cityofaustin / atd-data-tech

Austin Transportation Data & Technology Services

Get more information about Knack's PCI compliance #3919

Closed johnclary closed 3 years ago

johnclary commented 4 years ago

Opened a support ticket today:

1. Does Knack still use stripe.js v2? I received an email some time ago about e-commerce upgrades to Stripe Elements.
2. Do y'all maintain any PCI compliance, such as an SAQ A-EP assessment? Are you able to share that with us?
3. I'm reviewing the SAQ A-EP assessment, which I believe is the correct survey for my org to complete when using Knack e-commerce, and there are a number of questions related to application infrastructure that we cannot answer without Knack's input. e.g., "Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?"

Link to the SAQ A-EP: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-SAQ-A_EP.pdf?agreement=true&time=1599587299073

Thanks for your help!

johnclary commented 4 years ago

@moorerst FYI

johnclary commented 4 years ago

from knack:

Thanks for reaching out, and great questions. We are currently using stripe.js v2, yes. Knack itself is not PCI compliant, though that's on our roadmap! In terms of ecommerce, customers using Stripe can attest to PCI compliance by filling out this form and uploading it to your Stripe compliance dashboard. I'm going to check with our team and see if we can get a set of responses for that assessment! For the time being, feel free to take a look at our Security Information page.

and my response:

Thanks, Alex. There are questions in the SAQ A-EP which we cannot answer, nor are they answered by your security page. For example, "Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?" Although AWS covers a lot of bases, this and other questions are design/implementation questions to be addressed at the discretion of your systems engineers. I'm curious how other Knack users complete the compliance form without being able to attest to these.

johnclary commented 4 years ago

Matt and Tarek,

I'm still waiting to hear back from Stripe about receiving official documentation about their PCI compliance. They are listed as PCI DSS compliant on Visa's provider listing.

Regarding Knack—they have confirmed that they do not maintain their own PCI compliance, however they can attest to the applicable questions on the SAQ A-EP. What are your thoughts on this? Can we submit a joint SAQ A-EP with Knack?

Thanks for your help. John

moorerst commented 3 years ago

Tarek, Emily, and I discussed the next steps for this. Here is what we’re thinking:

1) Go ahead and have Knack come up with responses for an SAQ. We’re thinking they likely have some prepared answers.

2) We reviewed their “Payment View” screenshots on their website. However, we’d like to see a demo page prepared for ATD. We want to be able to see the source code. It looks like you at ATD can’t make changes to the Payment View, but we need confirmation of that. We also want to know how they lock the page down from misdirects.

Let me know if this doesn’t make sense.

moorerst commented 3 years ago

I need to follow up on this

johnclary commented 3 years ago

We're pursuing citybase for Knack payments. And a vendor solution for RPP.