Are my payments secure?

Payment infrastructure

All payments are processed by Stripe (stripe.com/security):

• PCI-DSS Level 1 (highest tier).
• SOC 1 Type II + SOC 2 Type II.
• ISO 27001.
• 256-bit AES at rest, TLS 1.3 in transit.

What we see vs. what Stripe sees

• AICT sees: card brand (Visa/MC/Amex), last 4 digits, expiry, billing email, country.
• Stripe sees: full PAN, CVV. We never receive these — your browser tokenizes them via Stripe.js before any data reaches our servers.

What's stored on AICT

• Stripe customer ID (cus_xxx).
• Subscription status / current plan.
• Invoice history (PDFs hosted by Stripe).
• A non-reversible token to charge you on renewals (also a Stripe object, not a card number).

If our database leaked tomorrow, no card data would be exposed because we don't have any.

3D Secure (SCA)

For EU users, we enforce Strong Customer Authentication. Most Visa/MC issuers handle this transparently; you may occasionally see a bank verification step on first charge.

Suspicious activity

We use Stripe Radar to flag anomalies:

• Sudden geographic shifts.
• Multiple failed CVV attempts.
• Mismatched billing/IP country.

Suspicious payments are held for review. You'll see "Payment pending verification" — typically clears in 4 hours.

Refunds + chargebacks

Full refund window 14 days (see Refund policy). If you dispute a charge with your bank, please contact us first — we resolve 95% of disputes without chargeback fees.

Reporting security issues

Found a vulnerability? Email [email protected] (PGP key at /security.txt). We have a disclosure program with bounties up to $5,000 for critical issues.