Like any merchant that handles credit card payments, Planning Center must comply with Payment Card Industry Data Security Standards (PCI DSS, or PCI for short). Recently, we completed the process of increasing our level of compliance. Planning Center is now a Level One compliant merchant. Our Attestation of Compliance documentation is available upon request at firstname.lastname@example.org.
As a customer, this new compliance level won't impact your cost or day-to-day operations as you use our products. It just means that the security measures and data handling protocols we already had in place have now been validated by a 3rd party with more scrutiny. Most of these measures and protocols had already been validated through other assessments including Privacy Shield, GDPR, and CCPA.
In practice, we go well beyond what these frameworks require. Three examples:
- Instead of scheduled and narrowly scoped penetration testing required by these security frameworks, we conduct ongoing penetration testing through HackerOne's open bounty program.*
- Instead of simply having a password policy for local computers, we also use local 2-factor-auth (hardware keys, fingerprint scanners, etc) for any employee accessing customer data in the course of providing customer support.
- Although the General Data Protection Regulation (GDPR) applies only to customers within the EU, we hold to this standard for all customers even though 95% of them are in the US.
* If you're a developer wanting to get involved in our HackerOne bounty program, send an email to email@example.com to get an invite.