PCI Compliance {#uc_pci_compliance}
===================================

The least burdensome level of Payment Card Industry (PCI) compliance is [Self-Assessment Questionnaire A (SAQ-A)](https://www.pcisecuritystandards.org/documents/SAQ_A_v3.pdf ""). To be compliant with SAQ-A, you must securely capture sensitive payment data with a validated payment provider. `Unified Checkout` meets this requirement by rendering secure iframes hosted by `Visa Acceptance Solutions`. Payment data is submitted directly to `Visa Acceptance Solutions` and never touches your systems.

Security Architecture
---------------------

`Unified Checkout` uses many layers of protection to be compliant with PCI SAQ-A guidelines:
* **Iframe isolation**: All payment UI renders inside cross-origin iframes hosted by `Visa Acceptance Solutions`. Your page cannot access payment data within the iframe due to the browser's same-origin policy.

* **Origin verification**: The SDK validates that the hosting page origin matches the `targetOrigins` declared in the session.

* **Immutable API**: The client interface returned by `VAS.UnifiedCheckout()` is frozen with `Object.freeze()`. This prevents runtime tampering.

* **Closure-based privacy**: The internal SDK state is not accessible from outside the SDK. There are no public properties that expose session data or credentials.

* **Short-lived tokens**: The session and transient tokens expire after a short period, limiting the window for misuse.

Because `Unified Checkout` handles payment data capture within secure iframes, your page never receives, processes, or stores cardholder data. This means that you qualify for SAQ-A rather than the more burdensome SAQ A-EP or SAQ D, and your PCI audit scope is significantly reduced compared to direct API integrations.

Even though `Unified Checkout` handles the payment data, you must still do the following to remain SAQ-A compliant:

* All pages that load the SDK must use Transport Layer Security (TLS).

* You must restrict which domains can load scripts and frames. For information about the required directives, see [Security Recommendations](/docs/vas/en-us/unified-checkout/developer/all/rest/unified-checkout/uc-appendix/uc-security-recs.md "").

* You must generate a new session for each checkout and restrict `targetOrigins` to only your domains.

* You must send transient tokens to your server over HTTPS and verify their signatures before authorizing payments.
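The origin verification against `targetOrigins` and the frozen client interface described above, shown as an added JavaScript illustration that is not the Unified Checkout SDK's own code: `normalizeOrigin`, `isAllowedOrigin`, `createCheckoutClient`, `tamperingRejected` and the sample origins are assumptions chosen for the example. It demonstrates why the comparison must be an exact origin match rather than a substring or suffix match, and why a frozen interface cannot have its methods swapped at runtime.

```javascript
// Added illustration (not the Unified Checkout SDK's code): exact-origin
// matching of the kind an SDK performs against `targetOrigins`, plus a
// check that a frozen client interface rejects runtime tampering.

// Reduce a URL or origin string to its exact scheme://host[:port] origin.
// Anything that is not a valid absolute URL yields null.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Exact match only: "https://shop.example.com" is allowed solely when that
// precise origin is listed. A substring or endsWith() comparison would also
// accept "https://shop.example.com.evil.test" or a non-TLS origin.
function isAllowedOrigin(pageOrigin, targetOrigins) {
  const page = normalizeOrigin(pageOrigin);
  if (page === null || !page.startsWith("https://")) return false;
  return targetOrigins.some((t) => normalizeOrigin(t) === page);
}

// Build a client the way a closure-based SDK might: session state lives in
// the closure, and the returned interface is frozen so a caller (or a script
// injected into the page) cannot replace its methods.
function createCheckoutClient(sessionConfig) {
  const allowed = Object.freeze([...sessionConfig.targetOrigins]); // closure state
  return Object.freeze({
    originAllowed: (origin) => isAllowedOrigin(origin, allowed),
  });
}

// Returns true when overwriting a method on the frozen client has no effect
// (the assignment throws under "use strict" and is ignored otherwise) and the
// original method is still the one exposed.
function tamperingRejected(client) {
  const original = client.originAllowed;
  try {
    client.originAllowed = () => true; // attempted runtime tampering
  } catch (e) {
    // TypeError in strict mode: the frozen object refused the write
  }
  return Object.isFrozen(client) && client.originAllowed === original;
}

// Constructed sample session: only the merchant's own HTTPS origin is listed.
const sampleClient = createCheckoutClient({ targetOrigins: ["https://shop.example.com"] });
```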

