Last updated: 30 May 2026
This statement describes how {{COMPANY_NAME}} ("we", "Lucky Rule") handles card data on lucky-rule.r-one.dev (the "Site") and our position under the Payment Card Industry Data Security Standard ("PCI DSS").
1. We do not store card data
Lucky Rule does not collect, transmit or store full payment-card numbers, card verification values (CVV/CVC), full track data, PINs or any other element of cardholder data on its servers. When you buy Virtual Coins, the card payment form is hosted by a PCI DSS-certified payment service provider (a "PSP"). Card details are sent directly from your browser to the PSP over TLS. We receive only the result of the transaction (success/failure, an opaque reference, the masked last four digits, the currency and the amount).
2. Our PCI DSS scope
Because cardholder data is fully outsourced to certified PSPs and our environment is configured so that it cannot interact with that data, our scope falls under SAQ A of the PCI DSS self-assessment family. We confirm that:
- All card-data entry pages are served from the PSP's domain (or a fully PSP-hosted iframe / hosted redirect), not from ours.
- No script on the Site has access to the PSP's card-entry fields.
- Any redirect URLs to the PSP are protected by HTTPS and configured in the PSP dashboard, not constructed on the fly by the Site.
- TLS is enforced site-wide via HTTPS and, where supported, HSTS (the Strict-Transport-Security response header).
3. Active payment service providers
The PSPs we currently use are listed below. Each is PCI DSS Level 1 certified (the highest level) and publishes its current Attestation of Compliance:
{{PSP_LIST}}
If a PSP is added or removed, this statement and the Privacy Policy are updated within 30 days.
4. Other safeguards
- 3-D Secure 2 is enforced on card transactions where the PSP supports it, redirecting the cardholder to their bank for authentication.
- Per-transaction and per-month spending caps apply (see Responsible Gaming).
- Suspicious or repeat-decline transactions are flagged for manual review.
- Internal access to transaction records is restricted to authorised personnel and is logged.
- Backups containing transaction metadata are encrypted at rest.
5. What we ask of you
- Use a card that belongs to you, in your name and at your billing address.
- Do not share your account, password or one-time passcodes with anyone.
- If you spot an unauthorised charge, contact your card issuer and us at {{SUPPORT_EMAIL}} as soon as possible.
6. Contact
For any payment-security concern: {{SUPPORT_EMAIL}}. For privacy questions linked to payments: {{PRIVACY_EMAIL}}.