Thu, 10 Oct 2024 16:53:53 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
So Stripe wants me to complete PCI DSS for my Ko-fi account because apparently the transaction volume is sufficient to trigger their systems to require it?
I am very lost here.
25 comments
Thu, 10 Oct 2024 17:14:03 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
Invoices aren't covered by PCI DSS right? I'd find that hard to believe since literally everyone needs to process those for bookkeeping, accounting and taxation purposes.
Stripe's trying to argue that because I have access to the card holder name via Invoices, that I need PCI DSS compliance, which is just.. uh.. no? as far as I know?
Thu, 10 Oct 2024 17:14:23 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
Also, I'm not a company with multiple employees, I'm literally a freelancer.
Thu, 10 Oct 2024 18:03:14 -0500
Hugh
hugh@social.crablab.uk
@thisismissem
No? You're using their hosted forms and stuff, right? You're not directly processing the card data through your backend?
What exactly have they said? This sounds very odd.
Thu, 10 Oct 2024 18:07:42 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@hugh
I've told them all this, told them I only have access to what Stripe's API gives me and only to generate invoices from my laptop, but they still hold firm that I need PCI DSS compliance information submitted.
Thu, 10 Oct 2024 20:07:38 -0500
Joe Scharf
joe@m.joescharf.com
@thisismissem
@hugh
can’t you just do the self assessment questionnaire? Still odd tho.
https://east.pcisecuritystandards.org/pci_security/completing_self_assessment
Thu, 10 Oct 2024 20:20:31 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
that's what they want but literally nothing in there is relevant to me, from what I can tell?
Thu, 10 Oct 2024 20:25:57 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
specifically, I'm not processing card information, besides having access to the customer's name, which would be on my invoices anyway.
Technically I do have access to the last 4 digits + expiry + country of issue for the card, but that's because by virtue of Stripe you have access to that.
Thu, 10 Oct 2024 20:26:56 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
I wouldn't have thought grabbing transactions so I can create invoices which I can upload to my accounting software (SaaS) would be covered by PCI DSS, because then literally everyone would need to deal with PCI DSS when processing invoices for accounting purposes.
Thu, 10 Oct 2024 20:33:21 -0500
Joe Scharf
joe@m.joescharf.com
@thisismissem
@hugh
right so I think you choose questionnaire A.
Thu, 10 Oct 2024 20:44:42 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
yes, but even then it's asking for my company information; there is no company, I'm a freelancer/independent. It's asking me for documentation that I keep everything secure (I don't have documentation, but of course I try to), and it's asking for facilities, corporate offices and data centres. The data literally exists in memory on my laptop whilst I generate a PDF invoice, that's it.
Thu, 10 Oct 2024 20:46:05 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
I don't host the payment pages, that's ko-fi. The only reason I use the API for transactions is because ko-fi refuses to generate pdf invoices per transaction
Thu, 10 Oct 2024 20:47:24 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@joe
@hugh
I've only processed 245 payments this year, so well below any threshold, surely?
Thu, 10 Oct 2024 20:57:03 -0500
Joe Scharf
joe@m.joescharf.com
@thisismissem
@hugh
yeah, seems ridiculous for sure. As for the survey, maybe just a lot of N/A, and for no company just put freelancer. Sometimes it's just that the company wants to check the box, and when they get your survey responses that indicate that the whole thing is a silly exercise they might just move on with life. I personally haven't had to go through this process but I'm aware of it. I've had to deal with many other similar ones for other situations though.
Thu, 10 Oct 2024 21:25:35 -0500
last edited: Thu, 10 Oct 2024 21:30:50 -0500
Scott M. Stolz
scott@authorship.studio
@Emelia 👸🏻
With all of the security breaches lately, I can understand why they are concerned. And you literally agreed to be PCI compliant when you agreed to their terms.
As far as the company name goes, you can put your real name there, since you don't have a corporation or LLC. From a legal standpoint, you are a sole proprietorship. You are a business and you are the business.
When you fill out their questionnaire, answer as if you were a small company of one person, which is legally what you are.
Thu, 10 Oct 2024 21:37:28 -0500
Scott M. Stolz
scott@authorship.studio
@Emelia 👸🏻
The biggest thing with PCI compliance is your behavior regarding security.
Is your computer equipment password protected? Do you allow other people, especially third parties, to access your computer unsupervised? Do you share the invoice information with third parties? Are you using SSL when transmitting sensitive information? Are you avoiding unencrypted channels, like email, when transmitting sensitive information? Do you have anti-malware and anti-virus protection?
Et cetera.
If you are making sure the data is secure, then you are PCI compliant. You just have to communicate that to them in a way they understand.
Thu, 10 Oct 2024 22:08:50 -0500
Scott M. Stolz
scott@authorship.studio
@Emelia 👸🏻
For example, if they ask if all employees or users have a unique ID, the answer would be yes if your computer is password protected and you are the only one who knows the password.
So, any questions about employees, staff, or users apply to you. You have a staff of 1.
Fri, 11 Oct 2024 01:56:10 -0500
Henryk Plötz
henryk@chaos.social
@thisismissem
The PCI rules changed, starting April this year. It's all very bonkers. Now, even if you embed (iframe) an existing payment form, or even just *link* to it, you land in the category that needs an external scan by an authorized scanning vendor ($$$).
The only option that's exempt is if you don't even link/forward to the payment form, which presumably means that the link is in an email.
Our PSP looked at us and said "yeah, no, you're too small, we'll mark you as autocompliant".
Fri, 11 Oct 2024 05:23:58 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@henryk
that's madness like I thought.
Fri, 11 Oct 2024 07:30:36 -0500
Scott M. Stolz
scott@authorship.studio
@Henryk Plötz
That is insane. Simply linking to someone else's form should not trigger a PCI audit. In fact, the whole purpose of linking to someone else's form is so that THEY handle the payment processing and PCI compliance falls upon them.
cc: @Emelia 👸🏻
Fri, 11 Oct 2024 08:36:54 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@scott
yeah, so I don't host any payments pages, yes, I process the sales invoices created during the payment process and some information related to transactions (customer name, address, line items) to generate invoices because Ko-fi doesn't.
Stripe is arguing that therefore I need PCI DSS compliance & auditing. I've never seen card information besides the last 4 digits & expiration when in the Stripe dashboard or accessing the Stripe API from my laptop.
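The workflow Emelia describes (pulling a transaction from the Stripe API and keeping only name, address, line items and the last four digits for a PDF invoice) is the kind of scope-minimisation the self-assessment asks about. As an added illustration that is not part of this thread, the example below builds the invoice record from a constructed Stripe-style charge object, copies only the fields the invoice needs, and refuses to emit the record if a Luhn-valid full card number would slip through; the charge structure, field names and sample values are assumptions for the example, not Stripe's documented schema.

```python
import re

# Constructed Stripe-style charge object (not real data). It mirrors the fields
# discussed above plus a deliberately planted full PAN in metadata so the leak
# check below has something to catch. Field names are assumed for the example.
SAMPLE_CHARGE = {
    "id": "ch_example_0001", "amount": 1500, "currency": "eur",
    "description": "Ko-fi supporter payment",
    "billing_details": {"name": "A. Customer",
                        "address": {"line1": "1 Example St", "city": "Berlin", "country": "DE"}},
    "payment_method_details": {"card": {"brand": "visa", "last4": "4242",
                                        "exp_month": 12, "exp_year": 2026, "country": "DE"}},
    "metadata": {"note": "card 4242424242424242 (constructed leak)"},
}

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn check, so long IDs or timestamps are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pan_like(text):
    """Return Luhn-valid 13-19 digit runs in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def invoice_fields(charge):
    """Copy only what the invoice needs; metadata and everything else is dropped."""
    card = charge["payment_method_details"]["card"]
    bd = charge["billing_details"]
    invoice = {
        "charge_id": charge["id"], "customer_name": bd["name"],
        "address": dict(bd["address"]), "amount": charge["amount"],
        "currency": charge["currency"], "line_items": [charge["description"]],
        "card": f"{card['brand']} ending {card['last4']}, exp {card['exp_month']:02d}/{card['exp_year']}",
    }
    if find_pan_like(str(invoice)):  # belt and braces: never write a PAN to the invoice
        raise ValueError("full card number would reach the invoice")
    return invoice
```

The same `find_pan_like` scan can be run over the generated PDF text or the export sent to the accounting SaaS, which is the evidence a self-assessment answer about not storing full card numbers can point to.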
Fri, 11 Oct 2024 08:50:38 -0500
Scott M. Stolz
scott@authorship.studio
@Emelia 👸🏻
This is a bit overkill by them. At least they only want the self-assessment.
As I mentioned earlier, just answer the questions as if you are a one person company, and you should be fine. You are technical enough to know how to secure data, so you just have to tell them that... via the self-assessment. Pain in the you know what, but it is manageable.
Fri, 11 Oct 2024 09:05:52 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@scott
maybe I'll take another look at the form once I've had surgery. What's worse is it's not even an editable PDF, so it's harder than it should be to fill out.
Fri, 11 Oct 2024 10:03:46 -0500
Scott M. Stolz
scott@authorship.studio
@Emelia 👸🏻
Take care of yourself and don't stress about it too much. Your health comes first.
Fri, 11 Oct 2024 10:33:25 -0500
Timon 🛠
timonsku@mastodon.social
@thisismissem
that seems very off yea, unless you have access to the whole credit card number too? Otherwise this should be fully Stripe's responsibility, like isn't that one of the many reasons why Stripe exists to begin with?! lol
Fri, 11 Oct 2024 11:36:47 -0500
Emelia 👸🏻
thisismissem@hachyderm.io
@timonsku
yeah, I don't have the full credit card number