This guide walks through some of the common questions asked in a PCI DSS compliance questionnaire (self-assessment questionnaire, or SAQ) and how to answer them when using Givecloud.

Some of the questions in your questionnaire or checklist may not relate to your online payments with Givecloud and may instead concern your own operations. In that case, answer them to the best of your ability, based on your own environment.

Sample Questions and Answers

Are your online customers redirected from your company's website to a payment gateway/processor hosted payment webpage/ iFrame to process card payments?

No - There are no redirects. Customers stay on our site; card details are entered into an iframe embedded on our site, which is served over HTTPS (TLS).

Do you provide your customers with the ability to enter payment card data directly into your website(s) for processing?

Yes - The payment card data is always submitted through an iframe on our website for processing.

Please select the statement which best describes how you process payment card details entered directly into your website:

✖️No - I manually process the payment by typing the card details into a point of sale terminal either at the time or else I retain the details to process at a later time or date.

✅YES - My customers' payment card transactions are processed automatically. My e-Commerce website uses a payment gateway integration to communicate with the payment processor / payment service provider. (This integration could be a shopping cart, payment software application, API or other payment gateway.)

My website produces the payment page that requests input of the customer's payment card data and:

✖️No - My website receives the payment card data entered by my customers

✅YES - My website is set up to use a silent order post, direct post, JavaScript or similar method to ensure my website has no direct contact with my customer's payment card data.

✖️No - I don't know exactly how my company website communicates with the gateway/processor to authorise transactions.

Can you verify or provide proof that your Payment Service Provider is PCI Compliant for the services they provide you?

Yes - Givecloud's security and PCI compliance details are published at: http://help.givecloud.co/articles/3019993-security-compliance

Have you verified with your Payment Service Provider (PSP) that they do not pass card data back to your payment application or website?

Yes.

Please select your shopping cart provider(s) from the selection below

Givecloud

Please indicate which of the following statements best describes your payment application.

✅YES - I use an 'off the shelf' payment application provided by a software vendor, reseller or system integrator.

✖️No - My company's payment application has been written in-house by developers within my organisation.

✖️No - My company's payment application has been written specifically for my company by a third party software development company.

Does anyone in your company or any third party (contractor/vendor/your processor) require remote access to your point-of-sale devices/payment application or other network components?

Yes - Givecloud's support team accesses our account when we ask for help, and our own staff access Givecloud remotely to run reports and to process payments, including payments against cards stored in PaySafe.

Do you receive the security/validation/verification code from your customers to authorise their transactions? This is the three or four digit number located in either the signature panel of your customer's payment card or on the front of the card.

Yes - the code is always requested from the customer during checkout so the transaction can be authorised. It is not retained afterwards (see the next two questions).

Do you store the payment card security/validation/verification code in any electronic format? (e.g. databases, files, emails, scanned copies etc…)

No - Givecloud does not store the CVC. (Comment on whether you as an organization store it anywhere, for example on paper forms, in spreadsheets or in email. PCI DSS prohibits storing that code after authorisation.)

Do you securely destroy the payment card security/validation/verification code once the transaction has been authorised?

Givecloud does not store it, so there is nothing to destroy. (Comment on whether you as an organization ever receive it by other means, such as on a paper donation form, and how you destroy it once the transaction has been authorised. PCI DSS prohibits storing the code after authorisation, so you should never have a retained copy to destroy.)

Does anyone in your organisation send or receive full card numbers via email or instant messaging?

(Comment on whether you as an organization ever accept or forward card numbers via email or IM. PCI DSS prohibits sending unprotected card numbers (PANs) over end-user messaging technologies such as email or instant messaging, and the safest position is that your staff never see or handle full card numbers at all. If a donor emails you a card number, do not forward it, delete it once dealt with, and ask the donor to use the donation form or phone instead.)

Does your company otherwise store, transmit or receive cardholder data electronically in any other way and for any other purpose? This could be via CD-ROM, USB drive or an internet network.

(Comment on whether you as an organization store or move cardholder data by any other means, such as paper forms that are scanned or filed, spreadsheets, USB drives or CDs, or an internal file share. Card details entered through Givecloud are handled by Givecloud and the payment processor rather than on your own systems; any place outside Givecloud where you keep or transmit card data is in scope for your PCI DSS assessment and should be listed here.)

Do you use wireless technology anywhere in your business environment?

(Answer according to your own environment; most offices use Wi-Fi and will answer 'Yes'.)

Is virtualisation technology used in your network?

✅YES (Givecloud runs on virtualisation technology.)

Is disk encryption used to protect cardholder data?

✅YES (Cardholder personal data held in Givecloud is stored on encrypted disks.)

Do you write/develop your own custom applications internally?

(Answer according to your own environment. If Givecloud is your only payment application and you do not develop software in-house, the answer is 'No'.)

Do you have public facing web applications in your environment?

✅YES (Donation forms, sign-up forms and the donor portal.)

Do you have facilities with sensitive areas (sensitive areas refers to any data centre, server room or any area that houses systems that store, process or transmit cardholder data. This excludes the areas where only point of sale terminals are present, such as the cashier area in a retail store)?

(Answer according to your own facilities. Because Givecloud hosts the systems that store and process cardholder data, most organisations have no such sensitive areas on their own premises and answer 'No'.)

Do you permit any of your employees, contractors or vendors (particularly POS integrators or suppliers) to access systems that store cardholder data remotely?

✅YES (Givecloud will provide support from time to time, with permission.)

Do you have an active merchant account with any other merchant services provider?

(Answer according to your own arrangements. If all of your card payments go through Givecloud, the answer is usually 'No'.)

How and in what capacity does your business store, process and/or transmit cardholder data?

We are required to store the name, address, email and phone number of each donor in order to send confirmation and thank-you messages and to complete other processes such as Gift Aid applications and tax receipts. All of this data is stored in Givecloud with permission-based access. We do not store card numbers or security codes ourselves; stored cards are held by the payment processor (PaySafe). (Comment on whether you also store donor data in a third party CRM.)

Provide a high level description of your overall business environment, applicable to your PCI DSS assessment. For example describe the type of equipment you use for card processing, storage and transmission; such as POS devices any databases and webservers, include a description as to how they connect both externally and any internal connections.

We use Givecloud, a hosted platform, to process all of our payments and donations. Card details are entered either by donors on our HTTPS donation forms (within an iframe) or by our staff through the virtual point-of-sale in Givecloud, in both cases from a web browser; no card data is stored on our own servers or network. (List any POS terminals, databases or other systems you use outside Givecloud. Note that any staff computer used to key card details into the virtual point-of-sale is in scope for your assessment and should be mentioned here.)
