So Stripe wants me to complete PCI DSS for my Ko-fi account because apparently the transaction volume is sufficient to trigger their systems to require it?

Emelia 👸🏻

Also, I'm not a company with multiple employees, I'm literally a freelancer.

Hugh

@thisismissem No? You're using their hosted forms and stuff, right? You're not directly processing the card data through your backend?

What exactly have they said? This sounds very odd.

Emelia 👸🏻

@hugh I've told them all this, told them I only have access to what Stripe's API gives me and only to generate invoices from my laptop, but they still hold firm that I need PCI DSS compliance information submitted.

Joe Scharf

@thisismissem @hugh can’t you just do the self assessment questionnaire? Still odd tho.
https://east.pcisecuritystandards.org/pci_security/completing_self_assessment

Emelia 👸🏻

@joe @hugh not an option for stripe

Emelia 👸🏻

@joe @hugh that's what they want but literally nothing in there is relevant to me, from what I can tell?

Emelia 👸🏻

@joe @hugh specifically, I'm not processing card information, besides having access to the customer's name, which would be on my invoices anyway.

Technically I do have access to the last 4 digits + expiry + country of issue for the card, but that's because by virtue of Stripe you have access to that.

Emelia 👸🏻

@joe @hugh I wouldn't have thought grabbing transactions so I can create invoices which I can upload to my accounting software (SaaS) would be covered by PCI DSS, because then literally everyone would need to deal with PCI DSS when processing invoices for accounting purposes.

Joe Scharf

@thisismissem @hugh right so I think you choose questionnaire A.

Emelia 👸🏻

@joe @hugh yes, but even then it's asking for my company information, there is no company, I'm a freelance/independent. It's asking me for documentation that I keep everything secure, I don't have documentation but of course I try to, it's asking for facilities and corporate office and data centres. The data literally exists in memory on my laptop whilst I generate a pdf invoice, that's it

Emelia 👸🏻

@joe @hugh I don't host the payment pages, that's ko-fi. The only reason I use the API for transactions is because ko-fi refuses to generate pdf invoices per transaction

Emelia 👸🏻

@joe @hugh I've only processed 245 payments this year, so well below any threshold, surely?

Henryk Plötz

@thisismissem The PCI rules changed, starting April this year. It's all very bonkers. Now, even if you embed (iframe) an existing payment form, or even just *link* to it, you land in the category that needs an external scan by an authorized scanning vendor ($$$).
The only option that's exempt is if you don't even link/forward to the payment form, which presumably means that the link is in an email.

Our PSP looked at us and said "yeah, no, you're too small, we'll mark you as autocompliant".

Emelia 👸🏻

@henryk that's madness like I thought.

Scott M. Stolz

@Henryk Plötz That is insane. Simply linking to someone else's form should not trigger a PCI audit. In fact, the whole purpose of linking to someone else's form is so that THEY handle the payment processing and PCI compliance falls upon them.

cc: @Emelia

Emelia 👸🏻

@scott yeah, so I don't host any payments pages, yes, I process the sales invoices created during the payment process and some information related to transactions (customer name, address, line items) to generate invoices because Ko-fi doesn't.

Stripe is arguing that therefore I need PCI DSS compliance & auditing — I never seen card information besides the last 4 digits & expiration when in the stripe dashboard or accessing the stripe API from my laptop.

Scott M. Stolz

@Emelia

This is a bit overkill by them. At least they only want the self-assessment.

As I mentioned earlier, just answer the questions as if you are a one person company, and you should be fine. You are technical enough to know how to secure data, so you just have to tell them that... via the self-assessment. Pain in the you know what, but it is manageable.

Emelia 👸🏻

@scott maybe I'll take another look at the form once I've had surgery. What's worse is it's not even an editable PDF, so it's harder than it should be to fill out.

Timon 🛠

@thisismissem that seems very off yea, unless you have access to the whole credit card number too? Otherwise this should be fully Stripes responsibilty, like isn't that one of the many reasons why Stripe exists to begin with?! lol

Emelia 👸🏻

@timonsku yeah, I don't have the full credit card number