Knowledge BaseSecurity Measures & Privacy Policy

Security Measures & Privacy Policy

Sana Commerce 9.2
Your connector

PCI Compliance

PCI compliance simply means that the shop owner's business meets the requirements established by the Payment Card Industry (PCI) Security Standards Council. The council is run by the five major credit card companies - Visa, MasterCard, Discover, American Express and JCB International - and is responsible for enforcing the PCI Data Security Standards (PCI DSS).

Sana Commerce and PCI compliance

PCI compliance is the responsibility of the shop owner. Sana Commerce cannot be PCI-DSS certified, as the PCI-DSS guidelines address the business (and not the software application). However, this does not prevent a Sana Commerce shop owner from becoming PCI compliant.

Regarding the PCI-DSS requirements: many of the PCI requirements are beyond the scope of Sana Commerce, but fall into the area of business policies/best practices for the shop owner to comply with. You can find the latest requirements here.

How Sana Commerce helps its merchants to be PCI compliant

Sana Commerce makes PCI compliance easier by offering integrated payment gateways that allow shop owners to securely transmit credit card data via either the hosted payment forms provided by the payment gateway, and/or tokenized payment methods that integrate with the shop owner's checkout pages. The payment methods offered by Sana Commerce allow shop owners to offer a seamless checkout.

Sana Commerce keeps sensitive cardholder data outside of the Sana Commerce server: all processing of cardholder data is entirely outsourced to the validated third-party service providers. Sana Commerce does not electronically store, process, or transmit any cardholder data on its systems or premises, but relies entirely on the connected payment provider(s) to handle all these functions.

The advantage of this approach is that this enables updates to Sana Commerce with new features without having to go through PCI compliance re-assessment of the Sana Commerce platform. Given this efficient and secure approach, Sana Commerce shop owners can apply for compliance via self-assessment through the applicable PCI SAQ A or PCI SAQ A-EP form (instead of the more cumbersome SAQ D level). You can find more information about the self-certification here.

Knowledge BaseSecurity Measures & Privacy Policy