How is card data kept safe (StoredPaymentMethod tokens, never raw card data)?
Saved payment methods are stored as StoredPaymentMethod records that hold only the provider's opaque token and safe display info (brand, last four, expiry) — never the raw PAN, CVV, or full card details. Charging uses the token via the gateway; the sensitive data lives with the PCI-compliant provider, not in Okommerce. Cards in use by an active subscription are also protected from casual removal. This token-only design is the core of keeping card data safe and keeping the platform's PCI exposure minimal.
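A sketch of the token-only record described above, as an added example that is not Okommerce's own code: the field names, the `looks_like_pan` guard and the `remove_method` helper are assumptions, and "protected from casual removal" is modelled here as a hard refusal. The guard rejects any field value that contains a Luhn-valid 13 to 19 digit run, so a raw card number cannot be saved in place of the provider token.

```python
import re
from dataclasses import dataclass, fields

# 13-19 digits with optional space/hyphen separators (typical PAN shapes)
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True if value contains a digit run that is plausibly a card number."""
    return any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in PAN_RE.finditer(value))

@dataclass(frozen=True)
class StoredPaymentMethod:
    # Hypothetical field names; only the token and display info are kept.
    provider_token: str   # opaque reference issued by the payment provider
    brand: str
    last_four: str
    exp_month: int
    exp_year: int
    # Deliberately no pan / cvv fields: there is nowhere to put them.

    def __post_init__(self):
        if not re.fullmatch(r"\d{4}", self.last_four):
            raise ValueError("last_four must be exactly four digits")
        for f in fields(self):
            if looks_like_pan(str(getattr(self, f.name))):
                raise ValueError(f"{f.name} looks like a raw card number")

def remove_method(method: StoredPaymentMethod, active_subscription_tokens: set) -> bool:
    """Refuse removal while an active subscription still bills this token."""
    if method.provider_token in active_subscription_tokens:
        raise PermissionError("card is in use by an active subscription")
    return True

if __name__ == "__main__":
    # Constructed sample values; the token is not a real provider token.
    card = StoredPaymentMethod("tok_constructed_9f3a", "visa", "1111", 12, 2030)
    print(remove_method(card, active_subscription_tokens=set()))
```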