This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

get PCI certified by Balanced #3379

Closed
chadwhitacre opened this issue May 1, 2015 · 19 comments

Comments

@chadwhitacre (Contributor)

Balanced is requiring this in order to hand over bank accounts and identity info: #3377 (comment).

@chadwhitacre chadwhitacre added this to the Balanced shutdown milestone May 1, 2015
@chadwhitacre (Contributor, Author)

Where do I start?

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements only from your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

@chadwhitacre (Contributor, Author)

The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands.

@chadwhitacre (Contributor, Author)

The fine for non-compliance starts at 50,000 USD per service provider (assessed to the registering Visa member).

@chadwhitacre (Contributor, Author)

  • Annual PCI Self-Assessment Questionnaire (Service Provider)
  • Quarterly Network Scan (Approved Scanning Vendor)

@chadwhitacre (Contributor, Author)

Validation procedures and documentation

PCI DSS compliance validation is required every 12 months for all Level 1 and Level 2 service providers. [...] Level 2 Service Providers must submit a signed SAQ-D[.] All materials must be sent to [email protected].

@chadwhitacre (Contributor, Author)

There are multiple versions of the PCI DSS SAQ to meet various business scenarios. A chart to help you determine which SAQ best applies to you and how to complete the SAQ is linked below, and is also included in the Instructions and Guidelines Document.

https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

@chadwhitacre (Contributor, Author)

The PCI DSS SAQ consists of two components: a set of questions corresponding to the PCI DSS requirements, which are appropriate to service providers and merchants, and an Attestation of Compliance. The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment.

@chadwhitacre (Contributor, Author)

Actually, there's no such thing as PCI certification. The PCI SSC establishes guidelines, but it's up to companies-that-care to implement concrete compliance programs. In this case the company that cares is Balanced, and it looks like I'm using #3377 to record my conversation with them about the specifics of their compliance program.

@chadwhitacre chadwhitacre changed the title from "get PCI certified" to "get PCI certified by Balanced" May 1, 2015
@chadwhitacre chadwhitacre reopened this May 1, 2015
@chadwhitacre (Contributor, Author)

Actually, we still may as well use this issue to track our compliance process with Balanced.

@chadwhitacre (Contributor, Author)

Picking up from #3377 (comment):

From: Balanced

Let me speak with our in-house counsel to see what the precedent is for us here, and I'll get back to you.

@chadwhitacre (Contributor, Author)

To: Balanced

Thanks. Let me know if we need to drop to phone ...

@chadwhitacre (Contributor, Author)

"Navigating PCI DSS: Understanding the Intent of the Requirements"
https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf

@chadwhitacre (Contributor, Author)

To: Balanced

I reviewed the SAQ Instructions and Guidelines document, and it looks like SAQ-D is indeed the most appropriate SAQ variant for our situation. Any update on whether Balanced will be able to accept a SAQ-D AOC along with a qualified network scan as validation of Gratipay's PCI DSS compliance for purposes of transferring bank account and identity information?

@chadwhitacre (Contributor, Author)

From: Balanced (different person, compliance?)

Unfortunately, no, we won't unless you get audited and certified. That said, I would suggest using Spreedly.

To: Balanced

Sorry to pester ... was it clear that we were asking for bank accounts and not credit cards? I only ask because you suggested Spreedly and they don't really deal with bank accounts. We're not asking for credit cards, we're asking for bank accounts.

@chadwhitacre (Contributor, Author)

From: Balanced

Sorry, misread that. Can you tell us who your provider is? Ideally we'd just provide the info over to them.

Otherwise we can schedule a call with you next week.

To: Balanced

Our bank is Citizens and we're in the process of setting up an ACH account with them so we can upload NACHA files directly (we're planning to use Braintree for credit cards but weren't able to make it work with them for ACH).

Do either of these times work for you next week?

Monday, May 11 at 10:00 AM US/Pacific
Wednesday, May 13 at 10:00 AM US/Pacific

@chadwhitacre (Contributor, Author)

This is no longer necessary, as we're not trying to run ACH ourselves anymore, having been rejected by Citizens (#3366).
