Fundraising/Annual PCI form

From Wikitech

Wikimedia is at the SAQ-A (Self-Assessment Questionnaire A) level of PCI compliance, meaning we collect all card donations via third-party processors and never let a full card number touch our servers. Many of the PCI rules are simply good security practices, such as not using shared accounts.

Each year we have to fill out a form and submit it to Worldline (formerly Ingenico) as well as keep it on file in case any of our payment processing partners request it. TODO: Which other processors require us to upload it every year?

The form is available in various formats via the Document Library section of pcisecuritystandards.org. In the UI as of February 2022, one selects SAQs in the 'Filter by' dropdown, and the third row in the results should be the SAQ-A. It can be downloaded in PDF or DOC format. The PDF is not a fillable form, so it's generally easier to use the DOC. For guidance when answering the questions, one can look to the previous year's SAQ-A, stored on the fileserver at fundraising/Tech/PCI. It's best to confirm datacenter locations and security policies with fr-tech-ops (currently Dallas Wisehaupt and Jeff Green), and to confirm the list of payment processing partners with the Payments team (currently Evelyn Martin and Pats Pena).

Once the document is complete, send it to the Advancement C-Level (currently Lisa Gruwell) and the Administrative Specialist who works with her (currently Leticia Navarro) for a signature. Upload the signed document to the aforementioned folder on the fileserver and send it to Worldline. As of 2022, Worldline has established its own site for merchants to submit PCI forms at globalcollect.worldline-pciportal.com. Back when the part of Worldline we work with was known as GlobalCollect and then Ingenico, they had us upload it to a service called SecureTrust maintained by Trustwave, so we may still receive emails from SecureTrust.