Our payment provider has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
SSL and HSTS
Our provider forces HTTPS for all services, which are regularly audited. The audit includes: the certificates served, the certificate authorities used, and the ciphers supported. HSTS is used to ensure browsers interact only over HTTPS. Our provider is also on the HSTS preloaded lists for both Chrome and Firefox.
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of our payment providers internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. The infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn't share any credentials with any other primary service (API, website, etc.).