
PCI Compliance Steps for IP Merchants

PCI FAQ

CapitalQ and Elavon have chosen Trustwave's TrustKeeper to assist merchants with becoming PCI compliant.  If you are already compliant with another vendor you can register and upload your compliance information.

This page is for merchants who process with an integrated POS system or a terminal that communicates over the Internet to process credit card transactions.  If your system is not connected to the Internet, or you use a standalone dial-up terminal, then click Dial Up Steps for registration.

TrustKeeper's website provides detailed help when you are logged in.  Here is a link to see their complete help document without having to log into their website.  See Complete Guide.

Step 1: Register
For additional assistance with registration watch this short presentation about the enrollment process.

    1. Start with your registration at the TrustKeeper website.  If you have a Windows-based system and are on the same network as your POS/PMS, it is best to install the TrustKeeper Agent on the PC you use for your credit card transactions.  If you are uncomfortable loading the agent or are not on the same network, you can choose to scan your public IP address instead.

    2. To get your public IP address you must be on the network that processes credit cards.  When you log in to Trustwave you will have the option to scan the IP address of your current computer, or you can add it manually.

    3. Click Here to be taken to the TrustKeeper Registration (this will open a new window).

    4. When you install the TrustKeeper Agent, you will be asked to register with your company name, Merchant ID (10-digit number, no leading 0's) and e-mail address.  Once you've registered, you'll receive an e-mail telling you how to sign in to the TrustKeeper Web site.  If you don't have a PC to download the TrustKeeper Agent to, you can go directly to the TrustKeeper Web site and register for service.  Be sure to have your Elavon Merchant ID ready when you register.

    5. If you choose to register online you will be taken to the elavonpci.trustkeeper.net website, where you will complete your registration.  From there you will complete the steps below.

Step 2: Complete your Merchant Profile

The merchant profile is a short survey about your business.  Completing it helps TrustKeeper customize the process for you.  For a walk-through tutorial, click here.

Some things you will need to know: you are a Level 4 merchant, and the acquiring bank is US Bank.

You will need the manufacturer/vendor name and model/version information (e.g. VeriFone Omni 3750, Micros RES 4.1) of your point-of-sale system.

Step 3: Setup and Schedule your Vulnerability Scan

An external vulnerability scan is a security probe of your store, web site, or business office performed by TrustKeeper.  It is an automated, non-intrusive scan that assesses your network and web applications from the Internet.

Click the "Edit Scan Profile" link to get started.  The first time you edit this, TrustKeeper will guide you through two steps:

  1. Configuring your scan parameters (i.e. telling TrustKeeper what to scan)
  2. Scheduling your scan (i.e. telling TrustKeeper when to do its scan)

The "External Vulnerability Scan" section below contains more details, but for small merchant businesses:

  • E-commerce merchants need to enter the domain names of all of their web sites (e.g. www.mywebsite.com).  Do not enter a website unless you control it and it takes card information.  If it is a franchise website, do not enter it.
  • Merchants who have installed the TrustKeeper Agent at each POS can simply select those agents to set up the scan.
  • Or, you can enter your public IP address.  Click Get-IP to find your public IP address.

Once you have set up the scan you have completed this step, but you still need to wait for the scan to occur and then review the results.  You can do this through the "View Results" link in the left menu once the scan has completed (you will receive an e-mail notification before the scan starts and when it is complete).

Step 4: Complete the Compliance Questionnaire

The Self-Assessment Questionnaire (SAQ) is a set of questions that test whether your business is in compliance with the PCI DSS.  If you are storing credit card data electronically, regardless of how you process or whether the data is encrypted, you end up with SAQ D and you must have a scan completed on your network.

In each SAQ there are questions about your written Card Security Policy.  It has been our experience that most merchants do not have a written policy.  We have a guide to show which SAQ you will most likely need to answer and whether a scan is required.  This guide also has links to sample security policies as well as the SAQ itself, so you can review them before going online.  We also have Navigating the SAQ to help explain the reasoning behind the questions.

There are 12 Requirements in the PCI Data Security Standard.  Each SAQ addresses some of the requirements; SAQ D addresses all of them.  Some questions will not apply to you.  In those instances choose NA and state why it does not apply.  If you have to answer No to a question, then you have a policy or procedure that must be changed so that you can comply with the standard.


Requirements 1-12

The questions in sections 1-12 are derived from the PCI DSS.  Next to each question, there is a specific numeric reference to the PCI DSS requirement to which you can refer for more information.

For each of the questions in sections 1-12, there are four possible answers:

  • Yes -- indicates that your business complies with the requirement
  • No -- indicates that your business does not fully comply with the requirement
  • Not Applicable -- indicates that the requirement does not apply to your business.  NOTE: If you choose this answer, you must provide an explanation in the "Comments" area for the question to explain why the requirement is not applicable.  [For example, if you don't write your own processing software you will answer NA to those questions and state you don't write your own software.]
  • Compensating Control -- indicates that your organization cannot meet the requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.  NOTE: If you choose this answer, you must provide an explanation in the "Comments" area that meets the guidelines for Compensating Controls (see next section).

Also, with each question TrustKeeper provides help and guidance through the blue question mark icon.  This guidance was developed by Trustwave's Compliance Validation team, and is specifically designed for the SAQ version.

For those answering SAQ D, the following language comes directly from the PCI DSS SAQ D.

"While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to wireless technology. See the guidance below for information about the exclusion of wireless technology and certain other, specific requirements."


Exclusion: If you are required to answer SAQ D to validate your PCI DSS compliance, the following exceptions may be considered. See "Non-Applicability" below for the appropriate SAQ response.

The questions specific to wireless only need to be answered if wireless is present anywhere in your network (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Note that Requirement 11.1 (use of wireless analyzer) must still be answered even if wireless is not in your network, since the analyzer detects any rogue or unauthorized devices that may have been added without the merchant’s knowledge.

The questions specific to custom applications and code (Requirements 6.3-6.5) only need to be answered if your organization writes its own custom web applications.
The questions for Requirements 9.1-9.4 only need to be answered for facilities with "sensitive areas" as defined here. "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Non-Applicability: These and any other requirements deemed not applicable to your environment must be indicated with "N/A".  An explanation must also be provided.

Using Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.  Compensating controls must satisfy the following criteria:

  1. Meet the intent and rigor of the original PCI DSS requirement.

  2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

  3. Be "above and beyond" other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

  4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

When you select "Compensating Control" as the answer to a question in the SAQ, you are required to provide a description in the "Comments" area for that question covering the following points:

  1. List constraints precluding compliance with the original requirement.
  2. Define the objective of the original control; identify the objective met by the compensating control.
  3. Identify any additional risk posed by the lack of the original control.
  4. Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
  5. Define how the compensating controls were validated and tested.
  6. Define the process and controls in place to maintain the compensating controls.

Caution: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

Step 5: Compliance Reports

Once you have completed all of the above steps, you can see the results in the Overall Program Status bar.  If you pass both the scan and the SAQ, then you have fulfilled your PCI DSS validation requirement.  This section contains three confirmation documents you may want to use:

  • The Certificate of Compliance is a one-page printable attestation of your achievement.
  • The Executive Summary gives summary results for both your SAQ and Scan.
  • The Trusted Commerce seal can be displayed on your web site to demonstrate to customers that your online business is secure.

Download these reports and save them.  Next year, when you have to answer the questions again, you can refer to these documents.



Reference documents:

  • Navigating the SAQ (314 KB)
  • PCI Overview (3583 KB)
  • Policy Sample for SAQ A (96 KB)
  • Policy Sample for SAQ B (110 KB)
  • Policy Sample for SAQ C (120 KB)
  • SAQ & Scan Guide (401 KB)
  • SAQ A (402 KB)
  • SAQ B (360 KB)
  • SAQ C (419 KB)
  • SAQ D (1007 KB)
