
PCI Compliance Steps for Non-IP Merchants


CapitalQ and Elavon have chosen Trustwave's TrustKeeper to assist merchants with becoming PCI compliant. If you are already compliant with another vendor, you can register and upload your compliance information.

These steps are for merchants who process with a stand-alone dial-up terminal or a CDMA, GSM or GPRS terminal, and for Touchtone merchants.

TrustKeeper's website provides detailed help when you are logged in. Here is a link to see their complete help document without having to log into their website. See Complete Guide.

Step 1: Register

For additional assistance with registration, watch this short presentation about the enrollment process.


Step 2: Complete your Merchant Profile

The merchant profile is a short survey about your business. Completing it helps TrustKeeper customize the process for you. For a walk-through tutorial, click here.

Some things you will need to know: you are a Level 4 merchant and the Acquiring Bank is US Bank.

You will need the manufacturer/vendor name and model/version information of your credit card equipment.


Step 3: Complete the Compliance Questionnaire

The Self-Assessment Questionnaire (SAQ) is a set of questions that test whether your business is in compliance with the PCI DSS. If you are storing credit card data electronically, regardless of how you process or whether the data is encrypted, you end up with SAQ D and you must have a Scan completed on your network.

In each SAQ there are questions about your written Card Security Policy. It has been our experience that most merchants do not have a written policy. We have a guide to show which SAQ you will most likely need to answer and whether a Scan is required. This guide also has links to sample security policies as well as the SAQ itself, so you can review them before going online. We also have Navigating the SAQ to help explain the reasoning behind the questions.

There are 12 Requirements in the PCI Data Security Standard. Each SAQ addresses some of the requirements; SAQ D addresses all of them. Some questions will not apply to you. In those instances choose NA and state why it does not apply. If you have to answer No to a question, you have a policy or procedure that must be changed so that you can comply with the standard.

Requirements 1-12

The questions in sections 1-12 are derived from the PCI DSS. Next to each question there is a specific numeric reference to the PCI DSS requirement, to which you can refer for more information.

For each of the questions in sections 1-12, there are four possible answers:

• Yes -- indicates that your business complies with the requirement
• No -- indicates that your business does not fully comply with the requirement
• Not Applicable -- indicates that the requirement does not apply to your business. NOTE: If you choose this answer, you must provide an explanation in the "Comments" area for the question to explain why the requirement is not applicable. [For example, if you don't write your own processing software, you will answer NA to those questions and state that you don't write your own software.]
• Compensating Control -- indicates that your organization cannot meet the requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls. NOTE: If you choose this answer, you must provide an explanation in the "Comments" area that meets the guidelines for Compensating Controls (see next section).

Also, with each question TrustKeeper provides help and guidance through the blue question mark icon. This guidance was developed by Trustwave's Compliance Validation team and is specifically designed for the SAQ version.


Caution: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

For those answering SAQ D, this language comes directly from the PCI DSS SAQ D:

"While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to wireless technology. See the guidance below for information about the exclusion of wireless technology and certain other, specific requirements."

Exclusion: If you are required to answer SAQ D to validate your PCI DSS compliance, the following exceptions may be considered. See "Non-Applicability" below for the appropriate SAQ response.

The questions specific to wireless only need to be answered if wireless is present anywhere in your network (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Note that Requirement 11.1 (use of wireless analyzer) must still be answered even if wireless is not in your network, since the analyzer detects any rogue or unauthorized devices that may have been added without the merchant's knowledge.

The questions specific to custom applications and code (Requirements 6.3-6.5) only need to be answered if your organization writes its own custom web applications.

The questions for Requirements 9.1-9.4 only need to be answered for facilities with "sensitive areas" as defined here. "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Non-Applicability: These and any other requirements deemed not applicable to your environment must be indicated with "N/A". An explanation must also be provided.

Step 5: Compliance Reports

Once you have completed all of the above steps, you can see the results in the Overall Program Status bar. If you pass both the scan and the SAQ, then you have fulfilled your PCI DSS validation requirement. This section contains three confirmation documents you may want to use:

• The Certificate of Compliance is a one-page printable attestation of your achievement.
• The Executive Summary gives summary results for both your SAQ and Scan.
• The Trusted Commerce seal can be displayed on your web site to demonstrate to customers that your online business is secure.

Download these reports and save them. Next year, when you have to answer the questions again, you can refer to these documents.


Related documents:

• Navigating the SAQ (314 KB)
• PCI Overview (3583 KB)
• Policy Sample for SAQ A (96 KB)
• Policy Sample for SAQ B (110 KB)
• Policy Sample for SAQ C (120 KB)
• SAQ & Scan Guide (401 KB)
• SAQ A (402 KB)
• SAQ B (360 KB)
• SAQ C (419 KB)
• SAQ D (1007 KB)


