PCI compliance and security

   PCI compliance is only a requirement for credit card payments. Direct debit and other payment methods do not require PCI compliance.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment. The PCI DSS applies to credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB. A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC). Additional information can be found at https://www.pcisecuritystandards.org.

PCI compliance includes requirements for subjects ranging from IT security to operational processes. Every part of the chain - Salesforce, FinDock and your own organization - needs to comply with a subset of these requirements. What that means depends on the channel(s) used to handle cardholder details. For instance, a different self-assessment questionnaire (SAQ) is used for online payments and for MOTO payments. An overview of the SAQs is provided by the PCI Council.

Salesforce PCI compliance

Is Salesforce PCI compliant?

Yes, and by using Salesforce a lot of the relevant PCI requirements are covered. A full list of PCI documentation provided by Salesforce, including Attestations of Compliance per service and Network Vulnerability Assessments can be found here: https://compliance.salesforce.com/en/pci-dss (requires Salesforce login to download).

FinDock PCI compliance

Is FinDock PCI compliant?

Yes, FinDock is assessed by a PCI DSS QSA as a Level-1 Service Provider against PCI DSS 3.2.1.

The PCI SSC has defined two levels of service providers. The level of a service provider may be determined by its transaction volume or by its role in the payment landscape.

A service provider that undergoes an onsite assessment by a Qualified Security Assessor is deemed a Level-1 Service Provider.

The Attestation of Compliance can be requested using support@findock.com.

Does FinDock store, transmit or process cardholder data in Salesforce?

No, at no point in time does FinDock store, transmit or process cardholder data in any system, but the FinDock software can be used by customers to configure their own integration with a payment provider.

When the provided integration partners are used, all cardholder data is tokenized client-side. The resulting payment tokens may be stored in Salesforce and used to perform payment transactions.

Does cardholder data pass through FinDock owned systems?

No, for those functionalities where cardholder data is handled, FinDock is fully Salesforce native and part of your Salesforce org. You can see FinDock as an app installed in your environment.

Does FinDock cover requirement X or Y?

FinDock maintains a PCI Responsibility Matrix with the PCI requirements covered by FinDock. This matrix also includes some guidance on how requirements are covered and includes guidance on requirements covered by Salesforce. If you are working on your PCI compliance, the PCI Responsibility Matrix can be provided upon request to FinDock support.

Your organization’s PCI compliance

Salesforce and FinDock can only cover the requirements that concern the parts of your process they control. Certain requirements need to be covered exclusively by your organization, while others are a shared responsibility. For instance, you need to think about how you secure credit card numbers that are sent to you on paper before entering them in your system, and make sure the written forms are properly disposed of afterwards.

The requirements that need to be covered by your organization can be found in the PCI Responsibility Matrix.

Which compliance level and which SAQ are relevant for you depends on how you process card payments with FinDock. We strongly recommend working with a QSA to assess what you need.

Best practices and additional information

PCI glossary

Abbreviation  Term
AoC           Attestation of Compliance
MOTO          Mail Order Telephone Order
Partner       An entity involved in the integrated credit card payment process.
PCI DSS       Payment Card Industry Data Security Standard
QSA           Qualified Security Assessor

For more information, please see the PCI Security Standards site. Specifically, the Understanding SAQs for PCI DSS v3 Guide is very useful.

Please note: FinDock is PCI DSS Level-1 compliant as a service provider. We are not a Qualified Security Assessor (QSA). The above information comes without warranty. If you have questions about PCI compliance, we recommend contacting a QSA.