A guide to the PCI Self Assessment Questionnaire


What is PCI compliance?

PCI compliance refers to a set of data security standards, called PCI DSS (Payment Card Industry Data Security Standards), that apply to all organizations accepting, processing, storing, or transmitting cardholder data. These standards were developed to encourage the proper handling of sensitive data and deter fraud in the card payments ecosystem.

The main requirement for a business owner to prove compliance is completing the annual PCI Self Assessment Questionnaire (SAQ). If a business processes cards via the internet, it may also have to complete quarterly scans of its network.

The majority of the SAQ questions will be about your specific business's security practices; however, some will ask about your Point of Sale (POS) system's setup and security. This guide provides a walkthrough of how to complete your SAQ and scans, and gives the answers to questions that are specific to your processing and CCI setup.

How do I start?

Paystri has partnered with SecureTrust to provide you with the tools to complete the SAQ online, as well as to schedule any necessary scans. You should receive an email when it's time to attest to your annual compliance. You will need to log in to the SecureTrust Portal.

If this is your first time completing your PCI SAQ, you will need to complete your business profile. You only need to do this once: the information is saved for next year, and you can simply update it if something has changed.

Select Manage in the business profile section to begin.

You will be taken to a page detailing next steps. Click Next until you are asked to pick an assessment method. Choose Guide Me then click Next.

You will need to select the ways you accept credit card payments. For CCI kiosks or card swipers on laundry machines, you will always select "My business has a physical location". If you have a setup to refill cards online, you should also choose "My business has a website".

The CCI point of sale does not store any credit card data. When you are asked if your business stores any sensitive credit card data electronically, answer based on your specific business practices. 

Processing Method

When you are asked to select your processing method, choose Payment Application.

When you are asked what your payment application is, type Card Concepts Inc into the Filter bar. A link to add your own will appear. Type Card Concepts Inc in the bar below the link and then select Next. (Important: the text box may not have a visible outline. Click in the area below the link and a cursor will appear so you can type.)

The next several questions will pertain to your specific business and practices. 

A summary of how and where you handle card payments

When you arrive at the summary page, hover over the blue question marks for additional details on each description box. See below for some examples of what information to include. 

The next several questions will pertain to your specific network and firewall security. If you are unsure of your settings, we recommend confirming them with your IT or internet provider. If you need clarification on a question, hover over the blue question mark for more details. You can also use the live chat function on the left-hand side of the browser, or call SecureTrust at 1-800-363-1621 for assistance.

Wireless connectivity and Encryption questions

When you are asked whether any of your POS devices connect to your network using Wi-Fi, the answer is No unless you are using the FASCARD system from CCI with swipers on your washers and dryers. Those swipers connect via Wi-Fi.

When you are asked the encryption questions that follow, the answer is Yes for your CCI point of sale equipment.

Third Party Responsibility Questions

CCI and its distributors are considered your third-party reseller or integrator. The answer to the following third-party questions is Yes.

CCI and its distributors ensure that all of the statements below about securely configuring your POS equipment are true, so you can check off all four.

The next several questions will pertain to your computers and anti-virus protections. If you are unsure of your settings, we recommend confirming them with whoever manages your IT. If you need clarification on a question, hover over the blue question mark for more details. You can also use the live chat function on the left-hand side of the browser, or call SecureTrust at 1-800-363-1621 for assistance.

Third Party Management of your POS

CCI and its distributors are considered your third-party reseller or integrator. The answer to whether a third party manages or services your POS equipment is Yes.

When asked if the management is done remotely, select Yes, this management is done remotely over the internet.

When asked about the secure techniques used to safeguard remote management, select: Strong encryption is used to secure the communication.

When asked about vendor-supplied security patches for your point of sale, select: My vendor or reseller handles this.

The rest of the questions will be about your specific business practices, computer use and security, physical security, and employee security training. If you need clarification on a question, hover over the blue question mark for more details. You can also use the live chat function on the left-hand side of the browser, or call SecureTrust at 1-800-363-1621 for assistance.

Completing your Security Assessment Questionnaire

The answers you provide on the business profile will determine which Self Assessment Questionnaire (SAQ) you need to complete. The answers you have already provided are used to fill out the SAQ as thoroughly as possible, though there are likely to still be a handful of questions you will need to answer.

On your dashboard, under the Complete security assessment section, select Manage, then choose Answer Now. 

Storing authentication or cardholder data questions

There will likely be several questions asking for confirmation that your equipment does not store authentication or cardholder data. Answer Yes to these. Your CCI equipment does not store any sensitive data after authorization.

The rest of the questions will be about your specific business practices, computer use and security, and physical security. If you need clarification on a question, there will be a blue information box with additional details. You can also use the live chat function on the left-hand side of the browser, or call SecureTrust at 1-800-363-1621 for assistance.

Once you have completed the SAQ, you will need to attest to your compliance. Select: Confirm your attestation. 

Schedule your Scan

Once your SAQ has been attested to, your final step is to set up any required security scans. Required scans need to be completed every three months to maintain your compliance.

Under the Run a Network Perimeter Scan section, click Manage.

Select Schedule Scan, then enter your business's IP address. If you are completing the survey on a computer on your business's network, you can use the IP address that the tool shows you. If not, you can find your IP address by searching for "What's my IP" on a computer that is using your business's network. Select a date and time for the scan, scroll down, click the box to confirm, and select Schedule Scan.