Preparing for a PCI Compliant Formstack


Formstack is becoming PCI compliant! This will allow you to collect and process payments in an even more secure way. To become PCI compliant, we will limit the ability to store full credit card numbers in the near future.

Important Dates and Changes:

November 2018

 
  • A new credit card field will be available to use on all accounts. This field will only be usable on V3 forms with an enabled payment integration or PCI Compliant webhook (available December 2018). Note: The current credit card field will still be available on existing accounts until March 2019.
  • When using the new credit card field:
    • Card Holder Data will be sanitized throughout the app. Only the last 4 digits of the credit card number will be displayed in submissions, in emails (even with PGP encryption enabled), and in custom submit messages.
    • It will no longer be possible to save full credit card data in submissions, even with submission encryption enabled.


December 2018

  • It will no longer be possible to save full credit card data in submissions with the ‘Save in Database’ checkbox checked in credit card processing integration settings.

  • PCI Compliant WebHooks will be made available by request via our Support Team.

  • The old credit card field will no longer be available on new forms.


March 2019


The old credit card field will be retired from all accounts.

  • For those who are unable to migrate by the March 31st deadline, we will automatically update the old credit card fields in your form(s) to the new one.
  • Since the design of the new credit card field is different from the old one, please check your forms to address any design concerns after the switch.
 

Here are some steps to prepare your forms for these upcoming changes:

  • Export, then delete, any old and/or unneeded form submissions that contain credit card data.

  • Stop saving full credit card data when using a credit card processing integration (Uncheck the ‘Save to Database’ box in the integration settings) if you don’t need to collect this data.

  • If you’re collecting full credit card data without a payment integration for pre-authorization purposes, consider implementing the Authorize.Net integration in Authorization mode.

  • Start researching our available credit card processing payment integrations if you aren’t currently using one (i.e. Stripe, Authorize.Net, PayPal Pro, Payflow Pro, Chargify, FirstData).

  • Begin making a prioritized list of your payment forms and formulate a plan to convert the credit card field and make any necessary changes. NOTE: An account auditing tool will be available in-app to assist with this process.

  • Convert any V2 forms with credit card fields to V3 forms. More information here.
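An exported submissions file still holds whatever full card numbers the old field saved, so it is worth checking the export before it is filed or shared. The following is an added example, not Formstack code: it scans a CSV export for Luhn-valid card numbers and masks each to its last 4 digits, matching the display rule described above. The CSV layout and column names are constructed for illustration, and the card numbers are public test numbers.

```python
import csv
import io
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample export; the column names are assumptions, not Formstack's format.
SAMPLE_EXPORT = (
    "Submission ID,Name,Credit Card,Notes\n"
    "1001,Ada Example,4111111111111111,order 1234567890123456\n"
    "1002,Bo Example,4242 4242 4242 4242,call 317-555-0100\n"
    "1003,Cy Example,,card on file is 4111-1111-1111-1111\n"
)

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(value):
    """Mask every Luhn-valid card number in value; return (masked, hit_count)."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):        # e.g. a long order number: leave untouched
            return match.group()
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    masked = PAN_RE.sub(repl, value)
    return masked, hits

def sanitize_export(csv_text):
    """Return (sanitized_csv, findings); findings are (row, column, count)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    findings = []
    for row_no, row in enumerate(reader, start=2):   # row 1 is the header
        for col, val in list(row.items()):
            row[col], n = mask_pans(val or "")
            if n:
                findings.append((row_no, col, n))
        writer.writerow(row)
    return out.getvalue(), findings
```

The findings list shows which rows and columns held full card numbers, including free-text fields such as notes where a number was typed outside the credit card field.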

 

To assist you further, we’ve listed each possible use case and the steps you may need to take when converting your forms.

Note: Some of the features required to fully convert your forms may not be available. Please refer to the "Important Dates and Changes" section above for more information.

 

V3 Form with Old Credit Card Field and a Payment Integration - Not Saving Full CC Data

  1. Export Your Submissions
  2. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  3. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  4. Optional: Adjust your custom message fields
 

V3 Form with Old Credit Card Field and a Payment Integration - Saving Full CC Data

  1. Export Your Submissions
  2. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  3. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  4. Optional: Adjust your custom message fields
 

V3 Form with Old Credit Card Field and WITHOUT a Payment Integration - Saving Full CC Data

  1. Export Your Submissions
  2. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  3. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  4. Add a Payment Integration or PCI Webhook
  5. Optional: Adjust your custom message fields
 

V2 Form with Old Credit Card Field and a Payment Integration - Not Saving Full CC Data

  1. Export Your Submissions
  2. Convert the Form to V3
  3. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  4. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  5. Optional: Adjust your custom message fields

 

V2 Form with Old Credit Card Field and a Payment Integration - Saving Full CC Data

  1. Export Your Submissions
  2. Convert the Form to V3
  3. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  4. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  5. Optional: Adjust your custom message fields
 

V2 Form with Old Credit Card Field and WITHOUT a Payment Integration - Saving Full CC Data

  1. Export Your Submissions
  2. Convert the Form to V3
  3. Remove the Old Credit Card Fields (this will delete credit card data from your submissions)
  4. Add the New Credit Card Field (available Nov ‘18) and adjust field logic if necessary
  5. Add a Payment Integration or PCI Webhook
  6. Optional: Adjust your custom message fields

NOTE: If you're using the credit card field without a payment integration, you will still be able to view the full credit card information for up to 90 days. After 90 days, all credit card information will be purged from your submissions.