Is the solution designed to process, store, or transmit credit card information?
Explanation
At issue is whether the solution is designed to process, store, or transmit credit card information in any way. This falls under Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.
Why it's being asked:
- Credit card data is highly sensitive and valuable to attackers
- Organizations handling card data must comply with PCI DSS requirements
- The assessment needs to determine if additional PCI-specific security controls need evaluation
- Breaches involving payment card data can result in significant financial penalties and reputational damage
The question specifically mentions both direct handling (your system processes cards directly) and indirect handling (you use a third-party payment processor but still have some interaction with card data).
How to best answer:
- Be completely honest about any card data your system touches
- Consider the entire flow of payment information in your application
- If you use a third-party processor but card data passes through your systems (even momentarily), answer 'Yes'
- If you use a fully outsourced solution where card data never touches your servers (like redirecting to PayPal), explain this in your answer
- If you store any card data (even partially, like last 4 digits), mention this specifically
Guidance
Answer yes if your solution handles PCI (credit card) information, either directly or via a third party.
Example Responses
Example Response 1
Yes Our e-commerce platform processes and transmits credit card information We use a PCI-compliant payment gateway (Stripe) for the actual payment processing, but customers enter their credit card details on our website forms before the data is securely transmitted to Stripe We do not store complete credit card numbers on our servers, but we do store the last four digits and card type for receipt and customer service purposes Our systems undergo annual PCI DSS compliance assessments and we maintain SAQ D compliance.
Example Response 2
No Our solution does not process, store, or transmit credit card information For payment functionality, we implement a complete redirect to our payment processor (PayPal), where all credit card information is entered directly on their systems At no point does credit card data pass through our servers or applications We receive only transaction confirmation tokens from PayPal after successful payments, which contain no cardholder data.
Example Response 3
No, but with qualifications While our primary SaaS application does not process credit card data, we do offer an optional payment module that customers can enable When enabled, this module integrates with Authorize.net using their hosted payment page solution We recognize this doesn't fully meet the requirement since we're still part of the payment flow, even though card data doesn't directly touch our servers We're currently working toward PCI compliance and expect to complete SAQ A-EP certification within the next quarter.
Context
- Tab
- Privacy
- Category
- Required Questions
Related questions
- Does your solution have AI features, or are there plans to implement AI features in the next 12 months?
- Does your solution process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act (HIPAA)?
- Does your solution have access to personal or institutional data?

