Sensitive Authentication Data and PCI-DSS - Payment processing

Using the Payments API to send payment card data means that you will be capturing, transmitting, and possibly storing credit/debit card data. The Card Schemes (Visa, Mastercard, American Express and others) do not permit the storage of Sensitive Authentication Data (track data and/or CVV2) post-authorisation, and such storage is prohibited under Requirement 3 of the Payment Card Industry Data Security Standard (PCI-DSS).

If you use the Payments API you will need to demonstrate that your systems handle this data securely and that you are taking full responsibility for your PCI-DSS compliance. This includes, but is not limited to, providing your current Attestation of Compliance certificate and evidence of a recent clean vulnerability scan. 

A list of approved Security Assessors can be found at: 

https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors 

For further information on PCI security standards, please visit the following web page: 

https://www.pcisecuritystandards.org