Updated 6.16.2026

If a client's giving page simply links out to the processor's own hosted payment page (the donor leaves our domain to pay), great. We are off the hook.

If a client's giving page embeds the processor's form in the page we host (iframe, popup/overlay, or script), we have to do more.

#2 below is also required when the client's payment system is hosted externally but opens in a pop-up/overlay on the client's own page, so the donor never leaves our domain (as Al noted in this case).

What You Must Do
1. Verify Your Provider: Ensure the giving platform (e.g., Stripe, PayPal, or Blackbaud) is a PCI DSS validated service provider, and keep a copy of its current Attestation of Compliance (AOC) on file; the client relies on it when completing the SAQ.
2. Inventory Scripts: Under PCI DSS v4.0 (Requirement 6.4.3), maintain a written inventory of every script that loads on the page where the "Give" button/popup lives, with a business or technical justification for each, and have a method to confirm each script is authorized and a method to assure its integrity (for example Subresource Integrity or a Content Security Policy). Requirement 11.6.1 adds change/tamper detection for that page. Which of these the current SAQ A revision spells out has changed between revisions, so check the version being completed.
3. Use HTTPS: The entire website, especially the page launching the popup, must be served over HTTPS with no mixed content (a single http:// script on that page undoes the protection).
4. Complete Your SAQ: The client, as the merchant, is still required to fill out an annual Self-Assessment Questionnaire (typically SAQ A for a fully outsourced or embedded payment form) to maintain official compliance status.

Thus the spreadsheet of scripts.
My understanding is that the Self-Assessment Questionnaire (SAQ) is ALWAYS the merchant's responsibility, or your responsibility in this case.

(actual sheet: https://docs.google.com/spreadsheets/d/1eWXef5m5jAGiM1y3dq0THwkYPsybOiMnkNWYpey-Rjw/edit?gid=1090969581#gid=1090969581 )
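To populate that sheet, and to notice when a script shows up on the giving page that nobody has justified, here is an added example (not Solutio's own tooling, and not part of the original notes). It parses the HTML of the page that hosts the "Give" button/popup with the standard-library HTMLParser, records every script with its origin, whether it carries a Subresource Integrity `integrity` attribute, and the sha384 SRI hash of any inline body, and then diffs the result against an approved inventory so that an unlisted script, or an inline script whose content has changed, is flagged. The first-party host `example-parish.org`, the sample page `SAMPLE_HTML` and the `APPROVED` list are constructed for illustration.

```python
"""Script inventory for the page that hosts the "Give" button/popup.

Added example, not Solutio's own tooling: parses the page's HTML with the
standard-library HTMLParser, records every <script> (origin, whether an SRI
`integrity` attribute is present, and the sha384 SRI hash of any inline
body), then diffs the result against an approved inventory so that a script
nobody justified, or an inline script whose content changed, is flagged.
SITE_HOST, SAMPLE_HTML and APPROVED are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example-parish.org"  # assumed first-party host (hypothetical)

# Constructed sample of a giving page; not a real client's markup.
SAMPLE_HTML = """
<html><head>
<script src="https://example-parish.org/js/site.js"
        integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://js.vanco.example/embed.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><button id="give">Give</button></body></html>
"""


def sri_hash(body: str, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed approved inventory: script identity -> written justification.
# Inline scripts are pinned by the hash of their exact content.
APPROVED = {
    "https://example-parish.org/js/site.js": "Site navigation (first party)",
    "https://js.vanco.example/embed.js": "Launches the processor's hosted giving popup",
    "inline:" + sri_hash("window.dataLayer = window.dataLayer || [];"): "Analytics bootstrap",
}


class ScriptCollector(HTMLParser):
    """Collects (attributes, inline body) for every <script> element."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[dict, str]] = []
        self._attrs = None          # attrs of the <script> currently open
        self._body: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._body = []

    def handle_data(self, data):
        if self._attrs is not None:  # HTMLParser hands script content to handle_data
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._body)))
            self._attrs = None


def inventory(html: str, site_host: str = SITE_HOST) -> list[dict]:
    """One row per script: identity, kind, origin and integrity pin (if any)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    rows = []
    for attrs, body in parser.scripts:
        src = attrs.get("src")
        if src:  # external script: its identity is the URL
            host = urlparse(src).hostname or site_host  # relative src => first party
            rows.append({
                "key": src,
                "kind": "external",
                "origin": "first-party" if host == site_host else f"third-party ({host})",
                "integrity": attrs.get("integrity") or "",
            })
        else:    # inline script: its identity is the hash of its content
            pin = sri_hash(body.strip())
            rows.append({"key": "inline:" + pin, "kind": "inline",
                         "origin": "first-party", "integrity": pin})
    return rows


def review(rows: list[dict], approved: dict) -> tuple[list[str], list[str]]:
    """Return (unauthorized, unpinned): scripts absent from the approved list,
    and external scripts carrying no SRI integrity attribute."""
    unauthorized = [r["key"] for r in rows if r["key"] not in approved]
    unpinned = [r["key"] for r in rows if r["kind"] == "external" and not r["integrity"]]
    return unauthorized, unpinned


if __name__ == "__main__":
    rows = inventory(SAMPLE_HTML)
    for r in rows:
        print(f'{r["kind"]:8} {r["origin"]:40} {r["key"]}')
    bad, unpinned = review(rows, APPROVED)
    print("Not in approved inventory:", bad)
    print("External scripts without SRI pin:", unpinned)
```

Run it against a saved copy of the live page (or a fetch of it) on a schedule and treat any non-empty "not in approved inventory" list as a change to investigate; the columns map directly onto the spreadsheet (script, origin, integrity, justification). An SRI pin is one way to meet the integrity part of 6.4.3; the processor's own embed script usually cannot be pinned because the processor updates it in place, so for that row the justification column should record which other control (the processor's attestation, or a Content Security Policy restricting script sources) covers it.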

Solutio Software does not:

  • Accept payments
  • Process payments
  • Transmit cardholder data
  • Store cardholder data
  • Provide payment forms, shopping carts, or checkout pages

Therefore:

  • Solutio Software is NOT required to be PCI-DSS compliant
  • Solutio is not a payment service provider
  • PCI DSS responsibility lies with the organization accepting payments (the client, as merchant) and the third-party payment processor


Here is a Vanco questionnaire about PCI compliance (February 2026) via StM-Man:

PCI Compliance Questions-Vanco.pdf

-------------------------------------------------
Hello,

Solutio Software provides website hosting and content management services only. We do not accept, process, transmit, or store credit card or payment data.

In some cases, Solutio-hosted websites may embed third-party, externally hosted payment forms (such as via iframe or script) that are provided and fully controlled by the payment processor. Solutio Software does not develop, modify, or maintain these forms and has no ability to access, intercept, view, or store cardholder data entered into them.

All payment data is submitted directly from the end user to the third-party payment processor’s systems. Solutio Software does not participate in the payment transaction and does not handle cardholder data in any capacity.

As a result, Solutio Software is not within PCI-DSS scope and is not required to maintain PCI-DSS compliance. PCI-DSS obligations apply to the organization accepting payments and the third-party payment processor.

Please let us know if additional clarification is required.