Helping a Non-Profit with their PCI-DSS process

477 Views | 6 Replies | Last: 1 yr ago by bqce
bqce
I'm in the Dallas area, and I've agreed to help this organization with their basic IT stuff. They do a fairly significant amount of credit card processing (~ $700k annually - not Dick's Sporting Goods significant, but enough to make me want to do it right ) and I'm trying to help them complete the Self-Assessment Questionnaire D and Attestation of Compliance. I think I also need someone to perform the penetration scans.

Is there a company in the area that does this sort of thing? I've researched this topic on The Nerdery and found posts going back to 2007. It's really interesting to see how things have evolved. So, that's my question to the magnificent TexAgs Nerdery.
86 Tex Ag
Are these donations or sales? If donations, why isn't that all taken care of by the donor database software system they use, such as DonorPerfect? There are a whole bunch of software products that have credit card processing for nonprofits. The nonprofit doesn't store a darn thing.
bqce
It's a non-profit, but the transactions are POS. I'm still digging into the guts of the operations, but I haven't been able to narrow down how all this stuff is processed. I'm supposed to meet with the GM and accountant this week to see what vendors are involved in the payment system and how they might help us with our certification. I appreciate your input.
86 Tex Ag
I have to think the POS system handles it too. For example, some nonprofits use Square for POS. As long as you use their system (the readers, hardware, software), Square is the merchant of record and handles this.

"Providing you use Square for all storage, processing, and transmission of your customers' card data, you don't need to take any steps to validate your PCI compliance to Square, and you don't need to pay any PCI-compliance fees."
satexas
bqce said:

… to see what vendors are involved in the payment system and how they might help us with our certification …

This is what has to happen first: fact finding. Until you really know exactly what you're dealing with, any advice here is pure speculation.

Need the facts first.

Processor, hardware, network layout, etc.
Rex Racer
Use a service like Touchnet, Cybersource, Authorize Dot Net, etc. Then you only have to do the PCI-SAQ. Let the service handle the credit card transaction completely. Do not store the card information on your servers.
bqce
We've got a meeting with our processor and they're going to help us with the certification. Thanks all for the input. Some of this seems intuitive, but with the previous admin here, it's sometimes muddled.