PCI Compliance

The least burdensome level of Payment Card Industry (PCI) compliance is Self-Assessment Questionnaire A (SAQ-A). To be compliant with SAQ-A, you must securely capture sensitive payment data with a validated payment provider. Unified Checkout meets this requirement by rendering secure iframes hosted by National Australia Bank. Payment data is submitted directly to National Australia Bank and never touches your systems.

Security Architecture

Unified Checkout uses many layers of protection to be compliant with PCI SAQ-A guidelines:
  • Iframe isolation: All payment UI renders inside cross-origin iframes hosted by National Australia Bank. Your page cannot access payment data within the iframe due to the browser’s same-origin policy.
  • Origin verification: The SDK validates that the hosting page origin matches the targetOrigins declared in the session.
  • Immutable API: The client interface returned by VAS.UnifiedCheckout() is frozen with Object.freeze(). This prevents runtime tampering.
  • Closure-based privacy: The internal SDK state is not accessible from outside the SDK. There are no public properties that expose session data or credentials.
  • Short-lived tokens: The session and transient tokens expire after a short period, limiting the window for misuse.

Because Unified Checkout handles payment data capture within secure iframes, your page never receives, processes, or stores cardholder data. This means that you qualify for SAQ-A over the more burdensome SAQ A-EP or SAQ D, and your PCI audit scope is significantly reduced compared to direct API integrations.
Even with all that Unified Checkout handles, you must still do the following to remain SAQ-A compliant:
  • All pages that load the SDK must use Transport Layer Security (TLS).
  • You must restrict which domains can load scripts and frames. For information about the required directives, see Security Recommendations.
  • You must generate a new session for each checkout and restrict targetOrigins to only your domains.
  • You must send transient tokens to your server over HTTPS and verify their signatures before authorizing payments.