PCI DSS compliance is required of any organization that accepts payment cards, because the standard exists to protect cardholder data.
One Church Software is a PCI DSS compliant service provider, meeting the security requirements set by the PCI Security Standards Council for the payment card industry. That matters because the provider, not the church, handles donors’ card details, and the controls it maintains are what keep that personal and financial information from being exposed in a breach.
For organizations that use One Church Software for payment processing, demonstrating PCI compliance means completing Self-Assessment Questionnaire A (SAQ A), the shortest of the questionnaires.
SAQ A is reserved for merchants that do not store, process or transmit cardholder data on their own systems and that outsource all payment functions to a PCI DSS compliant service provider such as One Church Software; completing it confirms that this is the case for you.
Crucially, churches should never collect card details from donors directly, whether on their own web forms or by hand on paper. Every card donation should go through the secure online system within One Church Software, so that card numbers never pass through the church’s systems or paperwork. That keeps the church’s exposure, and its donors’ risk, as low as it can be.
The SAQ A is a series of short questions, each answered by stating whether the requirement is in place. They double as a learning tool: working through them shows the church what secure payment handling looks like in practice. Answering each one carefully, rather than ticking boxes, helps the church understand which responsibilities remain its own even when payment processing is outsourced.
If you use One Church Software exclusively for payment processing and follow the guidance above (no manual card collection), completing the SAQ A should be straightforward.
One requirement does involve technical work. Under PCI DSS v4.0, Requirement 11.3.2 now appears in SAQ A: any merchant completing SAQ A whose website redirects donors to, or embeds (for example in an iFrame), a payment page hosted by its provider must have external vulnerability scans performed at least once every three months by a PCI SSC Approved Scanning Vendor (ASV). The scans cover the Internet-facing systems that host your website and any page elements that display or interface with the payment page. Vulnerabilities the ASV reports must be fixed and a rescan run until a passing scan is achieved.
ASV scanning is therefore no longer optional for SAQ A merchants under v4.0. A redirect or iFrame only protects the card data on its way to the provider; the church’s own web server still serves the page donors land on, and a compromised server can be used to alter that page and skim card details. The quarterly scans check that those exposed systems are free of known exploitable weaknesses.
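A practical check before booking the scan is to work out which hosts your donation page actually involves. The script below is an added example written for this article, not One Church Software’s code or tooling: it parses the HTML of a donation page and separates the church’s own Internet-facing hosts, which are what you hand to the ASV, from hosts on other domains, which should belong to the payment provider and are covered by its own compliance. The page URL, domain names and HTML are constructed for illustration.

```python
"""
Scope helper for the SAQ A quarterly ASV scan: list the hosts that a donation
page references so the church knows which of its own systems to give the ASV
and which hosts belong to the payment provider.

Added example, not One Church Software's code. All hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that can embed a payment element in the page, submit data
# somewhere, or send the donor to a hosted payment page.
_REFERENCING_ATTRS = {
    "iframe": "src",    # embedded payment form
    "form": "action",   # where a form submits
    "script": "src",    # scripts that run on the page around the payment form
    "a": "href",        # "Give online" redirect links
}


class _ReferenceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every referencing tag in the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = _REFERENCING_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative URLs resolve against the donation page itself.
            self.refs.append((tag, urljoin(self.base_url, value)))


def _is_merchant_host(host, merchant_domains):
    """True when host is one of the church's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in merchant_domains)


def scan_scope(page_url, html, merchant_domains):
    """
    Split every host referenced from the donation page into:
      "merchant"     - the church's own Internet-facing hosts (give to the ASV)
      "third_party"  - hosts on other domains (confirm they are the provider's)
    Each host maps to the list of tags that referenced it, in page order.
    """
    collector = _ReferenceCollector(page_url)
    collector.feed(html)
    scope = {"merchant": {}, "third_party": {}}
    # The host serving the page is always in scope, even with no references.
    scope["merchant"][urlsplit(page_url).hostname] = ["page"]
    for tag, url in collector.refs:
        host = urlsplit(url).hostname
        if not host:            # mailto:, tel:, javascript: and the like
            continue
        bucket = "merchant" if _is_merchant_host(host, merchant_domains) else "third_party"
        scope[bucket].setdefault(host, []).append(tag)
    return scope


# Constructed sample: a church donation page that embeds the provider's form
# in an iFrame and also offers a redirect link to the hosted giving page.
PAGE_URL = "https://www.gracechurch.example/give"
MERCHANT_DOMAINS = ["gracechurch.example"]
SAMPLE_HTML = """
<html><body>
  <script src="https://cdn.provider.example/embed.js"></script>
  <iframe src="https://give.provider.example/embed/123"></iframe>
  <form action="/contact" method="post"><input name="msg"></form>
  <a href="https://www.gracechurch.example/about">About</a>
  <a href="https://give.provider.example/church/123">Give online</a>
  <a href="mailto:office@gracechurch.example">Email us</a>
</body></html>
"""

if __name__ == "__main__":
    scope = scan_scope(PAGE_URL, SAMPLE_HTML, MERCHANT_DOMAINS)
    print("Hosts to give the ASV:")
    for host, tags in scope["merchant"].items():
        print(f"  {host}  ({', '.join(tags)})")
    print("Third-party hosts to confirm with the provider:")
    for host, tags in scope["third_party"].items():
        print(f"  {host}  ({', '.join(tags)})")
```

Run it against the HTML of your live donation page (saved from the browser) rather than the sample. The result is a starting point for the conversation with the ASV, which will confirm the final scope with you; it is also a quick way to notice an unexpected third-party host on the page. One caveat: a static parse only sees elements present in the served HTML, so an iFrame or script that another script injects at run time will not appear, which is a further reason to check the live page in the browser as well.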
For more information on PCI compliance and to ensure your organization is following the correct procedures, you can visit the What’s New with Self-Assessment Questionnaires article or this resource from VikingCloud.