Security

What we touch, and what we never do.

Security at a small top-up service is mostly about scope reduction — the less data we hold, the less can go wrong. Below is what actually lives on our infrastructure and what is intentionally kept out.

Card data isolation

The 16-digit bank-card number, the CVV and the expiry are entered on the dedicated checkout subdomain. That domain runs a thin form rendered through our PCI-compliant acquirer; the network call goes to the acquirer's hosted endpoint. Our application code does not have access to those fields, the browser does not forward them to the main site, and no logging on our side captures them.

What we do store after the payment returns: the order id (starts with cb-), the amount, the currency, the masked last-4 of the card, the mobile number you typed and the posting status. That is enough to support a chargeback dispute and nothing else.

Transport-layer hygiene

What we never touch

How a refund dispute works

If a top-up fails to post within 24 hours and we cannot trace the credit, the chargeback is filed at our cost. You do not need to contact the bank yourself — write to support@checkbuscard.org with the order id and we take it from there. Refund window: 14 calendar days.

Reporting a vulnerability

If you spot something that looks like a security issue (information disclosure, broken auth, payment-flow anomaly), write to support@checkbuscard.org with the subject line Security report. We do not currently run a paid bounty programme, but we acknowledge every report in writing within one working day and credit the reporter on request.