PCI DSS Compliance Statement
How Lilyera handles payment data securely.
Lilyera uses PayPal Checkout, including PayPal Wallet and Hosted Card Fields, to handle online payments. We do not process or store raw cardholder data such as the full card number, CVV, or expiration date.
Overview
Sensitive payment information is collected and transmitted directly to PayPal, a PCI DSS Level 1-certified payment processor.
Our payment flow is designed so that cardholder data remains within PayPal's hosted environment rather than our application servers.
Payment Flow
- Customers choose PayPal Wallet or Hosted Card Fields during checkout.
- PayPal manages tokenization, authorization, and settlement of the payment.
- Lilyera stores non-sensitive metadata only, such as card brand, last four digits, PayPal order or capture IDs, and transaction status.
Data Storage and Security
- We never store full PAN, CVV, track data, or expiration dates.
- Stored payment metadata is limited to non-sensitive transaction references.
- Communication with PayPal is protected by HTTPS using modern TLS versions.
- Operational order data is protected through access controls and secured infrastructure.
PCI Responsibility
Lilyera is responsible for protecting order metadata, customer accounts, and secure system integrations.
PayPal is responsible for securely processing and storing cardholder data as a PCI DSS Level 1-certified provider.
Compliance Scope
Because we do not handle raw cardholder data directly:
- We align with the reduced PCI DSS scope typically associated with SAQ A, the self-assessment questionnaire for merchants that fully outsource cardholder data handling.
- This lowers our compliance overhead while maintaining strong payment security.
Last updated: March 17, 2026