So Stripe wants me to complete PCI DSS for my Ko-fi account because apparently the transaction volume is sufficient to trigger their systems to require it?
-
Emelia πΈπ»replied to Emelia πΈπ» last edited by
-
@thisismissem @hugh right so I think you choose questionnaire A.
-
@joe @hugh yes, but even then it's asking for my company information, there is no company, I'm a freelance/independent. It's asking me for documentation that I keep everything secure, I don't have documentation but of course I try to, it's asking for facilities and corporate office and data centres. The data literally exists in memory on my laptop whilst I generate a pdf invoice, that's it
-
Emelia πΈπ»replied to Emelia πΈπ» last edited by
-
Emelia πΈπ»replied to Emelia πΈπ» last edited by
-
Henryk PlΓΆtzreplied to Emelia πΈπ» last edited by
@thisismissem The PCI rules changed, starting April this year. It's all very bonkers. Now, even if you embed (iframe) an existing payment form, or even just *link* to it, you land in the category that needs an external scan by an authorized scanning vendor ($$$).
The only option that's exempt is if you don't even link/forward to the payment form, which presumably means that the link is in an email.Our PSP looked at us and said "yeah, no, you're too small, we'll mark you as autocompliant".
-
Emelia πΈπ»replied to Henryk PlΓΆtz last edited by
@henryk that's madness like I thought.
-
Scott M. Stolzreplied to Henryk PlΓΆtz last edited by@Henryk PlΓΆtz That is insane. Simply linking to someone else's form should not trigger a PCI audit. In fact, the whole purpose of linking to someone else's form is so that THEY handle the payment processing and PCI compliance falls upon them.
cc: @Emelia -
Emelia πΈπ»replied to Scott M. Stolz last edited by
@scott yeah, so I don't host any payments pages, yes, I process the sales invoices created during the payment process and some information related to transactions (customer name, address, line items) to generate invoices because Ko-fi doesn't.
Stripe is arguing that therefore I need PCI DSS compliance & auditing β I never seen card information besides the last 4 digits & expiration when in the stripe dashboard or accessing the stripe API from my laptop.
-
Scott M. Stolzreplied to Emelia πΈπ» last edited by@Emelia This is a bit overkill by them. At least they only want the self-assessment.
As I mentioned earlier, just answer the questions as if you are a one person company, and you should be fine. You are technical enough to know how to secure data, so you just have to tell them that... via the self-assessment. Pain in the you know what, but it is manageable. -
Emelia πΈπ»replied to Scott M. Stolz last edited by
@scott maybe I'll take another look at the form once I've had surgery. What's worse is it's not even an editable PDF, so it's harder than it should be to fill out.
-
@thisismissem that seems very off yea, unless you have access to the whole credit card number too? Otherwise this should be fully Stripes responsibilty, like isn't that one of the many reasons why Stripe exists to begin with?! lol
-
@timonsku yeah, I don't have the full credit card number