PCI DSS Scope Validation Report
Annual PCI DSS Scope Validation Report
SAQ Classification: SAQ-D (Merchant)
Why SAQ-D Applies
PebblePay qualifies for SAQ-D because we process and transmit cardholder data through our systems to the payment gateway (UniquePay). However, we operate under a Process/Transmit Only model with zero storage of sensitive cardholder data:
- PROCESS: We collect card data via secure HTTPS forms and process it in memory
- TRANSMIT: We transmit encrypted card data to UniquePay gateway via TLS 1.3
- NO STORAGE: We NEVER store PANs, CVVs, expiry dates, or track data - data exists only in transit
- TOKENIZATION: Payment gateway returns tokens which we store instead of card data
Payment Flow (SAQ-D)
- Customer enters card on our secure checkout (HTTPS)
- Card data encrypted immediately (TLS 1.3)
- Encrypted data transmitted to UniquePay gateway
- Gateway processes payment, returns token
- We store token + masked data only (last 4, brand)
- Full card data never written to disk/logs/DB
What We Store vs. Don't Store
| We Store | We Do NOT Store |
|---|---|
| Payment token/reference ID | Full PAN (card number) |
| Last 4 digits (masked) | CVV/CVC/security code |
| Card brand (Visa, MC, etc.) | Expiry date, PIN, track data |
| Transaction amount/status | |
1. System Inventory Reviewed
The following systems have been identified as in-scope for PCI DSS compliance:
| System | Provider | Function | In Scope |
|---|---|---|---|
| Web Application | PebblePay (Next.js) | Payment page, checkout, merchant dashboard | Yes (CDE) |
| Database | Neon (PostgreSQL) | Stores merchant data, transactions (no PAN) | Yes |
| Hosting / CDN | Vercel | Application hosting, edge network, TLS termination | Yes |
| Payment Gateway | UniquePay | Card processing, tokenization, settlement | Yes (TPSP) |
| Email Service | Resend | Transactional emails (no cardholder data) | Connected |
2. Data Flow Review (SAQ-D - Process/Transmit Only)
The payment data flow has been reviewed and confirmed to meet SAQ-D requirements with zero storage:
Payment Data Flow (Process & Transmit - No Storage):
- Customer accesses PebblePay checkout page over HTTPS (TLS 1.3 enforced)
- Customer enters card details into our secure payment form
- Card data is immediately encrypted before submission
- Encrypted data transmitted to our server via TLS 1.3 connection
- Server processes card data in memory only - never written to disk, logs, or database
- Card data immediately forwarded (encrypted) to UniquePay gateway API
- Gateway processes payment and returns: token, last 4 digits, card brand, status
- PebblePay stores ONLY the tokenized response - full PAN discarded from memory
- Transaction complete - no sensitive card data persists anywhere in our systems
Key SAQ-D Compliance Point
As an SAQ-D merchant, we process and transmit cardholder data through our systems. However, we maintain a strict zero storage policy: card data exists only in encrypted transit between the customer, our servers, and the payment gateway. All data is encrypted for confidentiality and immediately discarded after transmission. We store only tokenized references provided by the gateway.
3. CDE Boundary Review (SAQ-D)
The Cardholder Data Environment (CDE) boundaries have been reviewed for SAQ-D compliance:
CDE Components (In-Scope for SAQ-D):
- Checkout pages (/checkout/*) - Card data entry point, encrypted forms
- Payment API routes (/api/checkout/*) - Card data processing and transmission to gateway
- Server memory during payment processing - Transient only, cleared immediately after gateway response
- TLS termination layer - Handles encrypted card data in transit
Systems Confirmed NOT Storing PAN (Out of CDE for Storage):
- Neon PostgreSQL database - Only stores tokens and masked data (last 4 digits, brand)
- Vercel logs - PAN detection and automatic redaction implemented; card data never logged
- Audit logs - No cardholder data captured; only transaction IDs and amounts
- Email notifications - No cardholder data included in any emails
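The log redaction control listed above, as an added example that is not PebblePay's or Vercel's own code: digit runs of 13-19 (spaces or dashes allowed) are masked only when Luhn-valid, so order IDs and timestamps survive, and the masked form keeps only the last 4 to match the storage policy. The sensitive JSON key names are an assumption, since a CVV or expiry cannot be recognised by pattern alone.

```javascript
// Added example, not the project's own code: a log-line PAN redaction filter.

// Luhn check over a digits-only string.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13-19 digits, optionally grouped by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Assumed field names for values a pattern cannot recognise (a 3-digit CVV looks
// like any other number); these are blanked wherever they appear as JSON keys.
const SENSITIVE_KEYS = /("(?:cvv|cvc|cvv2|securityCode|expiry)"\s*:\s*")[^"]*(")/gi;

// Redact a single log line: mask Luhn-valid PANs to last 4, blank sensitive keys.
function redactLine(line) {
  const masked = line.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match; // not a card number, leave it alone
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
  return masked.replace(SENSITIVE_KEYS, '$1[REDACTED]$2');
}

// Constructed sample lines using well-known test card numbers, not real accounts.
const SAMPLE_LINES = [
  'checkout: received card 4111 1111 1111 1111 for order 2026030712345678',
  'gateway: token tok_abc123 last4=1111 brand=visa status=approved',
  'debug: raw body {"pan":"5555-5555-5555-4444","cvv":"123","expiry":"12/29"}',
];

function redactAll(lines) {
  return lines.map(redactLine);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const l of redactAll(SAMPLE_LINES)) console.log(l);
}
```

The filter is a safety net behind the primary control, which is that payment routes never log request bodies in the first place.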
4. Third-Party Review
All third-party service providers have been reviewed for continued PCI DSS compliance:
| Provider | Service | PCI Status | Last Verified |
|---|---|---|---|
| Vercel | Hosting, CDN, Edge Network | PCI DSS Compliant | 7 March 2026 |
| Neon | PostgreSQL Database | SOC 2 Type II | 7 March 2026 |
| UniquePay | Payment Gateway, Card Processing | PCI DSS Level 1 Service Provider | 7 March 2026 |
| Supabase | Authentication | SOC 2 Type II | 7 March 2026 |
5. Segmentation Review
Network segmentation status has been reviewed:
Segmentation Status: Logical Segmentation
Because the application is cloud-native and serverless, traditional network segmentation is replaced by logical segmentation controls:
- All traffic encrypted via TLS 1.3 (enforced by HSTS)
- Database access restricted to application service only (connection pooling)
- No direct database access from public internet
- API routes protected by authentication middleware
- Admin functions require elevated privileges and 2FA
- Payment endpoints have additional rate limiting and validation
6. Conclusion
Based on this annual review, no changes to PCI DSS scope have been identified.
- SAQ-D classification confirmed: Process/Transmit only with zero storage
- All in-scope systems have been documented and verified
- Data flows remain consistent with documented architecture
- CDE boundaries are correctly defined and maintained
- Third-party providers maintain required compliance certifications
- Compensating controls are in place where traditional segmentation does not apply