PCI Compliant Formstack Edition

Formstack offers a PCI Edition of the Formstack product on Platinum plans or higher, which provides users with an SAQ-A, an important document for PCI compliance. It is important to note that Formstack itself is not "PCI Compliant." We provide the SAQ-A documentation, and it is up to the Account holder to determine whether or not it meets their own PCI Compliance standards.

There are two factors that make the PCI Edition different from the standard Formstack product:
  1. All payment integrations except for Stripe are removed from your Account.
  2. Credit card data cannot be sent to or stored in an encrypted database.

Obtaining the PCI Edition of Formstack

The PCI Edition of Formstack can be enabled on your paid Formstack Account by first requesting access to the PCI Edition through our Support or Sales Teams and by completing this sign-off form. Once submitted, your account will be updated with the necessary PCI features and you will receive a copy of the SAQ-A document for your records.

Using Payment Processors without an SAQ

If you use a processor other than Stripe, or do not opt in to the PCI Edition of Formstack, you may wonder whether your data is safe and whether those other payment integrations are PCI compliant.

If your forms use an integration that includes a redirect, such as PayPal Standard, you do not need to worry about PCI compliance on the Form, as no payment data needs to be collected or saved in Formstack. Because of the redirect, the submitter enters their payment data directly on the PayPal site, where the card information is handled and processed under PayPal's PCI DSS Compliance standards.

The key difference is that credit card data is not collected on the Form itself; any time card data is collected directly on the Form, PCI Compliance will need to be reviewed.