MentrdLegalOpen app →

Effective May 28, 2026

PCI Compliance

Short answer: Mentrd never sees, transmits, or stores your card number. Stripe handles all card processing, and Stripe is PCI DSS Level 1 certified, the highest tier.

1. What PCI DSS is

The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework set by the major card networks (Visa, Mastercard, American Express, Discover, JCB). It defines the controls every business that touches payment card data has to meet.

There are four merchant levels based on transaction volume. Level 1, the strictest, requires annual on-site audits by a Qualified Security Assessor.

2. Mentrd’s PCI scope

Mentrd’s scope is intentionally minimised through a clean separation: we never receive, see, transmit, or store cardholder data. When you subscribe or top up credits, your card details go directly from your browser to Stripe’s servers via a Stripe-hosted checkout page or Stripe Elements iframe.

What Mentrd does store, post-payment, is metadata returned by Stripe: your subscription status, plan, billing cycle, transaction IDs, and the last 4 digits of the card brand for display. None of that is sensitive cardholder data under PCI DSS.

3. Our processor: Stripe

Stripe, Inc. is a PCI DSS Level 1 Service Provider, certified annually by an independent QSA. Their compliance covers the infrastructure that processes your card on Mentrd’s behalf.

You can verify Stripe’s certification directly:

4. What this means in practice

  • If Mentrd were breached, your card number cannot be exposed because we don’t have it.
  • If you dispute a charge, contact your card issuer first; we’ll cooperate with Stripe’s dispute process.
  • To update or remove a card on file, use the Settings → Billing page in the app. That surface is rendered by Stripe’s Customer Portal.
  • SAQ A applies to Mentrd’s payment scope (the simplest PCI Self-Assessment Questionnaire, for merchants who fully outsource card handling).

5. Other security commitments

Beyond payments, we encrypt data in transit (TLS 1.2+) and at rest, scope database access to authenticated user identifiers, and rotate secrets regularly. See our Privacy Policy for the full list of sub-processors and where your data lives.

6. Reporting a security issue

If you believe you’ve found a vulnerability in Mentrd, please email security@mentrd.ai. We acknowledge reports within one business day and we’re committed to working transparently with researchers acting in good faith.

Questions? security@mentrd.ai