You are being asked to fill out this compliance questionnaire for your brick-and-mortar location. The answers given here are for your brick-and-mortar Merchant ID.
PLEASE READ: PCI DSS 4.0 update
We have updated our profile process to comply with the requirements of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS).
If you have completed this process previously, please re-confirm your answers. You may be required to answer some additional questions in order to correctly determine your compliance requirements under the latest version of the standard.
Please refer to the PCI Security Standards Council PCI DSS v4.0 Resource Hub for more information.
We have also made some additional resources available here.
ANSWER: I understand
Choose an assessment method
Please select the method by which you would like to provide your PCI DSS Self Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
ANSWER: Guide Me - Select this option to use our profiling tool to help you determine the scope of your PCI DSS compliance requirements and to complete your PCI DSS assessment.
How do you accept payment cards?
Please select all of the ways you take payment cards in your business today. Please note that this refers only to branded cards (e.g. Visa and Mastercard); alternative payment types (e.g. PayPal and Google Wallet) are not applicable.
ANSWER:
- Face to face (the customer is present and the payment card is inserted, tapped or swiped to complete the transaction. This includes unattended kiosks.)
- Mail or telephone order card payments
How you accept your mail and telephone order customer card payments
My customers provide their card number by:
ANSWER: Phone
How you accept card payments via mail and telephone order
Do you outsource your telephone or mail ordering service including payment capture to a third party?
ANSWER: No
Transactions over the telephone
How do you accept payments over the phone?
ANSWER: My customers give their payment card number over the phone to a person in my organization or call centre
Your telephone system call handling
Do you record calls made and received by your business?
ANSWER: No
Storage of Electronic Cardholder Data
Do you store full card numbers in electronic format?
ANSWER: No
Your employees access to data
Do any of your employees have access to any electronically stored cardholder data?
ANSWER: No
How you accept card payments
Please select all of the methods that you use to accept card payments in your business.
ANSWER:
- I use an integrated Point of Sale (POS) system that includes a connected hardware terminal; payment data is routed through the POS to the processor
Use of point to point encryption solution
Are any of your payment acceptance methods using a PCI SSC Validated Point to Point Encryption (P2PE) Solution? (Please note that although a terminal may be P2PE enabled, this does not automatically equate to a P2PE validated solution. Please reference the PCI SSC website www.pcissc.org for a list of validated P2PE Solutions. If your payment solution is not listed, please choose 'No' for this question.)
ANSWER: Yes
Your point to point encryption solution
Have you and/or your POS solution provider ensured that the P2PE Solution is implemented and operated in line with the P2PE Instruction Manual (PIM) supplied by the P2PE Solution Provider(s)?
ANSWER: Yes
Payment Methods using Point to Point Encryption
Select which of your payment methods use a PCI Validated P2PE Solution (choose all that apply):
ANSWER:
- Integrated point of sale (POS) system
Your Point-to-Point Encryption system
Please select your P2PE solution from the list
ANSWER: Ingenico, Inc - Ingenico One P2PE Solution
(Type "INGENICO" in the filter box to quickly find that option, and then check the box and click Next.)
Your Ingenico One P2PE PTS device
Please select your PCI PIN Transaction Security (PTS) device utilized within the PCI validated P2PE Solution.
ANSWER: Ingenico, Lane/7000
(Type "7000" in the filter box to quickly find that option, and then check the box and click Next.)
Your customer's payment card authentication data
Do you receive the security/validation/verification code from your customers to authorise their transactions? This is the three- or four-digit number located either in the signature panel of your customer's payment card or on the front of the card.
ANSWER: Yes
Your customer's payment card authentication data
Do you store the payment card security/validation/verification code in any electronic format? (e.g. databases, files, emails, scanned copies, etc.)
ANSWER: No
Do you securely destroy the payment card security/validation/verification code once the transaction has been authorised?
ANSWER: Yes
Printed paper receipts and reports
Do you print, receive or have access to paper receipts or reports that contain the full payment card number?
ANSWER: No
Other uses of card numbers
Does anyone in your organisation send or receive full card numbers via email or instant messaging?
ANSWER: No
Does your company otherwise store, transmit or receive cardholder data electronically in any other way and for any other purpose? This could be via CD-ROM, USB drive or an internet network.
ANSWER: No
Third Party Managed System Service Providers
Do you have relationships with one or more third-party service providers that manage system components included in the scope of this assessment, for example via network security control services, anti-malware services, security information and event management (SIEM), contact and call centres, web-hosting services, and IaaS, PaaS, SaaS and FaaS cloud providers?
ANSWER: No
Other Third Party Service Providers that may impact cardholder data security
Do you have relationships with one or more third-party service providers that could impact the security of your company's cardholder data environment (CDE)? For example, vendors providing support via remote access, and/or bespoke software developers.
ANSWER: No
Your company policy for information security
To handle payment cards you are required by the Payment Card Industry Data Security Standard (PCI DSS) to have an Information Security Policy in place for your organisation. This must cover all relevant areas of the standard. If you do not currently have one, we can provide you with a policy template below.
ANSWER:
- I do not have an Information Security Policy in place at the moment, I will implement a security policy using the template provided. Download the FREE Information Security Policy
Password policy
Do you enforce a minimum password length of seven characters, containing both numeric and alphabetic characters, for user accounts on all POS devices, computers and systems in your business?
ANSWER: Yes
A summary of how and where you handle card payments
Please provide the information requested below. This will form part of your Attestation of Compliance.
List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment (e.g. retail outlets, corporate offices, data centres, call centres, etc.).
ANSWER: Retail Business
How and in what capacity does your business store, process and/or transmit cardholder data?
ANSWER: Integrated POS system and terminal
Provide a high-level description of your overall business environment applicable to your PCI DSS assessment. For example, describe the type of equipment you use for card processing, storage and transmission (such as POS devices, any databases and web servers), and include a description of how they connect, both externally and to any internal systems.
ANSWER: We use an Ingenico Lane 7000.
You have now finished the business profile portion. You will now proceed to complete the security assessment.
Click on Manage underneath Complete security assessment.
You will click Next to see the questions.
You will then click Yes for each of the questions and, if it asks for a date, enter today's date. You will click Next until all 3 of the questions are answered Yes.
Then click Next one final time.
It will now take you to the final part of this form which is to confirm your compliance.
You need to scroll down the page and make sure every collapsible menu has been filled out. You will see a blue checkmark icon if it has already been filled out. If Merchant Executive Officer has a red X icon, for example, click on it to expand it and then enter your Job Title, as that information is missing. Once you add your Job Title, a blue checkmark icon will appear.
The final step is to click on the Attestation drop-down menu and select Confirm your Attestation.
It will take you back to the main screen and tell you "You're compliant", which is what you want to see.