Service available
H Abudhabibuscard Hafilat top-up · Abu Dhabi

Security note

How the card data is handled.

This page is the plain-English version of how a card payment is processed on the Hafilat top-up desk. The detailed legal version is in the terms and the privacy notice.

1 · Two separate sites

The recharge form lives on abudhabibuscard.com. The card form lives on a different subdomain, checkout.abudhabibuscard.com, on a different store. Card data is entered only on the second one. The first site never receives the card number, the expiry, the security code or any 3-D Secure data.

2 · TLS on every request

Every request to either site is encrypted in transit with TLS 1.2 or 1.3. The browser shows the lock icon as a result. There is no plain-text endpoint on either domain.

3 · Bank prompt for every card payment

After the card form validates the entered data, the issuing bank decides whether to authorise the payment through a 3-D Secure prompt. The bank does its own check — usually a one-time SMS code, a confirmation tap inside the bank's mobile app or a biometric on the device. The card desk does not see and does not store the value entered into the prompt.

4 · What we keep on our side

  • Order ID, the AED amount, the currency code.
  • The 13-digit Hafilat ID and the chosen card type.
  • The mobile number for the receipt SMS.
  • An opaque token returned by the card processor — proof that the payment was authorised.
  • Server timestamps for audit and refund handling.

5 · What never reaches our side

  • The 16-digit card number.
  • The card expiry month and year.
  • The three-digit security code on the back of the card.
  • The 3-D Secure password, the SMS code or the biometric token.
  • The bank account number or IBAN behind the card.

6 · No marketing pixels

The two sites do not load any third-party advertising or analytics script. No cross-site cookies, no tracking pixels, no fingerprinting. The only cookies in use are listed in the cookie policy.

7 · Suspicious activity

If a card is used in a way that looks like fraud — many failed attempts in a row, mismatched country, abnormal velocity — the card processor on its side may decline the order before it reaches the bank. The desk co-operates with any reasonable evidence request from the issuing bank in case of a chargeback dispute.

8 · How to report a problem

If you spot a charge that does not look right, call your bank first. Then send the order ID and a short description through the contact form on the next working day. The desk replies on the same day; the refund flow follows the refund policy.

9 · What we do not promise

The desk is a small forwarding service. It is not a bank, it is not a card processor, it is not the Integrated Transport Centre. We do not advertise PCI DSS compliance levels, certificates or audit numbers — that scope belongs to the card processor on the back of the card desk and to the bank. The trust marks in the footer are advisory only and do not claim membership of any specific scheme.

10 · Where to verify the connection

Look at the address bar — the lock icon and the host name abudhabibuscard.com (or checkout.abudhabibuscard.com on the card desk) confirm the secure connection. Any other host name is not us.