REQU-06

Is the solution designed to process, store, or transmit credit card information?

Explanation

This question is asking whether your software solution or service handles credit card information in any way, whether processing payments, storing card details, or transmitting this data to other systems. This falls under Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.

Why it's being asked:

1. Credit card data is highly sensitive and valuable to attackers.
2. Organizations handling card data must comply with PCI DSS requirements.
3. The assessment needs to determine whether additional PCI-specific security controls need evaluation.
4. Breaches involving payment card data can result in significant financial penalties and reputational damage.

The question specifically covers both direct handling (your system processes cards directly) and indirect handling (you use a third-party payment processor but still have some interaction with card data).

How to best answer:

- Be completely honest about any card data your system touches.
- Consider the entire flow of payment information in your application.
- If you use a third-party processor but card data passes through your systems (even momentarily), answer 'Yes'.
- If you use a fully outsourced solution where card data never touches your servers (such as redirecting to PayPal), explain this in your answer.
- If you store any card data (even partially, such as the last 4 digits), mention this specifically.

Guidance

Answer yes if your solution handles PCI (credit card) information, either directly or via a third party.

Example Responses

Example Response 1

Yes. Our e-commerce platform processes and transmits credit card information. We use a PCI-compliant payment gateway (Stripe) for the actual payment processing, but customers enter their credit card details on our website forms before the data is securely transmitted to Stripe. We do not store complete credit card numbers on our servers, but we do store the last four digits and card type for receipt and customer service purposes. Our systems undergo annual PCI DSS compliance assessments and we maintain SAQ D compliance.

Example Response 2

No. Our solution does not process, store, or transmit credit card information. For payment functionality, we implement a complete redirect to our payment processor (PayPal), where all credit card information is entered directly on their systems. At no point does credit card data pass through our servers or applications. We receive only transaction confirmation tokens from PayPal after successful payments, which contain no cardholder data.

Example Response 3

No, but with qualifications. While our primary SaaS application does not process credit card data, we do offer an optional payment module that customers can enable. When enabled, this module integrates with Authorize.net using their hosted payment page solution. We recognize this doesn't fully meet the requirement since we're still part of the payment flow, even though card data doesn't directly touch our servers. We're currently working toward PCI compliance and expect to complete SAQ A-EP certification within the next quarter.

Context

Tab: Privacy
Category: Required Questions

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub