Security, Privacy & PCI Compliance

How Stayker protects payment and guest data.

Stayker is the travel platform behind the event — powering official hotel programs for its partners. This document describes how our platform handles cardholder data, where our compliance obligations begin and end, and the controls behind our booking products. It is prepared for partner and procurement review.

PCI DSS

SAQ D self-assessmentCompleted October 2025 · renewed annually

Cardholder data

Last 4 digits onlyFull card transmitted to book — never retained

Merchant of Record

Service fee onlyNever the hotel-stay charge

Encryption

In transit & at restTLS 1.2+ · managed key storage

01

What Stayker is

Stayker is the travel platform behind the event. Partners and their clients run official event hotel programs through their own branded portals; Stayker provides the booking infrastructure, payments, and hotel fulfillment, while the partner keeps the brand and the guest relationship. Guests can create a persistent account that saves their profile and payment method for faster rebooking; saved card data is held only as a token — never touched or stored in the clear by Stayker. The platform runs on managed, secure cloud infrastructure.

Two products are in scope for this document: live-inventory booking (real-time hotel availability and individual reservations for an event's official hotels) and group housing (managed room blocks with attendee sub-blocks, approval workflows, and rooming-list delivery to hotels).

02

PCI DSS posture

Stayker completed a PCI DSS SAQ D self-assessment in October 2025 and renews it annually; the current assessment is on cycle for renewal in October 2026. SAQ D is the most comprehensive self-assessment questionnaire under the PCI DSS — Stayker assesses against the full control set rather than relying on a narrower questionnaire.

Today, a live booking's card is transmitted over TLS directly to the hotel-distribution system to complete the reservation. Stayker does not store the full card number — only the last four digits are retained for reference — and never stores the CVV. Because the platform transmits cardholder data during a booking, it assesses against the full SAQ D control set. The booking service fee is processed by Stripe within Stripe's PCI DSS Level 1 environment.

Scope reduction in progress. Stayker is deploying tokenization — capturing cards in a certified PCI DSS Level 1 provider's embedded element so the full card no longer transits Stayker's systems — currently in a staging environment and scheduled to go live by September 1, 2026. An Attestation of Compliance and the supporting SAQ D are available to partners under NDA on request.

Scope note for partner review. A partner's compliance review of Stayker is scoped to PCI compliance and payment-data handling. Disaster-recovery (RTO/RPO) commitments and general infrastructure audit are tracked separately and are outside the PCI scope of this document.

03

How cardholder data is handled

For a live booking today, the guest enters their card on a secure Stayker checkout page, and the card is transmitted over TLS directly to the hotel-distribution system to place the reservation. Stayker does not persist the full card number — only the last four digits are stored, for reference and display — and the CVV is never stored.

The booking service fee is charged separately through Stripe's hosted payment fields, so that transaction is handled inside Stripe's PCI DSS Level 1 environment.

When a guest saves a payment method to a persistent account, the card is stored only as a token held by a certified PCI DSS Level 1 provider — Stayker never touches or stores the underlying card.

Tokenization (rolling out). For live bookings, Stayker is moving card capture into an embedded element served by a certified PCI DSS Level 1 provider, so the card is exchanged for a token at entry and no longer transits Stayker's systems. This is in staging today and scheduled to go live by September 1, 2026.

Data Stayker never stores

Full card number — only last 4 stored CVV / CVC Card expiry in cleartext Magnetic-stripe / chip data
04

Merchant-of-Record scope

This distinction is central to understanding Stayker's payment obligations and is consistent across every booking path:

✓ Stayker is Merchant of Record for

The booking service fee only — Stayker's own revenue, charged via Stripe's hosted payment elements. This is the single transaction for which Stayker is the merchant.

— Stayker is NOT Merchant of Record for

The hotel-stay / room charge, on any path. That transaction is between the guest and the hotel: the guest's card is vaulted as a token and handed to the hotel, and the hotel charges the guarantee or stay against it.

Because Stayker is never the merchant for the room charge, the stay transaction does not settle through Stayker; the guest's card is used only to place the reservation, and Stayker does not store the full card number.

05

Group-housing data flow

In group housing, the attendee's card is collected for the reservation and provided to the hotel through the rooming-list process — into the hotel's own PCI-compliant card-handling environment for guarantee and check-in. Stayker does not store the full card number, and there is no hotel-facing plaintext "reveal" of the card on a Stayker-controlled screen.

Under the tokenization model rolling out for September 1, vaulted card tokens carry an expiration timestamp; once it passes, the token is automatically purged and is no longer retrievable. Tokens are purged once they are no longer operationally needed.

Where PCI responsibility shifts. Card data protection is the responsibility of whichever party comes into contact with it. Once a hotel takes possession of the card on its own side — through its central reservation system or card environment — responsibility for that cardholder data sits with the hotel. Throughout, Stayker holds only a token reference, not a card, and only for as long as the guarantee handoff requires.

06

Infrastructure & encryption

Hosting

Stateless application containers on Google Cloud, behind managed TLS termination.

Database

Managed relational database with encryption at rest and automated backups.

Encryption in transit

TLS 1.2+ enforced on all external connections, including all provider traffic.

Secret management

API keys and private credentials stored in a managed secrets vault — never in source control or container images.

File storage

Documents and assets in access-scoped object storage. No cardholder data is stored in object storage.

Card data in transit

Card data is transmitted over TLS to complete a booking and is not persisted — only the last four digits are stored. Tokenization to remove the full card from Stayker's systems is rolling out (see §03).

07

Access control & auditing

08

Application security

09

Incident response & breach notification

Stayker maintains processes to detect, investigate, and respond to security incidents. Card-related actions are traceable through the audit log described in §07, which records booking and payment-method activity by reference and actor — never the full card number.

In the event of a confirmed security incident affecting a partner's data, Stayker will notify the affected partner without undue delay and coordinate on containment and remediation. Because Stayker does not store full card numbers — only the last four digits are retained — its data stores are not a repository of usable cardholder card numbers.

10

Data retention & privacy

Retention follows Stayker's published Privacy Policy. Booking personal data (name, email, phone) is retained for six months after checkout and then deleted; anonymized, aggregated booking records are kept up to seven years for tax and accounting. Card data is never stored (§03); card tokens carry an expiration and are purged automatically. Guests and partners may request deletion of personal data.

Stayker's platform is hosted in the United States; guest and reservation data is processed and stored in-region.

International data protection. Stayker's Privacy Policy addresses the EU/UK GDPR and California's CCPA/CPRA — including the legal bases for processing, data-subject rights (access, correction, deletion, and objection), and international data transfers. Where personal data of EU/UK residents is transferred to the United States, it is handled under appropriate safeguards such as Standard Contractual Clauses (SCCs). Data-subject and deletion requests can be made through the contacts in the Privacy Policy.

11

Subprocessors

Stayker works with a limited set of vetted subprocessors, described below by function. Those that handle cardholder data are certified PCI DSS Level 1 providers. A full, named list is available to partners under NDA on request.

FunctionPurposeData handledCompliance
Card tokenization & vaultCard capture, tokenization, and secure vaultingCardholder data (PAN → token)PCI DSS L1
Payment processing (Stripe)Service-fee charge via hosted elementsCardholder data (service fee)PCI DSS L1
Cloud infrastructure & hosting (Google Cloud)Application hosting & managed databaseApplication & guest data (no PAN)No card data
CommunicationsSMS & email notificationsContact dataNo card data
CRM & marketingInquiries & event landing pagesMarketing contact dataNo card data
12

Contact & confidentiality

CONFIDENTIAL — prepared for partner and procurement due diligence; not for public distribution. © 2026 WPF Holdings, LLC d/b/a Stayker.