Cardholder Data Flow Diagram
Effective: March 8, 2026
1. Purpose
This document maps all cardholder data flows within and through H33 systems in compliance with PCI DSS Requirement 1.2.4. It identifies every system component that stores, processes, or transmits cardholder data, and confirms H33's minimal PCI scope.
2. Overview
H33 does NOT store, process, or transmit raw cardholder data. All payment processing is fully outsourced to Stripe, a PCI DSS Level 1 certified service provider. Cardholder data (PAN, CVV, expiration date, cardholder name) never enters H33-controlled infrastructure at any point in the transaction lifecycle.
Key Finding: H33's PCI scope is minimal. Card data is captured by Stripe.js in the customer's browser and sent directly to Stripe's API; it is never included in any request to H33 servers. H33 systems receive only Stripe-generated identifiers and non-sensitive payment confirmation metadata.
3. Data Flow Diagram
The following diagram illustrates the complete payment data flow from customer initiation through credit provisioning:
Customer Browser
|
| (1) HTTPS / TLS 1.3
v
Stripe.js (client-side tokenization)
|
| (2) Card data sent directly to Stripe
| Card data NEVER touches H33 servers
v
Stripe API (PCI DSS Level 1 Certified)
|
| (3) Webhook: payment_intent.succeeded
| Payload: payment_intent.id, email,
| plan tier, amount, currency
| NO PAN, NO CVV, NO expiry
v
H33 Netlify Function (stripe-webhook.mjs)
|
| (4) Provisions credits via Auth1
| Passes: tier, email, session_id
| NO cardholder data
v
Auth1 Microservice (Elastic Beanstalk)
|
| (5) Records credit balance
v
RDS PostgreSQL (credit balance only)
4. What H33 Receives From Stripe
When a payment succeeds, Stripe sends a payment_intent.succeeded webhook event to H33's Netlify function. The event carries Stripe's PaymentIntent object; the fields H33 uses from it are limited to the following, none of which is cardholder data:
| Field Received | Sensitive? | Description |
|---|---|---|
| payment_intent.id | No | Stripe-generated payment reference identifier |
| customer.email | PII (not CHD) | Customer email address for account matching |
| plan_tier | No | Selected credit pack tier (e.g., Starter, Growth) |
| amount | No | Payment amount in the smallest currency unit (e.g., cents for USD) |
| currency | No | Three-letter ISO 4217 currency code (e.g., usd) |
H33 does NOT receive: PAN (primary account number), CVV/CVC, expiration date, cardholder name, card brand, or any other cardholder data element as defined by PCI DSS.
5. Cardholder Data Environment (CDE)
H33 has no Cardholder Data Environment. The CDE exists entirely within Stripe's PCI DSS Level 1 certified infrastructure. H33's systems are outside PCI DSS scope for card data storage, processing, and transmission.
- Card storage: Stripe (H33 stores no card data)
- Card processing: Stripe (H33 never processes card transactions)
- Card transmission: Stripe.js to Stripe API (H33 servers never receive card data in transit)
6. Network Segmentation
Network segmentation is not required for PCI compliance because H33 has no CDE to segment. However, H33 maintains network segmentation as a defense-in-depth measure for general security purposes:
- VPC private subnets: Application and database tiers reside in private subnets with no direct internet access
- Security groups: Restrictive ingress/egress rules limit traffic to required ports and protocols
- NAT gateway: Outbound internet access for private subnets routed through NAT gateway
- CloudFront CDN: Public-facing traffic terminates at CloudFront, not at origin servers
7. Third-Party Services in Payment Flow
| Service | Role | PCI Status | Handles Card Data? |
|---|---|---|---|
| Stripe | Payment processing, tokenization, card storage | PCI DSS Level 1 | Yes (sole handler) |
| Netlify | Hosting, serverless functions (webhook receiver) | SOC 2 Type II | No |
| AWS (us-east-1) | Infrastructure (RDS, ElastiCache, EC2) | PCI DSS Level 1 | No |
| Auth1 (Elastic Beanstalk) | Authentication, credit provisioning | Internal service | No |
8. SAQ Eligibility
Based on the cardholder data flow documented above, H33 qualifies for SAQ A (Self-Assessment Questionnaire A), the smallest PCI DSS validation questionnaire. SAQ A applies to card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of cardholder data on the merchant's own systems. SAQ A eligibility does not take the H33 checkout page out of the assessment: the page that loads Stripe.js is H33-controlled, so the SAQ A requirements that apply to the merchant's payment page and the scripts it loads (in the PCI DSS version in force at the time of assessment) remain H33's responsibility.
Eligibility criteria met:
- All payment processing is outsourced to Stripe (PCI Level 1)
- Card data is tokenized client-side via Stripe.js
- H33 systems do not store, process, or transmit cardholder data
- H33 does not electronically store cardholder data on any system
- H33 confirms its third-party payment processor is PCI DSS compliant
9. Annual Review
This cardholder data flow diagram and the PCI DSS compliance posture it documents are reviewed annually, or whenever a material change occurs in the payment processing architecture. The next scheduled review is March 2027.
Changes that would trigger an immediate review include:
- Addition of a new payment processor or gateway
- Changes to client-side payment form implementation
- Introduction of any server-side card data handling
- Changes to webhook payload structure from Stripe
- Material infrastructure changes affecting payment flow
Questions about PCI compliance?
Contact our Security team at privacy@h33.ai