HAMRA processes payments through fully-redirect hosted checkouts. This is the simplest possible PCI-DSS posture and the one the PCI Council recommends for SaaS businesses that don't have a hardware reason to capture cards directly.
What this means in practice
When you pay HAMRA, your card data never touches HAMRA's servers, databases, logs, or staff. The flow is:
1. You click Subscribe on hamraofficial.com.
2. We create an order/checkout session via the gateway's API (Razorpay for India, Dodo Payments for international).
3. You are redirected to the gateway's own hosted checkout page (or a gateway-hosted iframe).
4. You enter card details on the gateway's domain. The gateway tokenizes the card.
5. The gateway returns a payment ID back to us via webhook. We store the payment ID, not the card.
At no point in this flow does any payment card data — PAN, CVV, expiry — pass through our infrastructure.
SAQ scope
Because we use exclusively gateway-hosted payment pages and never see card data, HAMRA's PCI-DSS scope is SAQ-A (the smallest possible self-assessment questionnaire). SAQ-A applies to merchants who:
- Outsource all card-data handling to a PCI-DSS-validated third-party service provider.
- Never store, process, or transmit card data themselves.
- Have no electronic storage of card data.
We meet all three criteria.
Our gateway certifications
We use two payment service providers, both with current PCI-DSS Level 1 certifications (the highest):
- Razorpay for INR payments — PCI-DSS Level 1, RBI-licensed.
- Dodo Payments for international payments — PCI-DSS Level 1, multi-jurisdiction tax compliance.
You can verify their certifications directly with each vendor.
What HAMRA does store
We retain only what's required for accounting and customer-service purposes:
- Gateway payment ID (e.g.
pay_xxxfor Razorpay). - Order ID and subscription ID.
- Amount, currency, status, timestamp.
- The plan and billing period associated with the payment.
None of these can be used to charge a card. They reference the gateway's tokenized records.
What HAMRA does NOT store
- Full primary account number (PAN).
- CVV / CVC.
- Card expiry date.
- Track data, PIN, or PIN block.
- Customer-facing card images or document scans.
Reporting a payment-security concern
If you find what looks like a payment-flow vulnerability, please follow the security disclosure policy and email security@hamraofficial.com.
For card-data concerns specific to a transaction, contact your card issuer first — they have processes for disputing transactions that don't involve us at all.