PCI DSS Compliance Statement
How Lilyera handles payment data securely.
Lilyera uses Flutterwave hosted checkout and other provider-hosted payment experiences made available through Flutterwave to handle online payments. We do not process or store raw cardholder data such as the full card number, CVV, or expiration date.
Overview
Sensitive payment information is collected and transmitted directly to Flutterwave and the provider-hosted payment surfaces Flutterwave makes available for eligible methods.
Our payment flow is designed so that cardholder data remains within hosted payment environments rather than our application servers.
Payment Flow
- Customers are redirected to Flutterwave hosted checkout to choose from the payment methods enabled for the active checkout currency.
- Flutterwave manages payment collection, authorization, and settlement for cards and other enabled payment methods.
- Lilyera stores non-sensitive metadata only, such as transaction or reference IDs, payment method, limited card metadata returned by the provider, and payment status.
Data Storage and Security
- We never store full PAN, CVV, track data, or expiration dates.
- Stored payment metadata is limited to non-sensitive transaction references.
- Communication with Flutterwave and backend payment verification endpoints is protected via HTTPS and modern TLS.
- Operational order data is protected through access controls and secured infrastructure.
PCI Responsibility
Lilyera is responsible for protecting order metadata, customer accounts, and secure system integrations.
Flutterwave and eligible provider-hosted payment surfaces are responsible for securely processing and storing cardholder data for the payment methods they handle.
Compliance Scope
Because we do not handle raw cardholder data directly:
- We align with the reduced PCI scope typically associated with SAQ A.
- This helps lower compliance overhead while maintaining strong payment security.
Last updated: April 8, 2026