PCI Compliant Formstack Edition

Formstack offers a PCI Edition of the Formstack product on Platinum plans or higher, which provides users with an SAQ-A, an important document for PCI compliance. It is important to note that Formstack itself is not "PCI Compliant." We provide the SAQ-A documentation, and it is up to the Account holder to determine whether or not it meets their own PCI compliance standards.

There are two factors that make the PCI Edition different from the standard Formstack product:
  1. All payment integrations except for Stripe are removed from your Account.
  2. Credit card data cannot be sent into an encrypted database.

Obtaining the PCI Edition of Formstack

The PCI Edition of Formstack can be enabled on your paid Formstack Account by first requesting access to the PCI Edition through our Support or Sales Teams and by completing this sign-off form. Once submitted, your Account will be updated with the necessary PCI features and you will receive a copy of the SAQ-A document for your records.

Using Payment Processors without an SAQ

If you use payment processors other than Stripe, or do not opt in to the PCI Edition of Formstack, you may be wondering whether your data is safe and whether those integrations are not PCI compliant.

If your Forms use an integration that includes a redirect, such as PayPal Standard, you do not need to worry about PCI compliance on the Form, as no payment data needs to be collected or saved in Formstack. Because of the redirect, the submitter enters their payment data directly on the PayPal site, where the card information is handled and processed under the PayPal PCI DSS Compliance standards.

The key difference is that credit card data is not collected on the Form itself; any time the data is collected directly on the Form, PCI compliance will need to be reviewed.