Hello Simon,
I hope you're doing well. I'm writing to provide you with an update on the PCI DSS compliance status of SAP Commerce Cloud
The current PCI DSS v3.2.1 attestation for SAP Commerce Cloud is still valid. Even though the PCI DSS v3.2.1 standard was officially retired on March 31, 2024, the attestation does not expire. This means that if your organization's compliance requirements allow the use of an attestation under PCI DSS v3.2.1, there's no immediate concern and the existing documentation remains relevant.

However, if your organization's policies require certification under PCI DSS v4.0, I want to let you know that SAP Commerce Cloud is in the final stages of completing the PCI DSS v4.0.1 audit. We're awaiting approval from the auditor, which we expect to receive in the coming days.

It's worth noting that SAP Commerce Cloud, as a Service Provider, doesn't process, store, or transmit cardholder data. Therefore, individual customers are responsible for their own PCI compliance activities within their environments. This includes obtaining the necessary attestations and conducting periodic vulnerability scans as required.

You can request the PCI DSS AoC Report for SAP Commerce Cloud at the following link:SAP Commerce Cloud 2023 PCI DSS AoC Report

Once the new PCI DSS AoC Report is released, you'll be able to find it at the Compliance Document Finder.

For additional information, you can refer to the PCI Compliance - Help Portal.