GetMyHotels.comBeta
DestinationsHow it worksGet the appClaude & ChatGPT
GetMyHotels.com

AI-native hotel and flight booking. Tell us where, we handle the rest.

Discover

  • Search hotels
  • Destinations
  • Get the app
  • Claude & ChatGPT
  • Blog

Help

  • Help center
  • FAQs
  • Contact support

Company

  • About
  • Careers
  • Press

Legal

  • Terms
  • Privacy
  • Cookies
© 2026 GetMyHotels. All rights reserved.
TermsPrivacyYour privacy choicesComplianceLegalDelete accountSitemap
Back to compliance
Payment security

How your payment is protected

GetMyHotels never sees, stores, or transmits raw card numbers. Every payment is processed through Stripe, our PCI DSS Level 1 certified provider, using tokenized references and the latest authentication standards. Last reviewed 2026-05-27.

PCI DSSCard data security
We operate in the lowest PCI scope (SAQ-A) because card data is captured in hosted payment elements that load directly from Stripe's PCI environment.
No raw card data
Card numbers, CVVs, and expiry dates are entered into iframes or native SDK fields hosted by Stripe. They never traverse our servers, logs, or databases.
3D Secure 2 / SCA
EU + UK transactions enforce Strong Customer Authentication via 3D Secure 2.2. The checkout transparently triggers issuer challenge flows where required.
One global processor
Stripe handles every transaction worldwide under a single PCI DSS Level 1 certification, with tokenized references and local acquiring that maximizes approval rates.

What we accept

Card networks

VisaMastercardAmerican ExpressDiscoverDiners ClubJCBUnionPay

Digital wallets

Apple PayGoogle Pay

Apple Pay and Google Pay use device-bound tokens; the merchant (us) never sees the underlying card number even once.

Local methods

  • • Klarna (select EEA + US markets, via Stripe)

Our processor & its certifications

Stripe
All regions
  • PCI DSS Level 1 Service Provider
  • SOC 1 + SOC 2 Type II
  • ISO 27001:2022
  • EU-US Data Privacy Framework

Fraud prevention

  • Stripe Radar scores every authorization against device fingerprints, BIN-country mismatches, and the card network's velocity rules.
  • Bookings get a per-traveller velocity check (max 4 attempts / 24h on the same email or device fingerprint).
  • Refunds, chargebacks, and disputes are reconciled to the underlying booking via a deterministic Idempotency-Key — no double-charge or double-refund paths.
  • Sanctions screening (OFAC SDN) runs on every payer name before capture; payouts to listed entities are blocked.

Where to learn more

  • PCI DSS standard
  • Stripe security overview