...

PCI DSS was developed to encourage and enhance payment card account data security and to facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect payment account data.

PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or that could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. For Engaging Networks, this includes clients, who are considered "merchants".

Yes. All merchants, regardless of size, must comply with the PCI Data Security Standard (PCI DSS). Traditionally this is because merchants store, process, or transmit cardholder data. With PCI DSS version 4, customized payment pages are also in scope, because any system that could impact the security of the cardholder data environment must comply, and custom code or third-party scripts on a payment page can introduce vulnerabilities that put payment data at risk. Version 4 adds specific requirements for managing the scripts loaded on payment pages (requirement 6.4.3) and for detecting unauthorized changes to those pages (requirement 11.6.1).

Engaging Networks is assessed annually by an external Qualified Security Assessor (QSA). An Attestation of Compliance (AOC) is issued at the conclusion of the assessment.

Clients must follow the PCI Data Security Standard themselves, in particular the requirements concerning the use of external libraries and scripts on payment pages and vulnerability scanning of those pages. Every merchant must complete a Self-Assessment Questionnaire (SAQ) at least every 12 months; the SAQ type depends on how the merchant accepts payments, so confirm the correct one with your acquirer. In addition, every merchant must have quarterly vulnerability scans of its payment pages performed by an Approved Scanning Vendor (ASV).

Yes. The PCI DSS Attestation of Compliance (AOC) can be shared with clients upon request, subject to the applicable Participating Payment Brand rules. Clients should contact the payment brands directly for information about their compliance programs and reporting requirements.

Implement a process in which, at the end of a campaign, all related pages are closed and redirected to your main donation page. Making this a standard practice ensures that your account does not accumulate open, unused pages. Closing or deleting pages that are no longer needed reduces your exposure to spam and fraud attacks by limiting the number of entry points available to bad actors, and it reduces your administration overhead because you have fewer pages to maintain (and fewer pages in scope for ASV scanning). Use our low-volume page report to help identify candidates.

By 20th January 2025, clients should know who their ASV is going to be and should have initiated scanning. By 14th February 2025, the ASV will have shared a pass/fail status with Engaging Networks. By 1st March 2025, Engaging Networks must submit its compliance documentation.

Any page that takes a payment, such as a donation or event page, needs to be scanned. It does not matter how much the page raises, which currency it uses, or which payment type it accepts.

A PCI ASV scan is an external vulnerability scan of your internet-facing payment pages that checks for known security flaws. The PCI Data Security Standard (DSS) requires organizations that accept payment cards to have these scans performed quarterly (at least every 90 days) by an Approved Scanning Vendor (ASV). The results are delivered in a report listing any vulnerabilities found; to pass, the scan must find no vulnerabilities rated medium or higher (CVSS base score 4.0 or above), and any such findings must be fixed and re-scanned until a passing scan is obtained. If security flaws are not fixed, you may be fined or lose your ability to accept credit card payments. Regular vulnerability scans are necessary to identify and mitigate security risks to cardholder data.

Engaging Networks allows clients to customize payment pages, including adding external code and libraries. This flexibility also introduces potential security risks: any script loaded onto a payment page runs with full access to the page, including the card entry form, so a vulnerable or tampered-with library can lead to cross-site scripting (XSS) or skimming of payment data, and an outdated dependency can carry known vulnerabilities. ASV scans help identify these risks so they can be fixed. Pinning third-party scripts with Subresource Integrity (SRI) and restricting where scripts may load from with a Content Security Policy (CSP) further reduce the exposure.

Clients are responsible for having ASV scans performed on their payment pages. Engaging Networks has selected ControlCase as our preferred ASV.

Yes. Clients pay ControlCase directly, annually, for their services. Part of the reason we selected ControlCase is the fair price we negotiated on behalf of our clients. The cost depends on the number of payment pages that need to be scanned (this includes any page that accepts credit cards, including peer-to-peer sites). Most organizations can expect the cost to range from USD $600 to USD $2,500 per year (around GBP £475 to £1,980, CAD $840 to $3,490, or €570 to €2,370). Clients confirm their fee with ControlCase once they begin working with them.

It is possible to use another vendor; the list of Approved Scanning Vendors published by the PCI Security Standards Council can be found here. However, not all scanners work in the Engaging Networks environment, so please check with your Account Manager first. For this reason we highly recommend ControlCase for their expertise and fair pricing, which we secured through bulk rates shared among multiple clients. They are approved by the PCI Security Standards Council and have over 15 years of experience in cybersecurity and compliance services.

After comprehensive evaluation and testing, we are confident in ControlCase's software and expertise and believe they will deliver solid care and attention to our clients at a fair price. Approved by the PCI Security Standards Council, with over 15 years of experience in cybersecurity and compliance services, ControlCase is well equipped to help clients identify vulnerabilities, stay ahead of potential threats, and maintain compliance with the PCI DSS. They will also walk you through the process step by step.

The team at ControlCase will work closely with you to ensure a smooth scanning process with minimal disruption to your operations. You sign a contract with, and pay, ControlCase directly for their services.

Engaging Networks allows extensive customization of payment pages, including the addition of external code libraries and custom scripts, which gives clients greater flexibility. This customization also increases the complexity of the security landscape, because customized code and external libraries can introduce additional vulnerabilities that need to be monitored and managed. In contrast, some competitor platforms do not allow this level of customization and instead offer standardized, closed payment pages. Without client-controlled external code or libraries, those platforms have a more uniform and controlled security environment, often managed entirely by the payment processor. As a result, such platforms may not require clients to arrange ASV scans, as they have fewer exposure points and the payment processor handles the security of the payment flow. For clients who do not need this level of customization, we are developing Quick Pages, an option that avoids most of this scanning burden.

Enroll with ControlCase via this link.
...