Good day!
Sorry I am surprised this question has not been answered. Strange..
In general, PCI has 3 main points that need to be thought of - and if ANY of the following is done by your server then you are in PCI scope and should be certified.
- Storage
- Transmission
- Processing
Transmission: Since you are using CONNECT forms, the transmission is done through our forms. You are not transmitting and as such are not vulnerable to a man-in-the-middle attack.
Processing: If you are using our forms then we are processing, and as such the answer is NO.
Your forms if embedded are fully included in our PCI scope. You do not need to be PCI certified to use our forms. BUT! let me answer this for the "good" of your organization and NOT as much for accepting credit cards.
When you are PCI certified, at any level, it helps you with identifying possible issues with your network, servers, etc. PCI certification has 4 levels - read this: https://usa.visa.com/support/small-b...ompliance.html
PCI Level 4, the category that the majority of all nonprofits fall into, requires a self-assessment and not a third-party company validating you. Knowing the Level 4 guidelines and adhering to those standards and practices is good no matter what you do. So we highly encourage all clients to do the self-assessment and be aware of what is happening in their network.
As for third party? Ask yourself what happens if your server is hacked? One morning you wake up and you see a nasty message on your website? Don't you wish you had known of that issue beforehand?
It is simple: to be scanned by third parties at a minimum cost may be the best investment you have made. Security is not an option that we need to impose on you but one that you need to impose on yourself.
For example: https://www.qualys.com/cloud-platform/
The above was just some thoughts.
Please note that if you are using the FaaS forms, Gravity Forms, WooCommerce, and all 3rd party apps that are NOT in our scope, then you are in the PCI scope and need to be certified as you are transmitting and may (MAY) be storing data since we have no control over what you may be doing from the time the data is collected to the time you post the data.
I hope that helps answer the question, and sorry that we have missed this post.