Payment Card Security

We've designed billing so that we never handle your raw card data. Payment card details are entered directly on our payment processors' own hosted pages — full card numbers never touch our servers or your connection to us.

Part of NDEVR's compliance & conformity program · Processors: see sub-processors.

1. What we never see

When you buy a paid product or subscription, card entry happens on the hosted page of our payment processor (Stripe and/or PayPal). We do not store, process, or transmit full card numbers, CVV/CVC codes, or magnetic-stripe data — none of it reaches our application.

2. What we store

From the processor we keep only non-sensitive references:

  • the processor's customer ID,
  • a payment-method token that refers to the card vaulted at the processor (a reference, not the raw card),
  • masked display fields — card brand, last four digits, and expiry month/year,
  • a transaction ledger (amount, currency, status) and subscription status.

These let us show "Visa ending 4242" and manage your subscription without ever holding card data.

3. PCI scope

Because all cardholder data entry is fully outsourced to PCI DSS Level 1 certified processors, OWL falls in the simplest PCI DSS scope (SAQ A) — the self-assessment level for merchants who outsource all card handling to validated third parties.

To be precise: this describes our scope and architecture, not a formal PCI DSS certification of NDEVR. Our processors (Stripe, PayPal) are the PCI DSS Level 1 certified parties that handle the card data.

4. Questions

Billing-security questions: security@ndevr.org. How payment data is handled overall is described in the privacy policy.