Section 1: Assessment Information


Instructions for Submission
Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).

Part 1. Merchant and Qualified Security Assessor Information

Part 1a. Merchant Organization Information
Company Name: Sample Company, Inc.
DBA(s): The Sample Company
Contact Name: Sam Pell
Title: Owner
Telephone: 303-555-1234
E-mail: spell@sampleco.com
Business Address: 123 Any St.
City: Denver
State/Province: CO
Country: USA
Zip: 80202
URL: www.samplecompany.com

Part 1b. Qualified Security Assessor Company Information (if applicable)

Part 2. Executive Summary

Part 2a. Type of Merchant Business (check all that apply)
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.

PCI DSS SAQ A, v3.0, Section 1: Assessment Information, February 2014. 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 1

Part 2b. Description of Payment Card Business
We use the PCI Compliant PaySimple service for credit card processing, transmission, and storage. We also store cardholder data on paper authorization forms, which are kept in a locked file drawer with access granted on a business-need basis only.

Part 2c. Locations
Type of facility: Office
Location(s) of facility (city, country): Denver, CO USA

Part 2d. Payment Application
Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment (high-level)
For example: connections into and out of the cardholder data environment (CDE); critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Desktop/Laptop Computers connect via the Internet to the PCI Compliant PaySimple service for processing credit card transactions. A locked file drawer with business-need-to-know access is used to store paper recurring billing authorization forms that contain cardholder data.
(Refer to the Network Segmentation section of PCI DSS for guidance on network segmentation.)

Part 2f. Third-Party Service Providers
If Yes:
Name of service provider: PaySimple, Inc.
Description of services provided: Payment Processing
Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Eligibility to Complete SAQ A
Additionally, for e-commerce channels:

Section 2: Self-Assessment Questionnaire A
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS document.
Self-assessment completion date:

Requirement 9: Restrict physical access to cardholder data
For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

PCI DSS SAQ A, v3.0, Section 2: Self-Assessment Questionnaire, February 2014. 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 4


Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel
Don't Have a Security Policy? Click Here to Download a Template.
Note: For the purposes of Requirement 12, "personnel" refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are resident on the entity's site or otherwise have access to the company's cardholder data environment.
Mouse over the help icons for a detailed explanation of each question.
Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Expected Testing: Observe processes; review policies and procedures and supporting documentation.

Is a program maintained to monitor service providers' PCI DSS compliance status at least annually?
Expected Testing: Observe processes; review policies and procedures and supporting documentation.


Appendix C: Explanation of Non-Applicability
If the N/A (Not Applicable) column was checked in the questionnaire, use this worksheet to explain why the related requirement is not applicable to your organization.
Requirement | Reason Requirement is Not Applicable
9.6.2 | Cardholder data is never transported via courier.
As we entered N/A for question 9.6.2 above, we enter that number in the "Requirement" field, and in the "Reason..." field we provide a short explanation of why the question is not applicable to our organization.

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation
(completion date) (date) (check one):
Check the "Compliant" box. If for any reason you feel you cannot check this box, do not submit the form; contact us for assistance.
Compliant: COMPLIANT (Merchant Company Name)
Non-Compliant: NON-COMPLIANT (Merchant Company Name). Target Date: (check with your acquirer or the payment brand(s) before completing Part 4.)
Compliant but with Legal exception: If checked, complete the following: Affected Requirement | Details of how legal constraint prevents requirement being met
Check each box. If for any reason you feel you cannot check all boxes, do not submit the form; contact us for assistance.

Part 3a. Acknowledgement of Status
Signatory(s) confirms: (Check all that apply)
(version of SAQ)
Mouse over the help icon for a detailed explanation of each item.

PCI DSS SAQ A, v3.0, Section 3: Validation and Attestation Details, February 2014. 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 11

Part 3a. Acknowledgement of Status
Leave this box unchecked. PaySimple SAQ A merchants are not required to do ASV scans. (ASV Name)
Check this box. PaySimple's PCI Compliance certification means that an independent third party has verified that there is no evidence of full track data, CAV2, CVC2, CID, CVV2, or PIN data stored on our system after authorization.

Part 3b. Merchant Attestation
Have the Authorized Signer for your NPC Merchant Services Agreement digitally sign here, and enter date, name, and title.
Signature of Merchant Executive Officer: Sam Pell
(Digitally signed by Sam Pell. DN: cn=sam Pell, o=sample Company, ou=owner, email=spell@sampleco.com, c=us. Date: 2015.01.21 13:18:57-07'00')
Merchant Executive Officer Name: Sam Pell
Date: 01/21/2015
Title: Owner

Part 3c. QSA Acknowledgement (if applicable)
As you completed this form yourself, leave this section blank.
Signature of QSA | Date | QSA Name | QSA Company

Part 3d. ISA Acknowledgement (if applicable)
As a small business, you will not have an Internal Security Assessor (ISA). Leave this section blank.
Signature of ISA | ISA Name | Date | Title

Part 4. Action Plan for Non-Compliant Requirements
Check "yes" for both sections to indicate that you are compliant. If for any reason you feel you cannot check yes, do not submit the form; contact us for assistance.
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (YES / NO) | Remediation Date and Actions
Save the completed and digitally signed form to your computer. Then click this button to go to the PaySimple Support Center, where you can securely upload the form.