
PCI Compliance Guidance

important

This documentation should be used only for guidance purposes and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.

Introduction

Welcome to the DNA Payments PCI DSS hub! We’ve built out this resource to help you understand and manage your requirements under PCI DSS when working with DNA Payments.

tip

If you have any questions, you can reach out to our team at: saqenquiries@dnapaymentsgroup.com.

PCI DSS was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.


DNA Payments' role in PCI DSS Compliance

PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that cardholder data is protected from theft, misuse, or unauthorized access. When a company is PCI compliant, it means their systems and processes meet strict security requirements for handling payment data. With DNA Payments’ standard integrations, most of the PCI DSS responsibilities—such as securing data in transit, encryption, and managing sensitive cardholder information—are handled by us. This reduces the compliance burden (or “scope”) for integrators, as they don’t need to manage as many of the technical and security controls themselves. In short, by integrating with DNA Payments, you offload much of the complexity of PCI compliance to our platform.

tip

The simplest way to be PCI compliant is to utilise the DNA Payments services for as much of the cardholder data processing as possible, i.e. never allow yourself access to unencrypted cardholder data.

important

DNA Payments assumes responsibility only from the point at which cardholder data enters our environment. Any systems, applications, or processes that capture or handle cardholder data before it reaches DNA Payments—such as web forms, mobile apps, or point-of-sale devices—remain within the PCI DSS scope of the integrator or merchant. Ensuring that these entry points are secure and compliant is critical, as they represent the first line of defense in protecting cardholder data.

To clarify the division of responsibilities:

DNA Payments responsibilities

As per the core principles of PCI DSS, DNA Payments is responsible for ensuring the security of cardholder data from the moment it is received through one of our payment solutions. This includes securing the data during transmission, processing, and storage within our controlled environment, in line with PCI DSS requirements.

Integrators' responsibilities

Whilst DNA Payments takes ownership of PCI DSS compliance from the point at which cardholder data enters our systems, it is the responsibility of the integrator or merchant to ensure that the data is securely captured and transmitted up to that point. This includes securing any user interfaces, devices, or applications that collect cardholder data before it reaches DNA Payments. These components remain within the PCI DSS scope of the integrator and must be implemented in a compliant and secure manner.


Current Compliance Benchmark

In-person Payments

PCI-SAQ Requirement

DNA Payments Solutions Covered:

Implementation: axept® PRO
Details: DNA Payments solutions covered by our P2PE PIM.

e-commerce/Online Payments

PCI-SAQ Requirement

DNA Payments Solutions Covered:

Implementation: Host-to-Host
Details: Merchant processes, encrypts, transmits and potentially stores cardholder data.

Merchant Portal Payments

PCI-SAQ Requirement

DNA Payments Solutions Covered:

Implementation: Merchant Portal
Details: Merchant user processes a MOTO transaction by entering cardholder data directly into the fields within the DNA Merchant Portal.

PCI DSS Glossary

PCI DSS Abbreviation: Description
AOC: Attestation of Compliance - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC).
ASV: Approved Scanning Vendor - A company approved by the PCI SSC to conduct external vulnerability network scanning services.
CDE: Cardholder data - At minimum, cardholder data consists of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date and/or service code.
PCI-DSS: Payment Card Industry Data Security Standards.
PCI SSC: Payment Card Industry Security Standards Council.
POI: Point of Interaction - The initial point where cardholder data is read from a card, typically a payment terminal.
PTS: PIN Transaction Security - PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals.
QSA: Qualified Security Assessor - A company which is qualified by the PCI SSC to perform PCI DSS onsite assessments.
ROC: Report on Compliance - Report documenting detailed results from an entity's PCI DSS assessment.
SAD: Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions, such as CAV2, CVC2, CID and CVV2.
SAQ: Self-Assessment Questionnaire - Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.
TLS: Transport Layer Security - A network communications protocol designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is the successor of SSL.