How do I answer this question? "Does the protected personal information records the Applicant stores, collects, transacts, accepts, transmits, handles, or processes include any of the following types of information?"

Struggling with this question on our application? Here’s what you need to know:

Most companies accept credit cards for payment, but that’s not what this question is asking. If your client has a payment processor that they built themselves, you should answer yes to this question. Otherwise, they likely aren’t collecting Personally Identifiable Information (PII) about people’s credit cards.

Another way to look at it is to ask whether the client is actually storing the credit card numbers and other information, or just letting people pay through a third-party tool.

This is because tools like PayPal, Square, Squarespace, and Shopify all handle credit card payments for businesses, so the business is not actually privy to, and does not store, its clients' credit card information. If this is the case, then you should answer no to this question.

Questions to ask:

  • Do you have a payment processor you built? If so, are you PCI-compliant? How do you protect this data?

  • Do you see the credit card numbers people use to pay?