Attention RockRMS gurus,
I was asked a question today that I couldn’t answer so I thought I would throw things to the brain trust. I spent some time on the Rock website and couldn’t find the answer.
When a church hosts their own server, what are the requirements for PCI Compliance? I figured that if they were hosting it externally, the provider handles that, but what about the case for hosted servers, etc.? Is the responsibility for PCI Compliance on the church or some other entity?
Thanks in advance.
When self-hosting, the compliance is on the church. How difficult that compliance is depends on what mechanism in Rock you’re using to take donations. Example: The NMI gateway has far less stringent compliance than, say, the Payflow Pro gateway, because NMI does a special redirect trick where the CC info never TOUCHES the Rock web server, but with Payflow Pro it does (even though it is not saved, it is processed through the web server, mandating a higher level of compliance). Also, external giving options in Rock like PushPay, etc. are responsible for PCI at their servers, as again the credit data never touches Rock and is processed somewhere else.
Unfortunately when you use one of those external services, you will still likely need a Rock gateway to handle credit processing for event registrations, as these external services handle contributions-only, not events. So if you’re starting out from step one, NMI gateway is by far your best gateway in Rock from a PCI compliance perspective.
I’m trying to figure out if there are other follow-up questions on this. Thanks for the feedback though. It definitely helps.