PCI compliance

This article explains PCI DSS compliance for Finalsite Forms payments, including why schools don't need to prove their own compliance and which SAQ questionnaire to file.

💡Quick answers

  • Does a school's website need to be PCI compliant? No; the website and Finalsite are not the merchant handling or storing cardholder data, so PCI attestation does not apply to the site itself.
  • Who actually processes and stores credit card data? HostedPCI (HPCI) is the merchant service provider with access to cardholder data, and Finalsite has partnered with HPCI and Bluesnap for PCI-compliant payment processing.
  • Which SAQ questionnaire should schools fill out? Only the SAQ Type A questionnaire is needed if you're processing credit card payments through the HPCI system.
  • How do you complete an SAQ questionnaire correctly for Finalsite? Indicate HPCI as the third-party processor on the questionnaire, which allows you to bypass the requirement to scan your website.
  • Is this article for Forms or legacy Forms Manager users? This article applies to the newer Forms product; legacy Forms Manager users should refer to separate help documentation.

Clients often ask about Payment Card Industry Data Security Standard (PCI DSS) compliance. Finalsite has partnered with HostedPCI (HPCI) and Bluesnap to provide PCI-compliant payment solutions through our software. This means Finalsite does not process or store banking or credit card information within our hosting environment; payments are processed by PCI-compliant gateway providers.

This article refers to our newest product, Forms, which is available to you in your modules list. You may be a Legacy Forms Manager user which has a different set of help documentation. 

Not sure? Please review "Which forms module do I have: New Forms or Legacy Forms Manager?" 

You should not need to prove the PCI compliance of your website as your website/Finalsite is not the merchant handling/storing card data. PCI attestation only applies to those merchants or service providers who handle or store cardholder data.

HostedPCI is your merchant service provider and is the only link in the chain that actually has access to the cardholder's data. Their attestation of compliance can be found here:

https://www.hostedpci.com/pci-compliant/
http://www.visa.com/splisting/searchGrsp.do?companyNameCriteria=HostedPCI 

Clients will need to go to their SAQ questionnaire to change the response so that HPCI is indicated as the third-party processor, and bypass the requirement to scan their website.

You should only need to fill out the SAQ Type A questionnaire if you're processing credit card payments through the HPCI system.

Was this article helpful?
4 out of 6 found this helpful

Comments

0 comments

Please Sign in to leave a comment if you don't see the comment box below.