I'd also like to know the answer to this question

Good day!

Apologies for having missed this. This requires a bit of detailed explanation and is not a YES or NO answer.

A good source: https://www.pcicomplianceguide.org/pci-faqs-2/

In general if any of the following 3 actions are taken by someone accepting credit cards, that someone needs to be PCI certified and naturally compliant. Being compliant, in general is what everyone needs to be and knowledge of PCI will go a long way to ensure the organization is security aware.

As for the actions:

1. Storage
2. Transmission
3. Processing

Storage:

Under no circumstances an organization should store the credit card information. Event at Click & Pledge we do not store the credit card. We tokenize the cards and use the tokens and the tokens are absolutely useless if compromised since using it require knowledge of a lot of other codes as well as access to 3 separate databases with 3 different companies. No single part of data can possibly be of any use. Even if all the 3 database are compromised the only action that can take place is to charge the card to the organization that was the account charged to start with. As an organization you should NOT store the card and given you are using our forms you are not in a position to save it. In GravityForm and other 3rd party apps the CC is also not saved anywhere in the system.

In summary: if you are not storing then you are not in scope for this step.

Transmission:

All networks that are involved in the transmission are within the scope of PCI. If you are using a native form then your network is in scope. If you use our forms then you are not in scope. Simple. Is your form being used to transmit the data and if the answer is yes then you may be susceptible to the key logging, etc. viruses that may reside on your network. In most cases, the servers that are hosting the GravityFrom or any other 3rd party forms, are in scope and should be PCI compliant.

Processing:

Considering that you are a C&P client, we are the one that is processing so you do not fall in scope for this.

Having covered the 3 legs of PCI, now we have to answer the question of what to do if any of the above actions is being taken by our form. In this case the transmission.

Based on your volume you need to satisfy certain requirement, if the gateway asks you to become compliant.

See: https://www.pcicomplianceguide.org/pci-faqs-2/#4

Most organizations are level 4 and as such require self assessment. This is a document that is sent by the gateway or bank asking you to self verify & answer about 4 pages of questions. The questions are fairly simple and common sense, e.g. Are you using anti-virus on the servers, are you changing password every 90 days, are you storing credit card anywhere in the system, etc. If any of these answers are not within the guidelines mandated by the standards you will be asked to follow a family of other steps. As stated, PCI is nothing but complying to common sense when it comes to security.

Click & Pledge is PCI level 1 certified. Level 1 is the same as level 4 but not self assessed. To be level 1 we go through monthly scans and are monitored in real-time by a third party for compliance. We also have annual site visits and go through quarterly controlled attacks and penetration tests. In other words, we are audited by a third party for every single question that you answer in a level 4.

We can gladly answer any other questions you may have.

Following up with this question. We're using Gravity Forms on WPEngine as well. For other payment processors like Stripe and PayPal they have a Gravity Forms add on that ensures transmission is not done through our site. It's similar to an iframe in that the credit card field is generated by their service so all field data is transmitted by their service not our site. That means our WPEngine hosted site doesn't fall within PCI compliance for transmission.

In the post above are you essentially saying your forms are handled by your service but the Gravity Form's plugin you have doesn't do this? That we are transmitting sensitive customer data through our WPEngine hosted site?

Specifically referencing this part of your response:

"All networks that are involved in the transmission are within the scope of PCI. If you are using a native form then your network is in scope. If you use our forms then you are not in scope. Simple. Is your form being used to transmit the data and if the answer is yes then you may be susceptible to the key logging, etc. viruses that may reside on your network. In most cases, the servers that are hosting the GravityFrom or any other 3rd party forms, are in scope and should be PCI compliant."