PCI Compliance Statement

Last updated: May 1, 2026

How card data is handled — tokenized in the browser, never stored on our servers.

1. Card Data Never Touches Our Servers

We use PaymentCloud’s CollectJS to tokenize cards inside the bidder’s browser. The PAN (full card number), CVV, and expiration are submitted directly from the bidder’s browser to PaymentCloud’s servers. Our servers receive only a single-use payment token, which we exchange for a Customer Vault id used for future merchant-initiated charges.

This places our environment in PCI DSS SAQ-A scope — the lightest assessment, applicable to merchants who fully outsource cardholder data handling.

2. What We Store

  • Card brand (Visa, Mastercard, etc.);
  • Last 4 digits of the card;
  • Expiration month and year;
  • PaymentCloud Customer Vault id (a token, not a card number);
  • Successful transaction ids for our internal records.

3. Encryption At Rest

Sensitive seller PII (bank account numbers, routing numbers) is encrypted at rest with AES-256-GCM using per-deployment keys. The key never leaves the application's secret manager.
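As an added illustration of the field-level encryption described above (example code, not the site's own implementation), the following Go sketch seals one PII value with AES-256-GCM using a fresh random nonce and associated data that binds the ciphertext to its record. The key is passed in as a byte slice in place of a secret-manager lookup, and the nonce || ciphertext || tag envelope layout and the aad naming scheme are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-256-GCM from a 32-byte key. In production the key is
// fetched from the secret manager at startup and held only in memory.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value with a fresh random nonce. aad (for example
// "seller:42:bank_account", an assumed naming scheme) is authenticated but not
// encrypted, so a ciphertext moved to another row or column will not open there.
// Envelope layout (assumed, not the site's): nonce || ciphertext || tag.
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField opens an envelope from EncryptField. Any change to nonce,
// ciphertext, tag or aad makes Open fail closed with an error.
func DecryptField(key, envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, envelope[:n], envelope[n:], aad)
}
```

Because the tag covers the aad, decrypting a value under a different record's aad, or after flipping a single ciphertext byte, returns an error rather than garbage.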

4. Network Security

  • TLS 1.2+ everywhere;
  • HSTS, secure cookies, strict same-site;
  • Webhook signature verification on PaymentCloud and streaming events;
  • Rate limiting on auth and high-write endpoints.

5. Audit & Logging

Admin actions (refunds, voids, account suspensions) are logged. Logs are retained per our standard retention schedule.

6. Reporting Security Issues

Email trust@indiecomicslive.com with reproduction steps. Please don’t test against live data.