# How We Protect Your Payment Information
CaseConnect takes payment security seriously. We use industry-leading security practices to ensure your credit card and financial information is protected.
## What We DON'T Store
**CaseConnect does NOT store your actual credit card numbers.** Here's what we never store:
- ❌ **Full credit card numbers** - Never stored in our database
- ❌ **CVV/CVC security codes** - Never stored anywhere (PCI requirement)
- ❌ **Complete cardholder details** - Only what's needed for billing
- ❌ **Any data that could be used fraudulently**
## What We DO Store
We only store safe, non-sensitive reference information:
- Payment Token: "pm_1A2B3C4D5E6F" (reference ID, not your card)
- Card Brand: "Visa" or "Mastercard"
- Last 4 Digits: "4242" (for display purposes only)
- Expiration: Month and year
**What you see in your account:** "Visa •••• 4242 (Exp: 12/2025)"
This information cannot be used to make fraudulent charges.
## How Payment Processing Works
### When You Add a Card
1. **You enter your card details** in a secure form
2. **Stripe.js encrypts the data** in your browser
3. **Card details go directly to Stripe** - they never touch our servers
4. **Stripe validates and creates a token** (e.g., "pm_abc123")
5. **We receive only the token** and store it as a reference
6. **Your full card is stored encrypted** in Stripe's secure vault
**Key Point:** Your full credit card number never passes through or is stored on CaseConnect's servers.
## Our Payment Partner: Stripe
We use **Stripe** as our payment processor, one of the most trusted names in online payments.
### Stripe's Security Credentials
- ✅ **PCI DSS Level 1 Certified** - The highest level of payment security compliance
- ✅ **Bank-level encryption** - AES-256 encryption at rest
- ✅ **24/7 fraud monitoring** - Real-time threat detection
- ✅ **14+ years** without a major security breach
Stripe processes billions of dollars in payments annually for companies like Amazon, Google, Shopify, and millions of businesses worldwide.
## Security Features
### 1. Tokenization
Instead of storing your card number, we store a token like "pm_1A2B3C4D5E6F" that references your card in Stripe's vault. This token:
- Cannot be used to retrieve your full card number without API access
- Can be instantly revoked if compromised
- Is meaningless to anyone who doesn't have our Stripe API credentials
### 2. Encryption Everywhere
- **In your browser**: Stripe.js encrypts card data before sending
- **In transit**: HTTPS/TLS 1.2+ encryption for all communication
- **At rest**: Stripe uses AES-256 encryption in hardware security modules
### 3. No CVV Storage
CVV/CVC codes are:
- Used once for validation when you add a card
- Never stored anywhere (prohibited by PCI-DSS)
- Immediately discarded after verification
### 4. Fraud Detection
Stripe's advanced fraud detection includes:
- Machine learning models analyzing billions of transactions
- Real-time risk scoring
- Automatic blocking of suspicious patterns
## What If There's a Security Breach?
### If CaseConnect Database Compromised
**What an attacker would get:**
- Payment tokens (useless without API keys)
- Last 4 digits of cards (not enough to process payments)
- Card brands and expiration dates (non-sensitive)
**What an attacker would NOT get:**
- ❌ Full card numbers
- ❌ CVV codes
- ❌ Ability to charge your cards
**Your protection:** No actual card data would be exposed.
## Your Rights & Privacy
### When You Delete Your Account
When you delete your CaseConnect account:
1. All payment methods are detached from Stripe
2. Local payment references are deleted
3. Tokens are revoked and become invalid
4. Historical transaction data retained per legal requirements
5. Personal identifying information removed from payment records
## Managing Your Payment Methods
### In Your Account Dashboard
You can securely:
- ✅ View saved payment methods (last 4 digits, brand, expiration)
- ✅ Add new payment methods
- ✅ Set a default payment method
- ✅ Remove old or expired cards
- ✅ View payment history
- ✅ Download invoices and receipts
### What You'll See
For each saved payment method:
- Card brand (Visa, Mastercard, Amex, etc.)
- Last 4 digits (e.g., •••• 4242)
- Expiration date (MM/YYYY)
- Whether it's your default card
### What You Won't See
You will never see:
- Full card number (not stored)
- CVV code (never stored)
## Frequently Asked Questions
**Is it safe to save my credit card?**
Yes. We use Stripe's secure tokenization, which is the same technology used by Apple Pay, Google Pay, and major banks. Your actual card number is never stored on our servers.
**Can CaseConnect staff see my full card number?**
No. Even our administrators cannot view full card numbers. We only see the same information you see: last 4 digits, brand, and expiration.
**What if my card expires?**
Update your payment method in your account settings before the expiration date. You'll receive email reminders when a card is about to expire.
**How do I remove a saved card?**
Go to Account Settings → Payment Methods → Select the card → Click "Remove". Removed payment methods are immediately deleted from our system.
## Summary
**Your payment security at CaseConnect:**
✅ **No credit card numbers stored** - Only tokens and last 4 digits
✅ **PCI Level 1 processing** - Through Stripe's certified platform
✅ **Bank-level encryption** - AES-256 at rest, TLS 1.2+ in transit
✅ **Tokenization** - Safe references instead of actual cards
✅ **Fraud protection** - 24/7 monitoring and machine learning
✅ **Your control** - Add, remove, or update cards anytime
We've designed our payment system with your security as the top priority, partnering with industry leaders and following best practices to keep your financial information safe.
**For more technical details**, see our full documentation at `/var/docs/credit_card_storage_security.md`