
Security Measures & Privacy Policy

Sana Commerce 9.3

PCI Compliance

PCI compliance simply means that the shop owner's business meets the requirements established by the Payment Card Industry (PCI) Security Standards Council. The council is run by the five major credit card companies - Visa, MasterCard, Discover, American Express and JCB International - and is responsible for enforcing the PCI Data Security Standards (PCI DSS).

Sana Commerce and PCI compliance

Sana Commerce is PCI compliant and has successfully completed the applicable PCI tests under the supervision of a Qualified Security Assessor (QSA). Sana Commerce qualifies for the so-called "Self-Assessment Questionnaire D - Service Providers version 3.2.1".

PCI compliance is and remains the responsibility of the shop owner, but we make it easy for Sana Commerce shop owners to be compliant by providing the relevant documentation if needed.

If you need any PCI related documentation from Sana Commerce for your business or bank, we recommend that you contact us through Our PCI team will follow up with you.

Regarding the PCI DSS requirements: many of them are beyond the scope of Sana Commerce and instead fall into the area of business policies and best practices that the shop owner must comply with. You can find the latest requirements here.

Sana supports PCI compliance for the following Payment Service Providers (PSP):

  • Adyen
  • Authorize.Net
  • Buckaroo
  • ChargeLogic Connect
  • CyberSource
  • DIBS
  • Docdata (part of CM payments)
  • EBizCharge
  • eWAY
  • Ingenico
  • KBC Paypage
  • Midtrans
  • Mollie
  • Payfabric
  • PayPal Express Checkout
  • PayPal Payflow Link
  • PostFinance
  • Sage Pay
  • WorldPay
  • Wirecard

Sana supports PCI compliance for the following Sana versions:

  • Sana 9.3.x

How Sana Commerce helps its merchants to be PCI compliant

Sana Commerce makes PCI compliance easier by offering integrated payment gateways that allow shop owners to securely transmit credit card data via the hosted payment forms provided by the payment gateway and/or tokenized payment methods that integrate with the shop owner's checkout pages. The payment methods offered by Sana Commerce allow shop owners to offer a seamless checkout.

Sana Commerce keeps sensitive cardholder data outside of the Sana Commerce server: all processing of cardholder data is entirely outsourced to the validated third-party service providers. Sana Commerce does not electronically store, process, or transmit any cardholder data on its systems or premises, but relies entirely on the connected payment provider(s) to handle all these functions.

The advantage of this approach is that Sana Commerce can be updated with new features without having to go through a PCI compliance re-assessment of the Sana Commerce platform. Given this efficient and secure approach, Sana Commerce shop owners can apply for compliance via self-assessment through the applicable PCI SAQ A or PCI SAQ A-EP form. You can find more information about the self-certification here.
