Skip to main content

PCI-DSS posture

Last updated 2026-05-15

HAMRA processes payments through fully-redirect hosted checkouts. This is the simplest possible PCI-DSS posture and the one the PCI Council recommends for SaaS businesses that don't have a hardware reason to capture cards directly.

What this means in practice

When you pay HAMRA, your card data never touches HAMRA's servers, databases, logs, or staff. The flow is:

1. You click Subscribe on hamraofficial.com.

2. We create an order/checkout session via the gateway's API (Razorpay for India, Dodo Payments for international).

3. You are redirected to the gateway's own hosted checkout page (or a gateway-hosted iframe).

4. You enter card details on the gateway's domain. The gateway tokenizes the card.

5. The gateway returns a payment ID back to us via webhook. We store the payment ID, not the card.

At no point in this flow does any payment card data — PAN, CVV, expiry — pass through our infrastructure.

SAQ scope

Because we use exclusively gateway-hosted payment pages and never see card data, HAMRA's PCI-DSS scope is SAQ-A (the smallest possible self-assessment questionnaire). SAQ-A applies to merchants who:

  • Outsource all card-data handling to a PCI-DSS-validated third-party service provider.
  • Never store, process, or transmit card data themselves.
  • Have no electronic storage of card data.

We meet all three criteria.

Our gateway certifications

We use two payment service providers, both with current PCI-DSS Level 1 certifications (the highest):

  • Razorpay for INR payments — PCI-DSS Level 1, RBI-licensed.
  • Dodo Payments for international payments — PCI-DSS Level 1, multi-jurisdiction tax compliance.

You can verify their certifications directly with each vendor.

What HAMRA does store

We retain only what's required for accounting and customer-service purposes:

  • Gateway payment ID (e.g. pay_xxx for Razorpay).
  • Order ID and subscription ID.
  • Amount, currency, status, timestamp.
  • The plan and billing period associated with the payment.

None of these can be used to charge a card. They reference the gateway's tokenized records.

What HAMRA does NOT store

  • Full primary account number (PAN).
  • CVV / CVC.
  • Card expiry date.
  • Track data, PIN, or PIN block.
  • Customer-facing card images or document scans.

Reporting a payment-security concern

If you find what looks like a payment-flow vulnerability, please follow the security disclosure policy and email security@hamraofficial.com.

For card-data concerns specific to a transaction, contact your card issuer first — they have processes for disputing transactions that don't involve us at all.