Sana Pay

Sana Commerce 9.3
Your connector

PCI DSS Compliance Guide

The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.


This document should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.

When signing up for Sana Pay, Sana Commerce assists merchants with the registration process, including going through the required Know Your Customer (KYC) process, which also includes assistance with the PCI DSS requirements.

Introduction to PCI DSS

PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that when implemented correctly, helps you to protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks. Complying with the requirements helps you to maintain your shopper's trust.

As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that don't comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.

Before you continue, it's important to understand that:

  • PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).
  • PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate their compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.

Sana Pay Role in PCI DSS Compliance

Implementing PCI DSS in your business can be daunting, especially if you don't have an existing framework to protect sensitive information. To help reduce the scope of PCI DSS compliance, Sana Pay offers integrations that handle most of the PCI DSS requirements. The simplest way for you to be PCI compliant is to use our encrypted solutions - you never see and never have access to unencrypted cardholder data.

When you use our encrypted solutions, you are outsourcing most PCI DSS responsibilities to Sana Pay. However, because you accept credit card payments on your webstore, your integration with Sana Pay does not completely eliminate your PCI scope.

  • Sana Pay responsibility: Sana Pay is solely responsible for the security of cardholder data only as soon as Sana Pay receives the data through the relevant payment interface. After Sana Pay receives your shoppers' cardholder data, the data is contained in a PCI DSS Level 1 Service Provider Cardholder Data Environment.
  • Your responsibility: You are responsible for making sure that cardholder data is secure and protected before the data reaches Sana Pay. Depending on your integration, you also have to comply with cardholder data storage requirements.

Sana Pay is a PCI DSS Level 1 Service Provider, with PCI DSS compliance assessed by an independent Qualified Security Assessor (QSA) annually.

Validating Your PCI DSS Compliance

If you are accepting credit card payments, you have to validate your PCI DSS compliance annually. You can validate your compliance either by:

  • Completing a Self-Assessment Questionnaire (SAQ). You can use this option if you process less than 6 million transactions per acquiring region per year.
  • Engaging a Qualified Security Assessor (QSA) to complete a Report on Compliance (RoC) for you.

The requirements are the same and the same assessment is performed for both options. The only difference is that you complete the SAQ on your own, while the RoC is completed by a QSA.

Results of the assessment must be included in an official PCI SSC validation document and then provided to Sana Commerce. If you are using one of our encrypted solutions, we may contact you on an annual basis to complete a Self-Assessment Questionnaire using DocuSign.

Service Providers

Because Sana Pay processes your payments, Sana Pay is regarded as a Service Provider. Merchants will often engage with a number of different service providers for a variety of reasons. For example, you could engage a service provider to perform recurring payments, provide shopping cart solutions, or to facilitate subscription billing. By using service providers, you are transferring parts of your PCI DSS obligations towards them.

To carry out outsourced functions, service providers need access to your shoppers' cardholder data, making their PCI DSS compliance vital. When engaging a service provider, you are responsible for:

  • Making sure that the service provider is PCI DSS-compliant regardless of the type of service they are providing.
  • Identifying the functions each service provider is performing.
  • Ensuring that the service providers acknowledge their PCI DSS responsibilities.
Requirements When Using a Service Provider

If you are using a Service Provider who has access to your shoppers' cardholder data, you are outsourcing part of your PCI DSS responsibilities. You are required to:

  1. Ask your service provider for their Service Provider's Attestation of Compliance.
  2. Ensure that the service provider is registered with the schemes and is listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.

After you have collected your Service Provider's AoC and verified that they are registered with the schemes, you then need to provide Sana Commerce with:

  1. Names of the service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
  2. The Service Provider's Attestation of Compliance.

The use of service providers does not relieve you of the ultimate responsibility for your own PCI DSS compliance. You must manage the relationship with the service provider as described in PCI DSS requirement 12.8, including listing all the service providers you use, maintaining agreements and acknowledgement of responsibilities, carrying out due diligence prior to engagement, and monitoring the service provider's PCI DSS compliance status (by requesting their AoC every year).

PCI DSS Glossary

  • AOC - Attestation of Compliance - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC).
  • ASV - Approved Scanning Vendor - A company approved by the PCI SSC to conduct external vulnerability network scanning services.
  • CDE - Cardholder Data Environment - The people, processes and technology that collect, store, process or transmit cardholder data.
  • CHD - Cardholder data - At minimum, cardholder data consist of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date and/or service code.
  • PCI DSS - Payment Card Industry Data Security Standards.
  • PCI SSC - Payment Card Industry Security Standards Council.
  • POI - Point of Interaction - The initial point where cardholder data is read from a card, typically a payment terminal.
  • PTS - PIN Transaction Security - PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals
  • QSA - Qualified Security Assessor - A company which is qualified by the PCI SSC to perform PCI DSS onsite assessments.
  • RoC - Report on Compliance - Report documenting detailed results from an entity's PCI DSS assessment.
  • SAD - Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID and CVV2.
  • SAQ - Self Assessment Questionnaire - Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.
  • TLS - Transport Layer Security - A network communications protocol designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.