Neon One partners with SecureTrust, a Sysnet Global Solutions company, to provide organizations with a free, best-in-class PCI Compliance program, to help our customers certify and maintain their PCI Compliance.
The new PCI Compliance page in Neon One Portal allows organizations to sign up for the program and lets anyone in the organization keep track of their compliance status.
What is PCI Compliance?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global set of rules and regulations created in 2004 by the four major card brands (Visa, Mastercard, Discover, and American Express) to provide a set of technical and operating standards for all organizations processing and accepting credit card transactions, in order to protect cardholder account data.
All organizations accepting credit cards must certify compliance with the PCI-DSS annually to ensure safe and secure environments for accepting card transactions.
Why is PCI Compliance important?
Having an international set of guidelines and standard practices for credit card processing ensures that all entities involved in the card payments ecosystem are playing by the same rules and keeping cardholder data safe and secure. As an organization processing or accepting credit card transactions, certifying compliance with this global standard is a necessary and important step toward keeping cardholder and constituent financial information safe.
What can I expect with this program?
Our partnership with SecureTrust gives you all the tools you need to understand and certify PCI Compliance in one place, across all of the technology services your organization uses, including a step-by-step self-assessment questionnaire (SAQ), vulnerability scanning tools, training materials, policy templates, and data breach insurance.
Note: While SecureTrust makes managing compliance easier, the self-assessment questionnaire process itself is quite technical. Someone who is familiar with the technology you use and able to answer technical questions about your systems should be the primary enrollee.
Who should sign up?
All organizations are free to enroll in the PCI Compliance program if they choose. When you sign up, you will designate a PCI Contact at your organization to be added to SecureTrust's system and continue the process. We recommend an IT Administrator or equivalent be selected as the primary account user, but anyone at your organization can be enrolled as the main point of contact, or added as SecureTrust users later.
How to sign up
Navigate to the Neon One Portal at https://app.neonsso.com/, log in, and select the PCI Compliance menu.
Select Enroll Now to open the enrollment form.
To enroll in the program, designate a PCI Compliance Contact at your organization by providing their name, email address, and phone number.
Note: The email address and phone number provided may be general organization contact details, but make sure your contact has access to them. SecureTrust will reach out to the email address provided to continue the setup process.
When the form is completed, select Enroll. Your PCI Compliance page in Neon One Portal will update accordingly, listing your PCI Contact's details, as well as displaying an Enrolled program status.
Compliance status will update to Validated once your organization has completed the validation process in the SecureTrust portal.
Note: Your PCI Contact will not be able to access the SecureTrust portal until they have created a password.
Within 24 hours of enrolling, SecureTrust will send two emails to your PCI Contact:
- An email with a username for the SecureTrust portal.
- An email with a link to create a password for the portal.
Note: It does take some time for the account to be created in SecureTrust's portal. Please wait at least 24 hours from the time you enroll for the account to be created and welcome emails to be received.
Example setup emails from SecureTrust:
Once your PCI Contact has created a password and logged in to the SecureTrust portal, enrollment and account setup is complete. You may now begin the compliance certification process with SecureTrust.
Certification guidance and PCI support, security tools, training materials, policy templates, data breach protection, and more, are all available to you and your organization from the SecureTrust portal as long as you are enrolled in the program.
What is the Neon One PCI Compliance Program?
The Neon One PCI Compliance Program is a free program in partnership with SecureTrust, a leading PCI compliance and cybersecurity vendor. It is offered free to all Neon One customers and provides PCI compliance certification assistance, security scans, and access to training and other resources to give our nonprofit customers the tools they need to keep their data secure.
Is my nonprofit required to be PCI Compliant?
While PCI compliance is not part of any law, it is an internationally used set of regulations which comes with significant penalties and costs for organizations that don't adhere to the requirements. Any organization accepting credit card transactions is required to be PCI compliant.
As a Neon One customer, you are encouraged, but not required to participate in our free compliance program. You may continue to use an outside vendor or self-certify.
Is Neon One PCI Compliant?
Yes. Neon One is PCI-DSS Level 1 compliant and re-certifies annually. Copies of our Attestation of Compliance (AOC) are available upon request.
If I use only Neon One products and do not accept payments elsewhere, do I still need to be PCI compliant?
Yes. All organizations accepting credit card payments are required to certify compliance with PCI standards, regardless of the tools they use. Software vendors who host payment pages, like Neon One, are also required to annually certify their compliance.
Using a software vendor that is certified PCI Compliant is an important part of the compliance process. Using Neon One’s technology in addition to certifying your organization’s own PCI Compliance is a great way to keep data protected end-to-end.
If I don’t accept credit card payments at all, do I need to be PCI Compliant?
No. Only organizations accepting credit card payments are required to certify compliance with PCI standards.
What does this program include?
When you sign up for Neon One’s PCI Compliance program, your organization receives access to a SecureTrust compliance account and their merchant portal. By creating a SecureTrust account, your organization receives the following:
- Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) assistance
- Quarterly Approved Scanning Vendor (ASV) scans
- 24/7 phone, chat, and email support
- Training resources
- Policy templates
- $100,000 in data breach protection
How much does the PCI Compliance Program Cost?
Enrollment into the program is free for all Neon One customers.
Does using Neon Pay cover my nonprofit in the case of a data breach?
While Neon Pay provides encrypted, tokenized credit card processing, it does not protect your organization from all angles. Along with using a secure, encrypted payment processor, the best defense against data breaches is making sure your organization handles sensitive data correctly, is trained in PCI best practices, and has the right technology policies in place in accordance with industry standards.
How does Neon One offer this program?
Neon One partners with SecureTrust, a leading cybersecurity and compliance firm, to bring this program to our customers. When you enroll in the Neon One PCI Compliance program, a SecureTrust account is created for your organization. You will then use the SecureTrust portal to manage and certify your compliance, as well as access training and other resources.
I've enrolled in the program but haven't received any emails from SecureTrust. What should I do?
Our connection to SecureTrust is batch-based, which means that enrollment information is provided to them in batches once per day. Once your account is created, SecureTrust will send username and password emails to the PCI Contact email address provided when you enrolled.
Please allow up to 24 hours to receive your username and password emails from SecureTrust. Make sure to check your Spam, Promotions, or Junk folder as well.
If after 24 hours your PCI Contact still has not received any email communication from SecureTrust, please reach out to our support team for further assistance. You can contact them at email@example.com.
I've enrolled in the program and have PCI compliance questions. Who should I contact?
Please reach out to the SecureTrust support team for all PCI compliance-related questions. Our support team can assist with program enrollment, but SecureTrust is the expert on compliance!
Can I add other members of my organization as SecureTrust users?
Yes. Your PCI Contact can create additional users in the SecureTrust portal, who will then receive access to the portal as well. Note that these users will not be synced to Neon One Portal.
Can I update my PCI Contact on file?
Yes. Your PCI Contact can be updated in the SecureTrust portal. This update will then be synced to Neon One Portal and reflected on the PCI Compliance page.
My PCI Contact is no longer with my organization. How do I access the SecureTrust portal?
If your designated PCI Contact is no longer with your organization, reach out to SecureTrust to gain access to the account and update the user account. You will need to answer security questions to verify your affiliation with the organization. Once verified, SecureTrust can add you as a user to the account.
How often does my organization need to certify compliance?
PCI Compliance is required to be certified each year. When you certify compliance, it is valid for one calendar year, after which time it expires. SecureTrust will notify your main PCI Contact of the upcoming expiration date and guide you through the process of re-certifying compliance. Luckily, all of your previous information is stored, and the re-certification process typically includes only noting changes to your organization's policies or payment processing environment from the last certification date.
My organization hasn’t certified PCI Compliance before. What does this process look like?
Certifying compliance with a SecureTrust account consists of three main steps.
- Complete your Business Profile information
- Set up quarterly Approved Scanning Vendor (ASV) scans
- Complete the Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC)
The SecureTrust support team is available 7 days a week to answer any questions you have before, during, or after the compliance certification process.
Do I need to enroll in this program if I am a Neon One customer?
No. While we recommend that you enroll to save time and money on the compliance process, you are not required to enroll in Neon One’s PCI Compliance program as a Neon One customer, though you are required to be PCI Compliant. You may continue to use an outside PCI Compliance security vendor or self-certify.
What is included in the data breach protection insurance?
SecureTrust's data breach protection policy protects merchants for the cost of an actual or suspected violation of a privacy regulation due to a security breach that results in the unauthorized release of protected personal information (PII), which is any private, non-public information of any kind in the merchant's care, custody, or control.
For more information on the policy and coverage, please reach out to the SecureTrust team once you've enrolled.
I need to provide domains to set up my quarterly ASV scans. Which ones do I use?
Please see our Neon One Domains article for more information on domains to provide in your ASV scans.
I'm enrolled in the program and no longer need it. How do I cancel?
If you would like to cancel your SecureTrust service through the Neon One PCI Compliance program, please reach out to your Neon One support team or account representative, and we will arrange the deactivation of your account with SecureTrust.
Where can I find more information about PCI Compliance?
Our PCI Compliance program through SecureTrust offers 24/7 support from PCI Compliance experts. If you’d like to learn more about PCI Compliance on your own, we recommend visiting the PCI Security Standards Council’s website and resource library here: https://www.pcisecuritystandards.org/resources-overview/