/
Payment page security scanning for PCI Compliance

Payment page security scanning for PCI Compliance

Owned by Corin Hartley-Pearce
Last updated: Jan 08, 2025 by Sam Louk
8 min read

As a client of Engaging Networks using our Fundraising, Events, or Peer to Peer pages, you need to follow Payment Card Industry Data Security Standards (PCI DSS).

This means you are required to:

  1. complete a self-assessment questionnaire at least every 12 months

  2. conduct quarterly scans of payment pages via an Approved Scanning Vendor (ASV)

These two tasks are new requirements for our clients and we are doing everything we can to help.

These new PCI requirements are the responsibility of anyone who is processing payments, regardless of the platform you are using.

Ideally, we would all use the same Approved Scanning Vendor as this will cut down on costs and administration for you as our client and for Engaging Networks when working with ASVs who will be scanning your pages.

After six months of market review and analysis, we have selected ControlCase as our preferred Approved Scanning Vendor (ASV) for our clients.

By choosing to work with ControlCase, you will save time and money because we have already mapped out a plan with them to make your quarterly PCI scans simple and secure.

Here is a breakdown of timelines:

Timelines

  • By 20th January 2025, it is suggested that clients be signed up with a ASV scanner and initiated scanning

  • By 14th February 2025, the ASV will have shared a pass/fail status with Engaging Networks

  • By 1st March 2025, Engaging Networks will submit documentation for compliance

To get started, enroll with ControlCase via this link.

Additional Resources

  • Presentation from the Engaging Networks Community Conference

  • Compliance and Security page on the Engaging Networks corporate website

  • Vulnerability Scanning with ControlCase Webinar, 5th December 2024: Recording & Q&A document:

  • PCI DSS website

  • Engaging Networks Trust Center

Below is a list of some Frequently Asked Questions, but if you don’t find the answers you are looking for, reach out to your Account Success Manager.

FAQs

PCI DSS was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect payment account data.

PCI DSS is applicable to entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers. For Engaging Networks, this includes clients -- who are considered "merchants".

Yes, all merchants, regardless of size, must comply with the Payment Card Industry Security Standards. This is typically because merchants either store, process or transmit cardholder data; however, with the new version 4 requirements, customized payment pages also must comply since they could impact the security of the cardholder data environment by allowing vulnerabilities to put payment data at risk.

Engaging Networks must certify annually, via an external Qualified Security Assessor (QSA). An Attestation of Compliance (AOC) report is prepared at the conclusion.

Clients need to follow PCI Data Security Standards, especially concerning the use of external libraries on payment pages and scanning for vulnerabilities on payment pages. Every merchant is required to complete a self-assessment questionnaire at least every 12 months. In addition, every merchant must also conduct quarterly scans of payment pages via an Approved Scanning Vendor (ASV)