EleoPay: PCI Walkthrough Guide
Purpose
This document provides a guide for EleoPay clients working on their PCI DSS Validation with a focus on PCI Toolkit account creation and business profile.
PCI Toolkit Link HERE
Have questions on the PCI process? Email support@pcitoolkit.com
Logging in for the First Time
Clients will receive an automated email from do_not_reply@conformancetech.com, sent to the address used to create the account, with login instructions for the PCI Toolkit. On first access you will be asked to create a new password; your email address is the username. If you have not logged in within the past 90 days, you will be prompted to reset your password before you can regain access.
Once logged in, you will see your PCI Toolkit Dashboard page with information on next steps and a link to an informational video.
WHAT IS THE BUSINESS PROFILE?
You will need to complete your business profile by answering questions about how you accept payments. The responses on this pre-assessment will determine the SAQ (Self-Assessment Questionnaire) for your organization and will usually take between 5-10 minutes to complete.
THE BUSINESS PROFILE SECTION
1. To get started click on your organization name under “Business Name”.
2. Scroll to the bottom of the page and make the appropriate selections. For Business type, choose “Other” and type Charitable and Social Service Organization. Select E-Commerce / Online for the remaining two. Click Submit.
3. Return to your Dashboard. Select Next under “Step 1 Information.”
4. You most likely accept donations online. Select I have a website that I sell goods or services and/or accept payments on.
5. You most likely use a website host such as WordPress, Squarespace or Wix, where the hosting provider runs and maintains the web server for you. Select the second response to the question, “How is your website hosted and managed?”
6. Eleo’s donation forms redirect the donor to Eleo’s PCI compliant payment page, so the donor submits the donation securely through the EleoOnline platform and card data is entered there, not on your site. Select the second response to the question, “How is credit card data entered by your customers?”
7. Select No for the question, “Do you store credit card data electronically?” This question asks whether you store full card data on your own systems. EleoPay handles all sensitive card information and encrypts it, so full card details never reach your systems and are not accessible to you.
8. Select No for the question, “Do you process Credit Card transactions on behalf of other merchants (businesses)?” Under no circumstances are users permitted to use the EleoPay payment pages to collect payment for other businesses.
9. Do you use payment applications such as Point of Sale software or website software to process Credit Card transactions? Examples are Google Pay, Venmo, Cash App, Zelle or other E-Commerce solutions. If you will be using EleoPay, you will select “no” here.
10. Select No for the question, “Does your company share cardholder data with any third-party service providers?” This would be a provider other than your payment processor (EleoPay) that would receive your donor’s full card data.
11. Do you have different departments that are separated along your network infrastructure? If an IT team has not built a separate network for a payments environment, or you have only one network, then your network is NOT segmented, which is the most common scenario. Select No.
12. Your results should state that you have been assigned SAQ A. Select Submit.
Completing Self-Assessment Questionnaire (SAQ)
Once Step 1 is completed, you will be taken to your dashboard, where you can complete your self-assessment questionnaire (SAQ) as well as any other tasks assigned to you based on your profile answers. Please note that most non-profits should fall under SAQ A. If you did not get this result, or made a mistake, you can re-initiate the profile process.
More information regarding SAQ types can be found on this PCI Security Standards Council document: Self-Assessment Questionnaire Instructions and Guidelines. Click here for a list of the SAQ types and differences.
1. Click on Next to begin your Questionnaire.
2. This question addresses whether default passwords on your Eleo account have been updated and whether unused default accounts are removed or disabled. Ensuring these steps are taken helps mitigate security risks associated with leaving Eleo accounts active with easily guessable passwords. You should select Yes.
3. Eleo does not store cardholder data. Select Yes.
4. Similar to the previous question: Eleo does not store cardholder data. Select Yes.
5. This question asks whether you have a documented process for identifying and handling vulnerabilities. For the Eleo-hosted payment page this process is managed by Eleo; you remain responsible for keeping your own website, its plugins and its hosting platform up to date. Select Yes.
6. Similar to the previous one, this question addresses taking the necessary steps to fix identified vulnerabilities, which Eleo manages for the payment page. Select Yes.
7. This question asks whether there is a well-organized, secure process for inventorying, authorizing and reviewing the scripts that run on payment pages. As Eleo hosts the donation page, select Yes. If you embed forms on a page you host yourself, the scripts on that page are yours to manage under this item.
8. With Eleo, every user has their own log-in credentials, and you do not share logins with colleagues. Additionally, neither you nor Eleo retain any cardholder data. Select Yes.
9. Each Eleo user has their own log-in credentials. You are also acknowledging that you do not share Eleo system credentials within the organization. Select Yes.
10. Eleo allows you to deactivate or delete users who are no longer a part of your organization. This question is asking if your organization ensures that terminated users immediately lose all access to systems, data, and physical resources. Select Yes.
11. Your Eleo account is password protected. Select Yes.
12. When you receive your welcome email for Eleo, it prompts you to create a new password. Select Yes.
13. Eleo requires passwords to be 8-20 characters, and must include at least 1 letter, 1 number and 1 special character. Select Yes.
14. Eleo does not restrict you from using a previously used password. Select No.
15. Eleo does not require you to change your password every 90 days. Select No.
16–21. Neither your organization nor Eleo retains any cardholder data. Select Yes for each of these six questions.
22. PCI DSS v4.0 requires SAQ A merchants with a website to have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). If you have never done this previously, you will be doing so moving forward (see the scanning section below). Select Yes.
23. This question lists measures that help maintain security and ensure that any significant changes to your technical environment do not introduce new vulnerabilities or weaken your overall security posture. Since you will be scheduling scans, and correcting any vulnerabilities that are detected, select Yes.
24. If you use the Eleo donation page web form (donors are redirected to Eleo to enter card data), select Yes, as Eleo is responsible for these controls on that page. If you embed web forms in a donation page you host yourself (meaning you do not redirect to Eleo for card entry), the question applies to your site: do you have a change- and tamper-detection mechanism on your website that:
- alerts personnel to unauthorized modifications (including indicators of compromise) to the HTTP headers and the content of the payment page as received by the donor’s browser?
- evaluates the received HTTP headers and payment page?
- performs these functions at least once every seven days, or at the frequency defined by your targeted risk analysis?
Note: A Content Security Policy (CSP) with violation reporting controls which scripts may load and is a common building block here, but on its own it does not detect changes to the page or its headers; pair it with a periodic integrity check that compares the delivered headers and page against a known-good baseline.
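As an added example (not Eleo’s or PCI Toolkit’s code), the following Python script shows the kind of periodic check the three bullets describe for a self-hosted donation page: it reduces a response to its security-relevant headers and script tags, compares that with a stored baseline, and returns one alert per difference. The header names, URLs and HTML are constructed for the example; in practice the “received” side would come from a real HTTP fetch scheduled at least weekly, and external script contents would be fetched and hashed as well.

```python
"""Payment-page tamper check: compare what a donor's browser would receive
with a known-good baseline. Added example, not code from Eleo or PCI Toolkit.
All headers, URLs and HTML below are constructed for the example."""
import hashlib
import re
from typing import Dict, List, Mapping

# Assumption: the response headers worth watching on a payment page.
MONITORED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "content-type",
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def snapshot(headers: Mapping[str, str], html: str) -> Dict[str, Dict[str, str]]:
    """Reduce a response to the parts that are compared for tampering."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()
            if k.lower() in MONITORED_HEADERS}
    scripts: Dict[str, str] = {}
    inline_count = 0
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            # External script: a new or changed URL is an alert on its own.
            # Its contents should be fetched and hashed too, or pinned with
            # Subresource Integrity; omitted here to keep the example offline.
            scripts[src.group(1)] = "external"
        else:
            scripts[f"inline#{inline_count}"] = sha256(body.strip())
            inline_count += 1
    return {"headers": hdrs, "scripts": scripts, "page": {"sha256": sha256(html)}}


def diff_snapshots(baseline: Dict, received: Dict) -> List[str]:
    """Return one human-readable alert per monitored item that differs."""
    alerts: List[str] = []
    for section in ("headers", "scripts"):
        old, new = baseline[section], received[section]
        for key in sorted(set(old) | set(new)):
            if key not in new:
                alerts.append(f"{section}: '{key}' missing from received response")
            elif key not in old:
                alerts.append(f"{section}: unexpected '{key}' in received response")
            elif old[key] != new[key]:
                alerts.append(f"{section}: '{key}' changed")
    if not alerts and baseline["page"] != received["page"]:
        # Markup moved outside the monitored parts. Dynamic content (dates,
        # nonces) also trips this, so normalize such fields before hashing.
        alerts.append("page: markup changed outside monitored headers/scripts")
    return alerts


def run_check(baseline_headers, baseline_html, received_headers, received_html) -> List[str]:
    return diff_snapshots(snapshot(baseline_headers, baseline_html),
                          snapshot(received_headers, received_html))


# Constructed baseline: what the page looked like when it was approved.
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.example-payments.test",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",   # not monitored; varies per response
}
BASELINE_HTML = """<html><head>
<script src="https://js.example-payments.test/form.js"></script>
</head><body>
<form id="donate"><input name="amount"></form>
<script>initDonateForm('donate');</script>
</body></html>"""

# Constructed tampered response: CSP loosened and a foreign script injected.
TAMPERED_HEADERS = {
    **BASELINE_HEADERS,
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://js.example-payments.test",
    "Date": "Mon, 08 Jan 2024 00:00:00 GMT",
}
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.attacker-example.test/s.js"></script>\n</body>')

if __name__ == "__main__":
    for line in run_check(BASELINE_HEADERS, BASELINE_HTML, TAMPERED_HEADERS, TAMPERED_HTML):
        print("ALERT:", line)
```

Run it on a schedule (weekly at most, per the bullet above) against a baseline you save after approving the page, and treat any non-empty result as an incident to investigate. The baseline must be re-saved after every approved change, otherwise legitimate deployments will alert too.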
25. As it pertains to payments, your relevant third-party service providers are Eleo and your web hosting provider. Select Yes.
26. Cardholder data is protected by both Eleo and Stax, the payments partner behind EleoPay, and our agreement with you meets the requirements listed in this item. Select Yes.
27. This question is asking if your organization has a structured, well-defined process for engaging third-party service providers (TPSPs) with a strong focus on conducting due diligence before any agreements are made. If you feel that you and your organization properly conduct due diligence when selecting your third-party service providers, select Yes.
28. Both Eleo and our payments partner, Stax, maintain a PCI DSS compliant status at all times. Your organization may request our Attestation of Compliance at any time to validate our compliance status. Select Yes.
29. This question is asking whether your organization maintains clear and up-to-date information about the division of responsibilities for PCI compliance between your organization and your third-party service providers (TPSPs). This is to ensure each party is doing their respective roles in maintaining PCI compliance. Select Yes.
30. Select Yes.
31. Click Submit.
Completing Your Scan (Required Quarterly)
After finishing your SAQ, PCI Toolkit will require a scan to be completed for Step 3 of the PCI compliance process. Because you use Eleo web forms, follow the steps below to use Eleo’s scan.
1. Select Next under the column “Step 3 Scanning”.
2. You will arrive at “Submit IP/Domain Information” screen. Choose the second option, “Choose your own scanning vendor.” Select Clone Systems, Inc. from the drop-down menu of scanning vendors, and then input 2/7 for the date. Lastly, click on Submit.