Can I Trust RawCheats with My Payment Info?

Payment trust in this niche is a legitimate concern because the worst scam patterns specifically target buyer payment data. A clear-eyed look at our payment infrastructure — Stripe and BTCPay — explains why card details and crypto transactions are both safer here than they would be on a typical reseller marketplace.

Stripe routes cards through PCI DSS Level 1 infrastructure

Stripe is certified at PCI DSS Level 1, which is the highest tier of the Payment Card Industry Data Security Standard and the same compliance level required of major banks and processors. The mechanic that matters for us: when you enter card details on our checkout page, Stripe's JavaScript SDK collects them directly into Stripe's infrastructure. The raw PAN (primary account number), CVC, and expiration date never reach our application servers. We receive only a tokenized customer identifier and the Stripe-generated charge ID.

This is enforced by Stripe Elements — the iframe-isolated card entry component — and by Stripe's network rules. Even if our application server were fully compromised tomorrow, the attacker would find no card data because we do not store any. The same applies to Apple Pay and Google Pay transactions, which route through Stripe's tokenization layer.

BTCPay routes crypto non-custodially

BTCPay Server is open-source, self-hosted, and non-custodial. When you pay in BTC, ETH, LTC, or USDT, the transaction goes directly from your wallet to our cold storage address on-chain. There is no third-party processor in between holding the funds, no exchange custody, no risk that a payment-processor freeze blocks your transaction or freezes our payouts.

Non-custodial matters specifically because the custodial alternatives — services like BitPay or CoinPayments — keep your transaction tied to a centralized processor that can be compelled by publishers, by law enforcement, or by their own fraud-detection algorithms to share transaction details. BTCPay does not do that. The blockchain has the transaction, we have the on-chain confirmation, and the processor middle does not exist.

What we do retain

For Stripe transactions, we retain the customer ID, the charge ID, the last four digits of the card (which is what every legitimate business retains for dispute handling), the email address, and the subscription state. None of that is sufficient to reconstruct a card or initiate a new charge. Stripe holds the full card-on-file with its own encryption; we hold a pointer to it.

For BTCPay transactions, we retain the on-chain transaction hash, the receive address, the email address for license delivery, and the subscription state. The originating wallet address is visible on-chain but is not data we retain beyond what is publicly visible to anyone watching the blockchain.

What we never collect

• No government ID
• No proof of address
• No phone number (email-only contact)
• No real legal name (your billing name is whatever Stripe accepts from your card, which can be the cardholder's name or a nickname Stripe accepts — we never verify it)
• No biometric data
• No social security or tax ID for buyers (we have our own for the business entity, separate)

The Federal Trade Commission's data minimization guidance for online businesses recommends collecting only what is necessary for the transaction. We follow that aggressively.

How dispute handling works

For Stripe transactions, disputes route through Stripe's normal chargeback flow. If you chargeback a transaction, Stripe holds the disputed amount in escrow during the dispute window. We submit evidence (subscription activation timestamps, dashboard access logs) if we choose to contest, or we let the chargeback through. Either way, the only data exchanged is what Stripe's portal allows — there is no separate "send us your card photo" verification step that some fraud-prone processors require.

For BTCPay transactions, on-chain transactions are non-reversible by design. If a refund is needed, it issues as a fresh on-chain transaction from our wallet to a refund address you specify. This is covered in the refund policy in detail.

Why this matters relative to other cheat sites

The "vanishing-site" scam pattern usually runs direct Bitcoin payouts to anonymous addresses with no checkout layer at all. Buyers send BTC to an address from a Telegram message, receive nothing, and have no recourse. Running Stripe means a real legal entity that the processor knows, with fraud screening Stripe applies on every transaction. Running self-hosted BTCPay means we own the receive infrastructure and cannot be cut off by a processor freezing our merchant account.

Both routes deliver license keys to your email instantly after confirmation. Stripe confirms in seconds, BTCPay confirms after 1-2 on-chain confirmations (typically 10-30 minutes for BTC, faster for ETH/LTC).

For full pricing details across tiers, see how much RawCheats cost. For refund mechanics on either payment route, see can I get a refund from RawCheats.