PCI Compliance - Info packet and Acknowledgement Form

Introduction to Credit Card Processing for Product Sales* and Online Camp / Event Registration

*If your troop is planning on selling Girl Scout products via credit cards, then you do NOT need to complete this form. INSTEAD, you should log in to our training portal and complete the online training, which covers this material and provides the information you need to obtain your Square credit card reader for product sales, use the council's tax ID number and associate the reader with your troop bank account. Please follow this link to connect to our online training portal at Training.GirlScoutsNorcal.org:

PCI & Accepting Credit Cards: https://training.girlscoutsnorcal.org/course/view.php?id=138

If your troop, service unit or group is offering, or thinking about offering, online camp or event registration, you must ensure protection of credit card data in accordance with the industry standards known as PCI Compliance and submit this form. To help you and GSNorCal meet the requirements for PCI Compliance, we have established the following guidelines for processing credit cards and for entering into contracts with online service providers. This information packet explains what PCI (Payment Card Industry) compliance is, the troop's, service unit's or group's responsibilities and requirements, and the procedure to be followed.

Because your troop, service unit or group may want to process credit card data from members and the public for registration purposes, it is essential that you follow the PCI Standards for Data Security. Failure to comply with PCI Standards may put our members’ confidential information at risk, harm Girl Scouts’ reputation and subject troop, service unit, group and Girl Scouts of Northern California to very significant penalties.

Summary of Requirements

In order to proceed, you must acknowledge and agree to the following:

  1. Your troop, service unit or group will comply with the GSNorCal PCI Compliance Requirements described below concerning credit card processing and protection of credit card data.
  2. Your troop, service unit or group will only use PCI compliant equipment and/or vendors for credit card processing.
  3. Your troop, service unit or group will comply with the contract requirements for online registration vendors as described in the Contracts section below.
  4. Your troop, service unit or group will designate at least one volunteer who is responsible for compliance with the GSNorCal PCI Compliance Requirements (“PCI Compliance Volunteer”).
  5. The troop leader, camp or event director/registrar and/or PCI Compliance Volunteer will acknowledge that they reviewed the GSNorCal PCI Compliance Requirements by electronic signature in the form below.
  6. The PCI Compliance Volunteer will:
    1. Participate in training provided by GSNorCal about the GSNorCal PCI Compliance Requirements.
    2. Ensure that all volunteers, camp and/or event staff working with your troop, service unit or group are aware of the GSNorCal PCI Compliance Requirements and have procedures and guidelines in place to ensure that these requirements are followed.
  7. Your troop, service unit or group must ensure a customer support system is in place and must communicate this system to its respective troop, service unit or group members and participants so that they can get answers to commonly asked questions.

If you have any questions about credit card processing or online camp or event registration for your troop, service unit or group, please email CreditCardProcessing@girlscoutsnorcal.org.

PCI Compliance and the Girl Scouts of Northern California

The Girl Scouts of Northern California requires all third party service providers who process credit card payments, on behalf of the Girl Scouts of Northern California, to be PCI compliant. Third party service providers must provide a current compliance report.

If you are using an online service provider not listed in the “Online Registration Service Providers” section in this form, simply ask your online service provider to provide you with a copy of their current “PCI Compliance Certification.” A certified provider will not hesitate to provide their certification to anyone who inquires.

If a third party provider is unable to provide the required compliance report they are not permitted to process credit card payments on behalf of the Girl Scouts of Northern California.

GSNorCal PCI Compliance Requirements

What is Credit Card Data?

Credit card data is considered sensitive, private data. The Payment Card Industry Data Security Standards (PCI DSS) define specific credit card data elements and state, for each one, whether it may be collected or stored.

The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. 

Definitions of Data Elements:
  • Primary Account Number is the sixteen digit card number.
  • Cardholder Name is the name of the person on the card.
  • Service Code is the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for magnetic-stripe read transactions.
  • Expiration Date is the expiration date shown on the card.
  • Full Magnetic Stripe is the data stored in the magnetic stripe on the card.
  • CVC2/CVV2/CID is the three digit code on the back of the card.
  • PIN / PIN Block is the personal identification number assigned to the card.

Storing and Handling Credit Card Data

Under the PCI DSS, if ANY electronic files contain data elements that require protection, they must be encrypted with 128 bit encryption and must have a password associated with the encrypted file. In addition, the network used to store the electronic files must be separated from the “primary” network, and additional security measures apply in order to meet the PCI DSS compliance requirements.

Due to these strict compliance requirements and the risk associated with not properly securing credit card data, the Girl Scouts of Northern California chooses NOT to store or transmit any Cardholder data or Sensitive Authentication data electronically. The only exception is processing transactions through our current Point of Sale systems, the Square service and the approved third party vendors listed below.

Furthermore, credit card data may not be emailed under any circumstances. Scanned images, photocopies, word processing or spreadsheet documents may NEVER be used, in any form, to SAVE or transmit Cardholder or Sensitive Authentication data. Forms that contain credit card data should not be faxed, because fax machines store the fax image electronically.

All credit card data, as previously defined, must be handled in a secure manner. If credit card data is received by fax, hard copy or exists on other hard copy paper format (such as the Girl Scouts membership forms), the paper must be secured under lock while the credit card data is waiting to be processed. Once the credit card data has been used for payment purposes, the credit card data must be destroyed by use of a cross-cut shredder.

As a best practice, paper forms should not be used to accept credit card data for processing. All credit card transactions should be completed by the participant and the GSNorCal Point of Sale systems, the Square provided devices, or through PCI compliant third party online service providers.

Where volunteers are involved in the collection of credit card data on paper forms for processing by the Girl Scouts of Northern California or an Online Service Provider, the volunteers must:

  • Never email, save or otherwise store or record the credit card data electronically under any circumstances.
  • Ensure that they keep close, personal control of paper forms while information is collected and prior to transferring the forms to the Girl Scouts of Northern California or entering the information into the Online Service Provider.
  • Strive to relay any paper forms with credit card data to the Girl Scouts of Northern California or their Online Service Provider as soon as possible after collecting the information.
  • Ensure that any forms in their possession that contain credit card data are destroyed, preferably by cross-cut shredder, and are never kept or stored for any reason after their intended use.
  • Ensure that under NO CIRCUMSTANCES anyone photocopies, scans, emails, faxes or otherwise electronically stores or transmits any credit card data, except through the GSNorCal Point of Sale systems, the Square devices or PCI compliant third party online service providers.

PCI Security Standards Council and Where to Get More Information

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

The PCI Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI Security Standards Council web site is a great source for information: https://www.pcisecuritystandards.org/index.shtml

For PCI frequently asked questions: http://www.pcicomplianceguide.org/pcifaqs.php

Wells Fargo’s site for Merchant Services — Payment Card Industry (PCI) Data Security Standards (DSS) FAQs: https://www.wellsfargo.com/biz/help/faqs/merchant

How to Provide GSNorcal with a Compliance Report for Online Registration Providers

Send an email with a PDF version of your compliance report, or link to the QSA’s site that contains the compliance report to: grouponlineregistration@girlscoutsnorcal.org

If you have specific questions about providing a compliance report, or other PCI compliance questions, please email grouponlineregistration@girlscoutsnorcal.org and we will respond to your inquiry within two business days.

Below is a list of web-based providers who have been known to be PCI compliant. It is your responsibility to obtain current certification of compliance for the providers you choose to support your online registration needs.
 
Service Provider  | Web site
Eventbrite        | eventbrite.com
Ultra Camp        | ultracamp.com
Doubleknot        | doubleknot.com
Camp Registrar    | campregistrar.com
Active Network    | activecamps.com
 
Note that each service provider has its own pricing structure. It is your responsibility to evaluate and select the service provider that offers the best combination of features and price for your camp or event.

One option for covering the cost of the service is to pass it on as a convenience fee to registrants who choose to use online registration.

PCI Acknowledgement

1. Our troop, service unit or group will comply with the GSNorcal PCI Compliance requirements described above concerning credit card processing and protection *
2. Your troop, service unit or group will only use PCI compliant equipment for credit card processing. *
3. Your troop, service unit or group will designate at least one volunteer who is responsible for compliance with the GSNorCal PCI Compliance Requirements (“PCI Compliance Volunteer”). *
4. The troop leader, camp or event director/registrar and/or PCI Compliance Volunteer will acknowledge, below, that they have reviewed the GSNorCal PCI Compliance Requirements via the Electronic Signature section below. *
5. The PCI Compliance Volunteer will: a. Participate in training provided by GSNorCal about the GSNorCal PCI Compliance Requirements. b. Ensure that all volunteers, camp and/or event staff working with your troop, service unit or group are aware of the GSNorCal PCI Compliance Requirements and have procedures and guidelines in place to ensure that these requirements are followed. *
6. Your troop, service unit or group must ensure a customer support system is in place and must communicate this system to its respective troop, service unit or group members and participants so that they can get answers to commonly asked questions. *

If you have any questions about credit card processing or online camp or event registration for your troop, service unit or group, please email CreditCardProcessing@girlscoutsnorcal.org.

and I am acting as the PCI Compliance Volunteer for:

Electronic Signature

Published February 9, 2018

Girl Scouting builds girls of courage, confidence and character that make the world a better place.  2018 Girl Scouts of Northern California