Overview

Regardless of which version of Card Defender you are using, answering PCI compliance questions can be challenging. This article aims to arm you with what you need to know in order to confidently answer questions related to your PCI compliance.


Preface


If you are completing your PCI compliance application using PCI Plus, please contact the PCI Plus support team at 800-213-8918.

Terminology

PCI Compliance

PCI DSS - Payment Card Industry Data Security Standard, the set of security requirements maintained by the PCI Security Standards Council that merchants handling payment card data must meet.

SAQ - Self-Assessment Questionnaire, the validation tool used by merchants to report how their environment meets the applicable PCI DSS requirements.

Attestation of Compliance - The signed declaration (AOC) that accompanies a completed SAQ, attesting to the results of the self-assessment.

Compensating Controls - Alternative measures a merchant may document when a specific PCI DSS requirement cannot be met as stated because of a legitimate technical or business constraint, provided the alternative sufficiently offsets the risk the original requirement addresses.


Each major processor, and many resellers as well, works with a different company to help perform the SAQ process (usually delivered as an online questionnaire) and, typically, an external vulnerability scan.


At its heart, though, the PCI Security Standards Council defines a specific set of Self-Assessment Questionnaires (SAQs), and which one applies depends on how a merchant handles card data. Because Card Defender is built on PAX PTS-approved terminals, our retailers qualify for the SAQ known as SAQ B-IP.


The latest documentation can always be found in the PCI Security Standards Council document library at https://www.pcisecuritystandards.org/document_library/.


Per the Self-Assessment Questionnaire Instructions and Guidelines (v4.0), Card Defender merchants qualify for SAQ B-IP (v4.0) when they meet the following criteria:

  • Merchants use only standalone, PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor.
  • Payment devices are separated (segmented) from other network devices.
  • The only transmission of account data is to the payment processor, with no other device used to transmit the data.
  • No electronic account data storage.
  • Not applicable to e-commerce channels.
  • Not applicable to service providers.


Procedure

Section 1: Assessment Information

  1. Contact Information - The official business information for the Retail Merchant being assessed and for the individual(s) performing the assessment.
    1. Assessed Merchant - Enter the official information for the Retail Merchant being assessed.
    2. Assessor - Enter information about the individual(s) performing the assessment. If a professional assessment company is NOT used, you may enter "Not Applicable" for the ISA name(s), Company name, Company mailing address, Company website, and Assessor certificate number fields.
  2. Executive Summary
    1. Merchant Business Payment Channels - Every method of payment you use must be validated. Typically you will have different merchant IDs for e-shop and retail. If you also accept payments over the telephone, you will be required to answer some additional questions later in the process and to ensure that additional security practices are carried out in your organization. Most retailers will answer only "Card-present", and "No" to the follow-up question.
    2. Description of Role with Payment Cards - This captures every process a retailer uses when accepting credit cards. For MOST retail merchants, this means entering a channel of "Card-present" and a description similar to "Customers directly insert their card and authorize payments. Employees do not handle any cardholder data except when assistance has been requested by the customer."
    3. Description of Payment Card Environment - 
    4. In-Scope Locations / Facilities
    5. PCI SSC Validated Products and Solutions
    6. Third-Party Service Providers
    7. Summary of Assessment
    8. Eligibility to Complete SAQ B-IP

Section 2: Self-Assessment Questionnaire B-IP



References