The important parts for our clients to know about:
- The services that actually touch the credit card information are the services that need to be compliant. When we embed your donation forms from EveryAction, then EveryAction is that service and they're the ones that need to be PCI compliant.
- Similar to PayPal buttons, the credit card info is actually submitted separately to PayPal (through the button) or EveryAction (through the embed). That means those services are the ones that receive/touch the credit card data and need to be compliant -- not the site using it.
- PCI Compliance is VERY difficult to achieve, which is why it is best left to Big Payment Processors with Security Teams and Lawyers. None of the services we use actually collect, process, or store any credit card information directly.
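A quick way to confirm the point above on your own pages is to check where each form that contains card fields actually submits. The following is an added example, not code from this page, EveryAction, PayPal or any other vendor: it parses a donation page's HTML and reports any form with card-number or CVV fields whose action points back at your own site (in scope for you), versus forms posting directly to a processor host or hosted iframe embeds (the processor's scope). The hostnames and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the origin of the site hosting the donation page.
SITE_ORIGIN = "https://www.example-nonprofit.test"

# Substrings that suggest an input collects card data (name or autocomplete attribute).
CARD_FIELD_HINTS = ("cardnumber", "card-number", "card_number", "cc-number",
                    "ccnum", "cvv", "cvc", "cc-exp", "expiry")


class DonationFormAuditor(HTMLParser):
    """Collect every <form> with its action and any card-looking inputs, plus <iframe> sources."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.iframes = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            candidates = [(a.get("name") or "").lower(), (a.get("autocomplete") or "").lower()]
            if any(hint in c for hint in CARD_FIELD_HINTS for c in candidates):
                self._current["card_fields"].append(a.get("name") or a.get("autocomplete"))
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html, site_origin=SITE_ORIGIN):
    """Return (classification, destination, card_fields) tuples for card-handling elements.

    "in_scope"     : card fields post to the site itself (relative or same-host action)
    "processor"    : card fields post directly to a third-party host
    "hosted_embed" : an iframe whose contents (and any card fields) live on another host
    """
    parser = DonationFormAuditor()
    parser.feed(html)
    site_host = urlparse(site_origin).hostname
    findings = []
    for form in parser.forms:
        if not form["card_fields"]:
            continue  # newsletter signups etc. are not our concern here
        host = urlparse(form["action"]).hostname
        if host is None or host == site_host:
            findings.append(("in_scope", form["action"], form["card_fields"]))
        else:
            findings.append(("processor", host, form["card_fields"]))
    for src in parser.iframes:
        findings.append(("hosted_embed", urlparse(src).hostname, []))
    return findings


# Constructed sample page: one self-hosted card form, one form posting straight to a
# processor, one hosted embed, and one unrelated newsletter form.
SAMPLE_HTML = """
<form action="/donate" method="post">
  <input name="amount">
  <input name="cardnumber">
  <input name="cvv">
</form>
<form action="https://secure.example-processor.test/charge" method="post">
  <input name="cc-number" autocomplete="cc-number">
</form>
<iframe src="https://embed.example-processor.test/form"></iframe>
<form action="/newsletter"><input name="email"></form>
"""

if __name__ == "__main__":
    for kind, dest, fields in audit(SAMPLE_HTML):
        print(f"{kind:13} {dest}  {fields}")
```

Only the first finding is the kind you would need to fix or explain: a form whose action is your own site means your server receives the card number. This is a static check, so it will not see card fields that a script reads and tokenizes in the browser before sending them elsewhere; for those, confirm with the vendor's documentation which host the data is sent to.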
If you are receiving offers of tools to test your payment collection forms to make sure they are PCI Compliant, beware of upsells.
Ideally, you'll be able to work directly with your payment processor or CRM vendor to ensure PCI Compliance, and many CRMs typically charge a PCI Compliance fee (because it's kind of like credit card insurance).
- Plugins we work with: WooCommerce explains how it works with their software
- Plugins we work with: GravityForms explains how PCI compliance applies to payment-collecting forms