When donors give through your website, they trust your organization with their private financial data. Maintaining PCI Compliance is a critical part of your ministry’s stewardship, ensuring that every gift remains secure and that your church is protected from liability.
This guide outlines the mandatory PCI requirements for any organization using the Rock transaction entry block.
Step 1: Determine Your Compliance Level
Your specific requirements are based on how you process payments. Please identify which path applies to your environment:
Path A: Online Only (SAQ A)
Path A applies to your organization if you strictly use the Rock block on your website. No staff or volunteers manually enter card numbers into a computer or terminal for phone or in-person gifts.
Path B: Online + Manual Entry (SAQ D)
Path B applies if your organization accepts "MOTO" payments (Mail Order/Telephone Order), where a staff member manually types card information into a Rock entry block.
Step 2: Annual Requirement (The SAQ)
Every 12 months, you must complete a Self-Assessment Questionnaire (SAQ) to certify your security practices.
Frequency: Every 12 months.
The Document: You are only required to submit the Attestation of Compliance (AOC)—this is the final "signature page" of your questionnaire.
Submission: Please email your signed AOC to merchantops@subsplash.com.
Step 3: Quarterly Requirement (Security Scans)
Because the Rock block is hosted on your organization's website, the PCI Council requires a "digital health check" every three months. This is known as an ASV Scan.
What it is: An automated external scan by an Approved Scanning Vendor (ASV) that identifies potential vulnerabilities on your website.
Frequency: Once every 90 days.
Record Keeping: You do not need to submit these reports to us, but you must retain them in your records for compliance auditing purposes.
Recommended Vendors: We recommend using Qualys, Sectigo (HackerGuardian), or Tenable.io for these scans.
Disclaimer: These vendor recommendations are provided for informational purposes only. Clients are responsible for performing their own due diligence to select the ASV and payment page security vendor that best fits their specific environment, budget, and compliance needs.
Step 4: Website Script Protection
To qualify for the simplified SAQ A, you must ensure that the "scripts" (background code) on your giving page are protected against unauthorized changes or "digital skimming."
Requirement: You must confirm that your payment page is not susceptible to script-based attacks.
How to Comply: This is typically achieved by using a monitoring tool (such as SecurityMetrics, Akamai, or Feroot) or by verifying that your implementation provides the necessary technical isolation.
Action Summary
| Requirement | Frequency | Submit to Subsplash? |
| --- | --- | --- |
| Complete Annual Questionnaire (SAQ) | Annually | YES (The AOC page) |
| Run Website Security Scan (ASV) | Quarterly | NO (Must be maintained by client) |
| Verify Script Protection | Continuous | NO (Must be maintained by client) |
Questions? Our Merchant Operations team is here to support your organization’s security. Please reach out to merchantops@subsplash.com for assistance.
