PCI Compliance Guidance
This documentation should be used only for guidance purposes and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.
Introduction
Welcome to the DNA Payments PCI DSS hub! We’ve built out this resource to help you understand and manage your requirements under PCI DSS when working with DNA Payments.
If you have any questions, you can reach out to our team at: saqenquiries@dnapaymentsgroup.com.
PCI DSS was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.
DNA Payments' Role in PCI DSS Compliance
PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that cardholder data is protected from theft, misuse, or unauthorized access. When a company is PCI compliant, it means their systems and processes meet strict security requirements for handling payment data. With DNA Payments’ standard integrations, the burden of PCI DSS responsibility is handled by DNA.
Merchants and Partners that work with DNA Payments have a simplified path to being PCI compliant, as we ensure the merchant (or partner) does not have access to unencrypted cardholder data.
DNA Payments assumes responsibility only from the point at which cardholder data enters our environment. Any systems, applications, or processes that capture or handle cardholder data before it reaches DNA Payments—such as web forms, mobile apps, or point-of-sale devices—remain within the PCI DSS scope of the integrator or merchant. Ensuring that these entry points are secure and compliant is critical, as they represent the first line of defense in protecting cardholder data.
To clarify the division of responsibilities:
DNA Payments responsibilities
As per the core principles of PCI DSS, DNA Payments is responsible for ensuring the security of cardholder data from the moment it is received through one of our payment solutions. This includes securing the data during transmission, processing, and storage within our controlled environment, in line with PCI DSS requirements.
Integrator responsibilities
Whilst DNA Payments takes ownership of PCI DSS compliance from the point at which cardholder data enters our systems, it is the responsibility of the integrator or merchant to ensure that the data is securely captured and transmitted up to that point. This includes securing any user interfaces, devices, or applications that collect cardholder data before it reaches DNA Payments. These components remain within the PCI DSS scope of the integrator and must be implemented in a compliant and secure manner.
Current Compliance Benchmark
In-person Payments
All DNA Payments card payment solutions are certified to P2PE (Point-to-Point Encryption). P2PE is a PCI-approved security standard that ensures cardholder data is encrypted immediately at the point of interaction, e.g. payment via our card terminal application. P2PE encrypts the data as it is captured at the point of interaction, turning the sensitive data into ciphertext that cannot be read or used without the secure key needed to decrypt it. It is designed to ensure the secure transfer of data between the merchant and the payment processor.
All major card methods such as Visa, Mastercard, American Express, etc. are covered under P2PE.
- PCI SAQ P2PE: v4.0.1 Self Assessment
e-commerce/Online Payments
- API Only
- Hosted Checkout/Payment Page
- Hosted Fields
- CMS Plugin
API Only
- PCI SAQ-D: v4.0.1 Self Assessment
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| Host-to-Host | Merchant processes, encrypts, transmits & potentially stores cardholder data. |
Hosted Checkout/Payment Page
- PCI SAQ-A: v4.0.1 Self Assessment
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| Full Redirect | Cardholder is redirected to DNA Payments hosted services when invoking the payment process through a Pay Now button action. |
| Lightbox | |
| Widget | |
| iFrame | |
Hosted Fields
- PCI SAQ-A: v4.0.1 Self Assessment
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| Embedded | Cardholder is utilising DNA Payments hosted services when entering sensitive card data into the Hosted Fields. |
CMS Plugin
- PCI SAQ-A: v4.0.1 Self Assessment
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| WooCommerce | The DNA CMS Plugins utilise either our Hosted Payment Page or Hosted Fields solutions. |
| Magento 2 | |
| PrestaShop | |
| BigCommerce | |
| OpenCart | |
Merchant Portal Payments
- Virtual Terminal
- Payment Links
Virtual Terminal
- PCI SAQ C-VT: v4.0.1 Self Assessment
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| Virtual Terminal | Merchant user processes a MOTO transaction by entering cardholder data directly into the fields within the DNA Merchant Portal. |
Payment Links
- Not Required
DNA Payments Solutions Covered:
| Implementation | Details |
|---|---|
| Pay-By-Link | Payment link sent directly to the cardholder for direct entry into a Hosted Payment Page. The merchant does not process, submit or store any sensitive cardholder data. |
PCI DSS Glossary
| PCI DSS Abbrev | Description |
|---|---|
| AOC | Attestation of Compliance - A form to attest the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). |
| ASV | Approved Scanning Vendor - A company approved by the PCI SSC to conduct external vulnerability network scanning services. |
| CDE | Cardholder data - At minimum, cardholder data consists of the full PAN (Personal Account Number), optionally accompanied by the cardholder name, expiration date and/or service code. |
| PCI DSS | Payment Card Industry Data Security Standard. |
| PCI SSC | Payment Card Industry Security Standards Council. |
| POI | Point of Interaction - The initial point where cardholder data is read from a card, typically a payment terminal. |
| PTS | PIN Transaction Security - PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals. |
| QSA | Qualified Security Assessor - A company qualified by the PCI SSC to perform PCI DSS onsite assessments. |
| ROC | Report on Compliance - Report documenting detailed results from an entity's PCI DSS assessment. |
| SAD | Sensitive Authentication Data - Security-related information used for authentication or authorization. SAD may refer to the 3- or 4-digit values on a card used to verify card-not-present transactions such as CAV2, CVC2, CID and CVV2. |
| SAQ | Self Assessment Questionnaire - Reporting tool used to document self-assessment results from an entity's PCI DSS assessment. |
| TLS | Transport Layer Security - A network communications protocol designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is the successor to SSL. |