complete a self-assessment questionnaire at least every 12 months
conduct quarterly scans of payment pages via an Approved Scanning Vendor (ASV)
These two tasks are new requirements for our clients and we are doing everything we can to help.
These new PCI requirements are the responsibility of anyone who is processing payments, regardless of the platform you are using.
Ideally, we would all use the same Approved Scanning Vendor as this will cut down on costs and administration for you as our client and for Engaging Networks when working with ASVs who will be scanning your pages.
After six months of market review and analysis, we have selected ControlCase as our preferred Approved Scanning Vendor (ASV) for our clients.
By choosing to work with ControlCase, you will save time and money because we have already mapped out a plan with them to make your quarterly PCI scans simple and secure.
Here is a breakdown of timelines:
Timelines
By 20th January 2025, it is suggested that clients have signed up with an ASV scanner and initiated scanning
By 14th February 2025, the ASV will have shared a pass/fail status with Engaging Networks
By 1st March 2025, Engaging Networks will submit documentation for compliance
To get started, enroll with ControlCase via this link.
Below is a list of some Frequently Asked Questions, but if you don’t find the answers you are looking for, reach out to your Account Success Manager.
FAQs
PCI DSS was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect payment account data.
PCI DSS is applicable to entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers. For Engaging Networks, this includes clients -- who are considered "merchants".
Yes, all merchants, regardless of size, must comply with the Payment Card Industry Security Standards. This is typically because merchants either store, process or transmit cardholder data; however, with the new version 4 requirements, customized payment pages also must comply since they could impact the security of the cardholder data environment by allowing vulnerabilities to put payment data at risk.
Engaging Networks must certify annually, via an external Qualified Security Assessor (QSA). An Attestation of Compliance (AOC) report is prepared at the conclusion.
Clients need to follow the PCI Data Security Standard, especially concerning the use of external libraries on payment pages and scanning for vulnerabilities on payment pages. Every merchant is required to complete a self-assessment questionnaire at least every 12 months. In addition, every merchant must also conduct quarterly scans of payment pages via an Approved Scanning Vendor (ASV).
Yes. The PCI DSS Attestation of Compliance can be shared with clients upon request, according to applicable Participating Payment Brand rules. Clients should contact the payment brands directly for information about their compliance programs and reporting requirements.
Implement a process where at the end of a particular campaign, all related pages are closed and redirected to your main donation page. Making this a best-practice will ensure that your account does not end up with too many open and unused pages. Closing or deleting pages that are no longer needed will reduce your exposure to spam and fraud attacks by limiting the number of entry points for bad actors, and will reduce your overall account administration needs as you will have fewer pages to maintain. Use our handy low-volume page report to help with this!
By 20th January 2025, clients should know who their ASV scanner is going to be and should have initiated scanning. By 14th February 2025, the ASV will have shared a pass/fail status with Engaging Networks. By 1st March 2025, Engaging Networks has to submit documentation for compliance.
Any page that takes payment, such as donation and events pages, needs to be scanned. It doesn’t matter how much the page raises, the currency, or the payment type.
A PCI ASV scan is a vulnerability scan that checks for security flaws. Quarterly (every 90 days) scans are required by the Payment Card Industry (PCI) Data Security Standard (DSS) for organizations that accept payment cards. An Approved Scanning Vendor (ASV) must perform the scan. The results of the scan will be included in a report, alerting you to any vulnerabilities that were found. If security flaws are not fixed, you may be fined or lose your ability to accept credit card payments. Regular vulnerability scans are necessary to identify and mitigate security risks associated with cardholder data.
Engaging Networks allows clients to customize payment pages, including adding external code and libraries. This customization offers flexibility but may also introduce potential security risks. Customized payment pages with external libraries can introduce vulnerabilities, such as cross-site scripting (XSS) or insecure dependencies. ASV scans help identify and mitigate these risks.
Clients will be responsible for having ASV scans performed on their payment pages. EN has selected ControlCase to be our preferred ASV scanner.
After comprehensive evaluation and testing, we are confident in ControlCase's software and expertise, and believe that they will deliver solid care and attention to our clients at a fair price. Approved by the PCI Council, with over 15 years of experience in cybersecurity and compliance services, ControlCase is well-equipped to help clients identify vulnerabilities, stay ahead of potential threats, and ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). They will also handle the step-by-step process with you.
It is possible to use another vendor - a list of approved scanning vendors can be found here. However, please note that not all scanners will work in the Engaging Networks environment so please get in touch with your Account Manager to confirm this first.
Because of this, we highly recommend ControlCase for their expertise and fair pricing, which we secured through bulk rates shared among multiple clients. They are approved by the PCI council, and have over 15 years of experience in cybersecurity and compliance services.
The team at ControlCase will work closely with you to ensure a smooth scanning process, with minimal disruption to your operations. You will sign a contract with, and pay, ControlCase directly for their services.
ControlCase does not do any remediation themselves, but they will walk you through what needs to be fixed. If you need support to implement a fix, we can provide a list of Accredited Partners who are very familiar with this work.
We will continue to perform scans each week to help detect vulnerabilities on client pages. We will update the scan results page each week as well, but this is not a substitute for scanning by a PCI Council Approved Scanning Vendor ("ASV"). This is simply to help you achieve a clean scan each quarter from an ASV and, ultimately, to keep your pages and the Engaging Networks platform safe and in compliance with PCI rules.
ControlCase lets us know every time a client enrolls in their services. At that time, we provide a list of page URLs to ControlCase. From there, you will work with ControlCase to determine how many of those pages will need scanning.
Yes, all of our Accredited Partners are receiving all of this information as well, and many of them would be more than happy to help you. Please reach out to your Account Success Manager and we can recommend someone to work with.
Reasons above and beyond vulnerable JavaScript libraries include (but are not limited to) cross-site scripting, SQL injection, error handling, security patches, iframes, and input validation. Note: an example summary scan report from ControlCase is available for download from our Trust Center under the Resources section titled 'PCI DSS Related Documents'.
If the page is accessible from the Internet, and someone can input credit card data, or debit card data, it must be included in the scan. You will have an opportunity to verify what is in scope with ControlCase.
The list provided to ControlCase does not include all potential variations of a single page. Clients using locales and profiles on their pages should raise this with their scanning vendor to determine the final scope of their scan.
Engaging Networks is responsible for scanning these pages, so they are not included in the scope for clients.
That's correct. If the page is closed and cannot be interacted with via the Internet, then it does not need to be scanned.
Even pages with a "New" status are accessible online with the ?mode=DEMO URL parameter. If the page is accessible from the Internet and someone can input credit card data, it must be included in the scan. You will have an opportunity to verify what is in scope with ControlCase.
Pages in the legacy P2P tool are not included in the EN page list/count that is currently provided to ControlCase, but ControlCase has been made aware of any P2P clients so that they can discuss with you directly what the scope of your scanning should be.
The PCI DSS ASV scan requirement only applies to pages where credit card data can be entered, which includes the following page types: Donation, Premium Donation, Symbolic Giving, Membership, Peer-to-peer, and Events. Other page types do not require ASV scanning.
If the sandbox account is set up with a payment gateway and has pages where credit card data can be entered, which includes the following page types: Donation, Premium Donation, Symbolic Giving, Membership, Peer-to-peer, and Events -- then yes, the sandbox pages should be included in the scan.
Engaging Networks has set up a dedicated domain that ControlCase will use to conduct ASV scanning. Clients will therefore only be charged for one domain, regardless of how many custom hostnames/SSL certificates they use.
No, that will not be required. When it comes time for quarterly scanning, an updated page count will be provided.
If the page is accessible from the Internet and someone can input credit card data, it must be included in the scan. Even pages with a "New" status are accessible online with the ?mode=DEMO URL parameter. When the list of your pages is sent to ControlCase, it would include any Donation Pages you have, and then you will work with ControlCase directly to verify what is in scope. If a donation page does not have credit card fields on it, then it would be removed from the scope.
The Engaging Networks system allows customization to happen at the page level, so all pages where credit card data can be entered (Donation, Premium Donation, Symbolic Giving, Membership, Peer-to-peer, and Events) will be included in the file sent to the Approved Scanning Vendor. It is up to the client to work with the vendor to determine the ultimate scope of the scan.
Pages using a test gateway would be included in the list of pages sent to ControlCase; however, it is up to the client to work with the scanning vendor to determine the ultimate scope of what is scanned.
Clients will need to check with their gateway/merchants on their individual reporting schedules.