and data integrity.

Digital Public Infrastructure Security Advisory

Security advisory for DPI deployments — payment rails, identity systems, and data exchange infrastructure. Architecture review, threat modelling, and governance framework design for government and central bank DPI programmes.

Real-Time Payment Security Architecture

Security architecture review and design for real-time payment systems — including settlement finality controls, fraud detection integration, participant onboarding security, and API gateway hardening for high-throughput payment rails.

Financial Crime & Fraud Risk Assessment

Risk assessment of financial crime controls — AML transaction monitoring effectiveness, fraud detection coverage gaps, sanctions screening, and correspondent banking risk. Aligned to FATF recommendations and regional regulatory requirements.

SWIFT Customer Security Programme (CSP)

Assessment and advisory for SWIFT CSP compliance — covering all mandatory and advisory controls in the Customer Security Controls Framework (CSCF). Deliverables include self-attestation evidence packages and gap remediation roadmaps.

Central Bank Digital Currency (CBDC) Security Advisory

Security architecture and risk advisory for CBDC programmes — covering wholesale and retail CBDC models, distributed ledger security, participant access controls, privacy-preserving design, and the regulatory security obligations emerging from BIS and IMF CBDC guidance.

Standards & Framework Coverage

Every engagement is scoped against the regulatory and standards obligations applicable to the specific payment infrastructure and jurisdiction.

PCI DSS v4
Full PCI DSS v4 assessment capability — Requirements 1–12, SAQ and ROC scoping, compensating controls design, and QSA-ready evidence packages. Aligned to the v4 shift toward customised implementation and continuous compliance monitoring.
SWIFT CSCF
SWIFT Customer Security Controls Framework (CSCF) advisory for banks and payment operators — mandatory controls (Objectives 1–3) and advisory controls (Objectives 4–7). Self-attestation preparation, evidence management, and independent assessment advisory.
ISO 20022 Security
ISO 20022 migration security advisory — covering the security implications of the SWIFT MT to MX migration, structured data validation, richer payment data governance, and the fraud risk changes that accompany ISO 20022 adoption.
DPI & Regional Frameworks
Coverage of DPI security standards including G20 DPI principles, GovStack security building blocks, GSMA mobile money security guidelines, and regional frameworks including COMESA payment system requirements and East African Community financial integration security standards.

Speak with a practitioner who knows your payment infrastructure from the inside

Whether you're running Mojaloop, preparing for PCI DSS v4, deploying a CBDC programme, or assessing SWIFT CSP compliance — book a call with a specialist who has worked in and around these systems.