
Query about EMail received from TSYS/Propay re "PCI DSS Compliance"


  • CnP.Support
    *** We are not aware of the ProPay email and have inquired about it. We will update this post once we find out ***

    Good day!

    Sorry, I am surprised this question has not been answered. Strange.

    In general, PCI has 3 main points that need to be thought of - and if ANY of the following is done by your server then you are in PCI scope and should be certified.
    • Storage
    • Transmission
    • Processing
    Storage: If you are not storing any credit card information anywhere on your server then the answer is NO
    Transmission: Since you are using CONNECT forms the transmission is done through our forms. You are not transmitting and as such are not vulnerable with man-in-the-middle attack.
    Processing: If you are using our forms then we are processing and as such the answer is NO

    Your forms, if embedded, are fully included in our PCI scope. You do not need to be PCI certified to use our forms. BUT! Let me answer this for the "good" of your organization and NOT as much for accepting credit cards.

    When you are PCI certified, at any level, it helps you with identifying possible issues with your network, servers, etc. PCI certification has 4 levels - read this:

    PCI Level 4, which the majority of nonprofits fall into, requires a self-assessment and not a third-party company validating you. Knowing the Level 4 guidelines and adhering to those standards and practices is good no matter what you do. So we highly encourage all clients to do the self-assessment and be aware of what is happening in their network.

    As for third parties? Ask yourself what happens if your server is hacked. One morning you wake up and you see a nasty message on your website? Don't you wish you had known of that issue beforehand?

    It is simple: to be scanned by third parties at a minimum cost may be the best investment you have made. Security is not an option that we need to impose on you but one that you need to impose on yourself.

    For example:

    The above was just some thoughts.

    Please note that if you are using the FaaS forms, Gravity Forms, WooCommerce, and all 3rd party apps that are NOT in our scope, then you are in the PCI scope and need to be certified as you are transmitting and may (MAY) be storing data since we have no control over what you may be doing from the time the data is collected to the time you post the data.

    I hope that helps answer the question, and sorry that we have missed this post.

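    One way to check the distinction CnP.Support draws above (your server is in scope if it stores, transmits or processes card data; an embedded CONNECT form keeps that on the provider's side, while a form plugin that posts card fields through your own site does not) is to scan your own pages for forms whose card-looking fields submit to your own origin. The script below is an added example, not Click & Pledge code; the site URL, provider hostname and field-name hints are constructed assumptions, and the HTML samples are constructed to show one in-scope form and one hosted (iframe) form.

```python
"""Flag forms that would route cardholder data through your own web server.

Added example (not Click & Pledge's code). Assumptions, all constructed:
 - the page being checked is served from https://www.example.org
 - the provider's hosted form lives on a different origin
 - input names containing the hints below collect cardholder data
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic: substrings in an <input name> that suggest card data (constructed list).
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_month", "exp_year")


class FormCollector(HTMLParser):
    """Record each <form>'s action and input names, plus every <iframe src>."""

    def __init__(self):
        super().__init__()
        self.forms = []     # [{"action": str, "fields": [input names]}]
        self.iframes = []   # src attribute of each embedded frame
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_card_data(fields):
    """True if any field name looks like it holds cardholder data."""
    lowered = [f.lower() for f in fields]
    return any(hint in f for f in lowered for hint in CARD_FIELD_HINTS)


def classify_page(html, page_url):
    """Return [(kind, resolved target URL, routed_through_own_server)].

    A form with card-looking fields whose action resolves to the page's own host
    means your server transmits (and maybe stores) card data: in scope.
    An iframe from another origin is a hosted form: the card data never
    reaches your server, which is the "embedded forms" case in the post.
    """
    parser = FormCollector()
    parser.feed(html)
    own_host = urlparse(page_url).netloc
    findings = []
    for form in parser.forms:
        if not collects_card_data(form["fields"]):
            continue  # newsletter forms etc. are irrelevant to card scope
        target = urljoin(page_url, form["action"])
        findings.append(("form", target, urlparse(target).netloc == own_host))
    for src in parser.iframes:
        target = urljoin(page_url, src)
        findings.append(("iframe", target, urlparse(target).netloc == own_host))
    return findings


# Constructed sample pages: one self-hosted donation form, one provider-hosted frame.
SAME_ORIGIN_PAGE = """<html><body>
<form action="/donate/process" method="post">
  <input name="amount"><input name="card_number"><input name="cvv">
</form></body></html>"""

HOSTED_PAGE = """<html><body>
<iframe src="https://payments.example-provider.test/connect/form/123"></iframe>
<form action="/newsletter" method="post"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("self-hosted", SAME_ORIGIN_PAGE), ("hosted", HOSTED_PAGE)):
        for kind, target, own in classify_page(page, "https://www.example.org/donate"):
            print(f"{name}: {kind} -> {target} {'IN SCOPE' if own else 'provider side'}")
```

    Run it against saved copies of your donation and event pages; any "form ... IN SCOPE" line is a page where card fields post back to your own server, which is exactly the Gravity Forms / WooCommerce situation the post says puts you in PCI scope. The field-name check is a heuristic, so treat a clean result as a prompt to verify, not as proof.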

    Please give us clear answers. We are using Click and Pledge connect forms and Click and Pledge Events. We include the links on our website.

    Do we need our website to be PCI compliant?



  • olywebdev
    It looks like this has been addressed but not answered completely with this post:

    Essentially what I think is happening is if you use the Click&Pledge Gravity Forms plugin you have to be PCI certified, which most regular WordPress hosts like WPEngine are not. If you use the embedded forms from Click&Pledge then you are.


  • olywebdev
    We received the same email. We're using Click&Pledge so we DON'T have to deal with this sort of certification. This is Click&Pledge's job. Why are we receiving this??


  • Query about EMail received from TSYS/Propay re "PCI DSS Compliance"

    We've received an EMail (see below) from TSYS re "PCI DSS Compliance".

    Is this something which C&P deals with (since we are using C&P to handle credit cards)? Do we need to do anything?


    Bill Meier

    [First part of the email]
    Dear Valued Customer,

    Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements established to ensure that all merchants who process, store or transmit payment card information maintain a secure transaction environment. It’s important to remember that PCI DSS compliance protects both you and your customers.

    In order to ensure you have access to the resources and tools that help secure your business and ensure you are PCI DSS compliant, we partner with independent PCI validation companies. We have partnered with ControlScan to provide these services. Effective in November 2020, ControlScan is making an update to the user interface that you log into. Be assured, you will have access to the same great PCI related tools and services and we will work diligently to provide a smooth transition.