Attestation of Compliance, SAQ A

Instructions for Submission

The merchant must complete this Attestation of Compliance as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Complete all applicable sections and refer to the submission instructions at "PCI DSS Compliance Completion Steps" in this document.

Part 1. Merchant and Qualified Security Assessor Information

Part 1a. Merchant Organization Information

    PaySimple note: Enter your company information in this section.

    Company Name:      Sample Company           DBA(s):
    Contact Name:      John Smith               Title:     CEO
    Telephone:         303-555-1212             E-mail:    john@samplecompany.com
    Business Address:  123 Any St.              City:      Denver
    State/Province:    CO                       Country:   USA
    ZIP:               80202                    URL:       www.samplecompany.com

Part 1b. Qualified Security Assessor Company Information (if applicable)

    PaySimple note: This section is left blank, because you are completing the questionnaire yourself.

    Company Name:
    Lead QSA Contact Name:                      Title:
    Telephone:                                  E-mail:
    Business Address:                           City:
    State/Province:                             Country:
    ZIP:                                        URL:

Part 2. Type of merchant business (check all that apply):

    [ ] Retailer             [ ] Telecommunication      [ ] Grocery and Supermarkets
    [ ] Petroleum            [ ] E-Commerce             [ ] Mail/Telephone-Order
    [ ] Others (please specify):

    PaySimple note: Check "Mail/Telephone-Order" if you have a MOTO merchant account.

    List facilities and locations included in PCI DSS review:
        123 Any St., Denver CO 80202

    PaySimple note: Enter the address listed above, and the address of any other office location where you process credit cards.

Part 2a. Relationships

    Does your company have a relationship with one or more third-party agents (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?    Yes / No
        PaySimple note: Click "Yes" here to disclose your relationship with PaySimple.

    Does your company have a relationship with more than one acquirer?    Yes / No
        PaySimple note: Click "No" here if your merchant account with PaySimple is the only one you have.

PCI DSS SAQ A, v2.0, Attestation of Compliance, October 2010. Copyright 2010 PCI Security Standards Council LLC. Page 1

Part 2b. Eligibility to Complete SAQ A

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:

    [ ] Merchant does not store, process, or transmit any cardholder data on merchant systems or premises but relies entirely on third party service provider(s) to handle these functions;
        PaySimple note: If you enter all transactions directly into PaySimple, you can check this box.

    [ ] The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant;
        PaySimple note: PaySimple is PCI compliant, so you can check this box.

    [ ] Merchant does not store any cardholder data in electronic format; and

    [ ] If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.
        PaySimple note: This box must be checked in order to submit the form. If you feel you can't check it, contact us.

Part 3. PCI DSS Validation

Based on the results noted in the SAQ A dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):

    [ ] Compliant: All sections of the PCI SAQ are complete, and all questions answered "yes," resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.

    [ ] Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered "no," resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.

        Target Date for Compliance:

        An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.

Part 3a. Confirmation of Compliant Status

    PaySimple note: You must check all 3 of these boxes to confirm that you are compliant, that you have answered all questions honestly, and that you will remain compliant.

    Merchant confirms:

    [ ] PCI DSS Self-Assessment Questionnaire A, Version (SAQ version #), was completed according to the instructions therein.
    [ ] All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
    [ ] I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

Part 3b. Merchant Acknowledgement

    PaySimple note: Make certain an owner or officer signs and dates the form.

    Signature of Merchant Executive Officer:                       Date:   04/15/2011
    Merchant Executive Officer Name:   John Smith                  Title:  CEO
    Merchant Company Represented:      Sample Company

Part 4. Action Plan for Non-Compliant Status

Please select the appropriate Compliance Status for each requirement. If you answer "NO" to any of the requirements, you are required to provide the date Company will be compliant with the requirement and a brief description of the actions being taken to meet the requirement. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.

    PCI DSS Requirement   Description of Requirement                                                Compliance Status (Select One)   Remediation Date and Actions (if Compliance Status is "NO")
    9                     Restrict physical access to cardholder data                               YES / NO
    12                    Maintain a policy that addresses information security for all personnel   YES / NO

    PaySimple note: You should check "Yes" for both these questions to certify compliance. If you feel you need to check "No", please contact us. Do not submit the form.

Self-Assessment Questionnaire A

Date of Completion: 04/15/2011
    PaySimple note: Don't forget to enter the date you completed the form.

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

Implement Strong Access Control Measures

Requirement 9: Restrict physical access to cardholder data

    PCI DSS Question                                                                                       Response: Yes / No / Special*
    9.6     Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
            For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
    9.7     (a) Is strict control maintained over the internal or external distribution of any kind of media?
            (b) Do controls include the following:
    9.7.1   Is media classified so the sensitivity of the data can be determined?
    9.7.2   Is media sent by secured courier or other delivery method that can be accurately tracked?        N/A
    9.8     Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
    9.9     Is strict control maintained over the storage and accessibility of media?
    9.10    Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows:
    9.10.1  (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
            (b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a to-be-shredded container has a lock preventing access to its contents.)

    * Special: Not Applicable (N/A) or Compensating Control Used. Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.

    PaySimple note: For each of these questions, enter ONLY ONE answer: Yes, or N/A. If you enter N/A you will need to provide an explanation on the last page of the form. If you feel you need to check "No", please contact us for assistance; do not submit the form. If you need an explanation of what each question means, use the help icons in the .pdf form you downloaded.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

    PCI DSS Question                                                                                       Response: Yes / No / Special*
    12.8    If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows?
    12.8.1  Is a list of service providers maintained?
    12.8.2  Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess?
    12.8.3  Is there an established process for engaging service providers, including proper due diligence prior to engagement?
    12.8.4  Is a program maintained to monitor service providers' PCI DSS compliance status?

    PaySimple note: PaySimple is your Service Provider, and by processing credit card transactions via our system, you do share cardholder information with us. Thus you should not enter N/A for any of these questions. If you have the appropriate policy in place, check "Yes" for each of the questions. If you feel you need to check "No", please contact us for assistance; do not submit the form. If you need an explanation of what each question means, use the help icons in the .pdf form you downloaded. You can download a security policy template from our website.

Appendix D: Explanation of Non-Applicability

If "N/A" or "Not Applicable" was entered in the Special column, use this worksheet to explain why the related requirement is not applicable to your organization.

    Requirement       Reason Requirement is Not Applicable
    Example: 12.8     Cardholder data is never shared with service providers.
    9.7.2             Cardholder data is never transported via courier.

    PaySimple note: As we entered N/A for question 9.7.2 above, we enter that number in the Requirement field, and a short explanation of why the question is not applicable to our organization.

    PaySimple note: Please print and fax ALL pages to PaySimple at 303-395-1437 after you have filled it out completely and had it signed by an officer. Thank you!