Click here to see documentation for V4 of our Mobile SDK and our Gateway API.


Security is one of the most important considerations in everything we do here at CardFlight. If you have any questions, issues or concerns, please contact us at

PCI Compliance

CardFlight's systems and processes are designed to comply with the Payment Card Industry (PCI) Data Security Standards.


CardFlight forces HTTPS for all services, including our public website. We use the highest level of SSL encryption possible, using 256-bit Extended Validation ensuring that all communications are secure. We perform regular audits of certificates we serve, the certificate authorities we use, and the ciphers we support.

In addition to using HTTPS we strictly use HSTS to ensure browsers interact with CardFlight only over HTTPS and never a non-secure connection.


CardFlight supports encryption through all steps of a transaction. Card data is encrypted from the reader to our servers to our supported payment processors. All card data is encrypted using the highest level of TDES data encryption using DUKPT key management, guided by PCI-DSS requirements. Each CardFlight reader is assigned a unique serial number for tracking purposes.

CardFlight's infrastructure for decrypting, and transmitting card numbers runs on a separate server, and doesn't share any credentials with CardFlight's primary services (API, website, etc.). Physical access to our servers is monitored by security personnel 24 hours a day and requires multiple levels of authentication, including biometric procedures.

Card Data

Card data is fully encrypted from the CardFlight reader to our backend server, and cannot be read or decrypted by you, reducing your PCI Compliance requirements. CardFlight does not permanently store any card transaction data on our servers except the last 4 digits, expiry date, and cardholder’s name.