PCI DSS Compliance

PCI DSS Defined

Payment Card Industry Data Security Standard (PCI DSS) applies to the fundraising and Peer-to-Peer portions of the Engaging Networks platform, and to our clients for whom we host pages on those parts of our platform. PCI DSS is a set of security requirements to protect environments that store, process, or transmit payment card data. Because our open platform allows clients to customize their templates, Engaging Networks and our clients share responsibility for the security of these pages.

What is the role of Engaging Networks?

We must comply with the 12 PCI DSS requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

  • We must complete and pass an annual review by a PCI Qualified Security Assessor (QSA) in order to maintain PCI DSS Level 1 certification, as demonstrated by an Attestation of Compliance (AOC).
  • We will help our clients stay PCI compliant by issuing them a copy of our AOC upon request.

What do Engaging Networks’ clients need to do?

If you have payment pages on the Engaging Networks platform, then you are considered a merchant, and every merchant is required to complete a self-assessment questionnaire (SAQ) at least every 12 months to report their PCI DSS status, whether compliant or non-compliant. The type of SAQ is determined by the volume of credit card transactions you process each year. Contact your payment gateway (e.g., PayPal, Stripe) for more information.

Additionally, payment page vulnerability scans must be completed at least every 90 days by an Approved Scanning Vendor. To help reduce the scope and cost of these scans, here are some things you can do:

What happens if clients fail to comply with PCI DSS?

  • To maintain a secure multi-tenant platform, Engaging Networks will close any client payment pages for which vulnerabilities have not been corrected in the posted time frame (based on the severity of the vulnerability).
  • Each of the PCI founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently has its own PCI compliance program for the protection of its affiliated payment card account data. Clients should contact their payment gateway directly for information about non-compliance, which could include fines and loss of the ability to process credit cards.


This version was last updated on 28 Oct 2024.