So Stripe wants me to complete PCI DSS for my Ko-fi account because apparently the transaction volume is sufficient to trigger their systems to require it?
-
I am very lost here.
-
Emelia replied to Emelia last edited by
Invoices aren't covered by PCI DSS right? I'd find that hard to believe since literally everyone needs to process those for bookkeeping, accounting and taxation purposes.
Stripe's trying to argue that because I have access to the card holder name via Invoices, that I need PCI DSS compliance, which is just.. uh.. no? as far as I know?
-
Emelia replied to Emelia last edited by
Also, I'm not a company with multiple employees, I'm literally a freelancer.
-
@thisismissem No? You're using their hosted forms and stuff, right? You're not directly processing the card data through your backend?
What exactly have they said? This sounds very odd.
-
@hugh I've told them all this, told them I only have access to what Stripe's API gives me and only to generate invoices from my laptop, but they still hold firm that I need PCI DSS compliance information submitted.
-
@thisismissem @hugh can't you just do the self assessment questionnaire? Still odd tho.
https://east.pcisecuritystandards.org/pci_security/completing_self_assessment
-
Emelia replied to Emelia last edited by
@joe @hugh specifically, I'm not processing card information, besides having access to the customer's name, which would be on my invoices anyway.
Technically I do have access to the last 4 digits + expiry + country of issue for the card, but that's because by virtue of Stripe you have access to that.
-
@thisismissem @hugh right so I think you choose questionnaire A.
-
@joe @hugh yes, but even then it's asking for my company information, there is no company, I'm a freelance/independent. It's asking me for documentation that I keep everything secure, I don't have documentation but of course I try to, it's asking for facilities and corporate office and data centres. The data literally exists in memory on my laptop whilst I generate a pdf invoice, that's it
-
Henryk Plötz replied to Emelia last edited by
@thisismissem The PCI rules changed, starting April this year. It's all very bonkers. Now, even if you embed (iframe) an existing payment form, or even just *link* to it, you land in the category that needs an external scan by an authorized scanning vendor ($$$).
The only option that's exempt is if you don't even link/forward to the payment form, which presumably means that the link is in an email. Our PSP looked at us and said "yeah, no, you're too small, we'll mark you as autocompliant".
-
Emelia replied to Henryk Plötz last edited by
@henryk that's madness like I thought.
-
Scott M. Stolz replied to Henryk Plötz last edited by
@Henryk Plötz That is insane. Simply linking to someone else's form should not trigger a PCI audit. In fact, the whole purpose of linking to someone else's form is so that THEY handle the payment processing and PCI compliance falls upon them.
cc: @Emelia
-
Emelia replied to Scott M. Stolz last edited by
@scott yeah, so I don't host any payments pages, yes, I process the sales invoices created during the payment process and some information related to transactions (customer name, address, line items) to generate invoices because Ko-fi doesn't.
Stripe is arguing that therefore I need PCI DSS compliance & auditing; I've never seen card information besides the last 4 digits & expiration when in the Stripe dashboard or accessing the Stripe API from my laptop.
-
Scott M. Stolz replied to Emelia last edited by
@Emelia This is a bit overkill by them. At least they only want the self-assessment.
As I mentioned earlier, just answer the questions as if you are a one person company, and you should be fine. You are technical enough to know how to secure data, so you just have to tell them that... via the self-assessment. Pain in the you know what, but it is manageable.
-
Emelia replied to Scott M. Stolz last edited by
@scott maybe I'll take another look at the form once I've had surgery. What's worse is it's not even an editable PDF, so it's harder than it should be to fill out.