Trust · last updated May 2026

Security note

This page describes the practical measures we take around the nolcard recharge flow. It is intentionally short — long security pages are usually a sign of marketing, not engineering. If anything below is unclear, please email support@checkdubaicard.org.

Two domains, one purpose

The main desk lives on checkdubaicard.org; the card form lives on checkout.checkdubaicard.org. The split lets us keep the main pages free of any code that touches the card number, expiry or CVV. The redirect carries only the order summary in the URL — amount, currency, mobile, Nol type and serial, and the order reference.

What we do and do not store

• We store the +971 mobile number, the Nol serial, the card type, the AED amount, the timestamp and the order reference.
• We store the masked card last four digits and the brand returned by the gateway.
• We do not store full card numbers, expiry dates, security codes or 3-D Secure tokens.

Transport

Both domains are served over TLS only. HTTP requests are redirected to HTTPS at the edge. The cookie banner persistence runs on local storage, not on a tracking cookie.

Card processing

Card data is collected on a hosted page operated by a payment-card-industry-compliant gateway. The gateway tokenises the card and we never see the raw values. 3-D Secure is enforced when your bank requires it — for most UAE-issued cards that means an OTP step.

Reporting an issue

If you believe a transaction was fraudulent, write to support@checkdubaicard.org immediately with the order reference. We work with the gateway to issue a chargeback or refund, depending on the case. See the refund policy for the procedure.