For a comprehensive list of PCI requirements, please consult the Engaging Networks Trust Center.
Nonprofits that accept credit or debit card donations are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This global security framework exists to protect donor payment information and prevent fraud, data breaches, and misuse of cardholder data.
Your organization is responsible for ensuring that any systems or web pages under your control (including Engaging Networks payment pages) are secure and compliant. PCI DSS compliance helps nonprofits:
-
Protect sensitive donor data and trust
-
Reduce the risk of fraud or cyberattacks
-
Maintain eligibility to process card payments
-
Avoid costly fines, penalties, or reputational damage
Requirements
-
Self assessment questionnaire: complete a self-assessment questionnaire (SAQ) at least every 12 months
-
Page scanning: conduct quarterly scans of payment pages via an Approved Scanning Vendor (ASV)
-
Inventory, attestation, and authorization of scripts: maintain an inventory of scripts including the URL, purpose, and justification for the script. Additionally maintain policies to ensure only authorized scripts are loaded on payment pages
-
Tamper detection and alerting: maintain monitoring and detection of unauthorized page changes
Self-Assessment Questionnaire (SAQ)
PCI DSS v4.0
Frequency: Annual
To meet this requirement, an organization needs to do the following:
-
Determine the SAQ type applicable to your organization. Your payment processor (for example Stripe, Vantiv, iATs) can assist you with this determination
-
Locate the correct SAQ from the PCI council document library.
-
Complete the SAQ and Attestation of Compliance (AOC).
-
Store the completed documents securely with other compliance materials.
-
Provide the SAQ and AOC to your payment processor (for example Stripe, Vantiv, iATs, etc).
Page Scanning
Control: Requirement 11.3.2
Frequency: Quarterly
Engaging Networks manages this process for Smart Pages. The instructions below are applicable to page builder type pages.
To meet this requirement, an organization needs to do the following:
-
Enroll with Engaging Networks preferred Approved Scanning Vendor, ControlCase, or choose another ASV.
To submit a request to use an alternative Approved Scanning Vendor, please submit this form to start the process. Not all PCI-approved scanning vendors are compatible with Engaging Network’s environment; additional testing and coordination are needed to use an alternative scanner.
-
Download a list of pages that need to be scanned from the Engaging Networks Security Center.
-
Provide that list to the ASV for scanning.
-
Resolve any vulnerabilities revealed as part of the scan.
-
Provide the passing ASV scan results to your payment processor (for example Stripe, Vantiv, iATS, etc).
Inventory, attestation, and authorization of scripts
To meet this requirement, an organization needs to do the following:
Part 1: Inventory and attestation
Control: Requirement 6.4.3
Frequency: Quarterly
-
Build or acquire a list of all scripts being used on your Engaging Networks pages.
Engaging Networks preferred ASV, ControlCase, will provide this as part of quarterly scanning. Smart Pages do not support custom scripts so the list of Engaging Networks scripts is all that is needed for this requirement.
-
Review the list to ensure all scripts are known to you and should be in use on your pages (see list of Engaging Networks scripts below).
-
Using the list of scripts, add the script URL, purpose for having the script on the page, and attest that you are aware of the scripts, they are meant to be on the your page and you have vetted their security.
-
Provide the attestation documentation to your ASV (required to obtain a passing scan).
Here is an example that you are welcome to copy:
We confirm that the following external scripts are intentionally embedded within our payment page. Each script is essential for the functionality, analytics, security, or user experience of our site. All scripts have been reviewed and approved by our team, and we confirm that they pose no known security risks.
List of external scripts:
[script url] -- [what it is used for]
[script url] -- [what it is used for]
Part 2: Script authorization
Control: Requirement 6.4.3
Frequency: Continuous/ ongoing
There are a number of ways an organization can meet this requirement. One way is to use a Content Security Policy (CSP). A CSP can be enabled for Engaging Networks pages to help meet this requirement and an organization needs to do the following:
-
Have a list of scripts, domains and other assets used on your Engaging Networks pages.
-
Follow the instructions here to define, test, and deploy a CSP header.
-
Monitor and update CSP directives regularly and as needed.
-
Be prepared to show documentation of your controls to your QSA and/or as part of an SAQ.
Tamper detection and alerting
Control: Requirement 11.6.1
Frequency: Continuous/ ongoing
This is one way to meet this requirement. There are other ways your organization may choose to meet the requirement including using third party tools.
-
Enable CSP reporting as part of the policy (directive
report-to). -
Set up a report collection endpoint on your server.
-
Generate alerts for any unauthorized changes.
-
Monitor and review violations regularly.
-
Be prepared to show documentation of your controls to your QSA and/or as part of an SAQ.
Glossary
|
Acronym |
Full Term |
Definition |
|---|---|---|
|
AOC |
Attestation of Compliance |
A signed declaration that your organization complies with PCI DSS, submitted with the SAQ. |
|
ASV |
Approved Scanning Vendor |
A company certified by the PCI SSC to perform required external vulnerability scans. |
|
CSP |
Content Security Policy |
A security mechanism to restrict which scripts and resources can be loaded by a web page (important for script attestation). |
|
DSS |
Data Security Standard |
Refers to the core PCI DSS document (e.g., PCI DSS v4.0). |
|
PCI DSS |
Payment Card Industry Data Security Standard |
A global standard for securing credit/debit card transactions and cardholder data. |
|
QSA |
Qualified Security Assessor |
A professional or firm certified by the PCI SSC to audit and validate PCI DSS compliance. |
|
ROC |
Report on Compliance |
A detailed report generated by a Qualified Security Assessor (QSA) for larger organizations (not SAQ users). |
|
SAQ |
Self-Assessment Questionnaire |
A compliance form used by merchants to assess and report their adherence to PCI DSS. |
Below is a list of some Frequently Asked Questions, but if you don’t find the answers you are looking for, reach out to your Account Success Manager.