Security and payments.

1. How card payments work

When you pay with a card, you are redirected from our site to a secure hosted payment page operated by NCB First Atlantic Commerce (FAC) PowerTranz. Your card details are entered into the bank's page — never into ours.

• Your card number, expiry, and CVV2/CVC2 are submitted directly to the gateway over an encrypted connection
• We receive only a transaction identifier, an authorisation code, the approval or decline status, and the card brand plus last four digits. No card number reaches our servers or database.
• Transactions are processed in Jamaican Dollars (JMD) and settled to a Jamaican merchant account

2. What we never store

Something Cool Enterprise never stores:

• Full card numbers (PANs)
• CVV / CVC / security codes
• Card expiry dates beyond the brand and last four digits used for receipts
• Bank account or routing numbers other than as needed to refund you

If anyone purporting to be from Something Cool Enterprise ever asks you for your full card number, CVV, or full expiry by email, phone, WhatsApp, or text, do not share it. Report it to admin@somethingcoolenterprise.com.

3. 3D Secure 2 (3DS2)

Every card transaction is authenticated using 3D Secure 2 — the industry standard mandated by Visa, Mastercard, and the local card schemes. Your issuing bank may ask you to confirm the transaction with a one-time passcode, in-app approval, or biometric check. This protects you against unauthorised use of your card.

4. PCI-DSS compliance

Something Cool Enterprise operates as a PCI-DSS SAQ-A merchant. SAQ-A is the self-assessment level that applies to merchants who fully outsource the capture, processing, and storage of cardholder data to a PCI-certified third party — exactly the hosted-page model we use with FAC PowerTranz.

• FAC PowerTranz is a PCI-DSS Level 1 certified payment gateway
• Card data is captured, transmitted, and stored exclusively within FAC's certified environment
• Our site never touches a raw card number. There is no payment iframe to inject and no card form on our server.

5. Cards we accept

• Visa credit and debit cards
• Mastercard credit and debit cards
• Jamaican-issued bank cards enrolled for online use

If your card is declined, contact your issuing bank first — most declines are caused by daily online-spend limits, geo-blocks, or 3DS enrolment status.

6. Connection security

• The whole site is served over HTTPS with a current TLS certificate. The padlock in your browser's address bar confirms the connection is encrypted.
• Sensitive cookies are flagged Secure, HttpOnly, and SameSite to limit interception and CSRF
• Account passwords are stored as one-way bcrypt hashes — even our own staff cannot read them

7. Operational security

• Admin access requires a unique account and password per person; shared logins are not used
• Administrative actions (price changes, quote issuance, refunds, role changes, content edits) are written to an audit log capturing who did what and when
• Access is reviewed at off-boarding — credentials are revoked the same day someone leaves the team
• We follow least-privilege: admin only what the role requires
• Backups are encrypted and held off-host; restore drills are run periodically

8. Fraud and disputed transactions

If you see a charge from us you don't recognise:

1. Check your email for a confirmation from noreply@somethingcoolenterprise.com — the order number on the receipt should match the descriptor on your statement
2. Email admin@somethingcoolenterprise.com with the date, amount, and last four digits of the card. We respond within 1 business day.
3. If the charge is genuinely unauthorised, contact your issuing bank to dispute it under card-scheme rules and report the suspected fraud

9. Responsible disclosure

We welcome reports from security researchers who follow a responsible-disclosure approach. If you believe you have found a vulnerability:

• Email admin@somethingcoolenterprise.com with a clear description, steps to reproduce, and (where safe) a proof of concept
• Give us reasonable time to investigate and remediate before any public disclosure
• Do not access, modify, or download data that is not yours; do not disrupt the service; do not run automated scans that degrade performance
• We will not pursue legal action against researchers who act in good faith and follow this policy. We will acknowledge your report within 2 business days and keep you posted on remediation.

10. Incident response

If we become aware of a security incident affecting personal data or customer accounts, we commit to start investigating within 72 hours. Where a breach is likely to cause harm we notify the Office of the Information Commissioner of Jamaica and affected data subjects without undue delay, in line with the Data Protection Act 2020. See our privacy policy (Personal data breaches).

11. Data we do store

Linked to each transaction we keep:

• Order number, items, total, currency, and tax
• FAC transaction identifier and authorisation code
• Approval or decline status and the ISO response code
• Card brand and last four digits (for your receipt only)
• Billing and delivery address you provided
• Your account email, name, and phone number

See our privacy policy for how this data is handled, retained, and deleted, and our terms for the contractual liability cap that applies to security incidents.