PCI Tutorial
You, as the merchant account owner, must complete a PCI compliance Self-Assessment Questionnaire (SAQ) once a year in order to be PCI compliant and avoid paying a monthly non-compliance fee. Even if you are not actively using eCatholic Payments at the moment, your CardConnect account is still subject to compliance. To get started with the SAQ, follow the instructions below.
Log into your CardPointe account. The person who was submitted as the signer on the merchant account during the application process must complete this PCI Compliance Questionnaire. They have received the CardPointe user account credentials.
*If an email was forwarded to you by the signer, the link will not work for you. The signer must add you to the CardPointe account before proceeding.*
Once you are logged in, click on "My Account". Under PCI Status, you can click on the hyperlink labeled "Not Compliant" (pictured below) in-line with your main Merchant ID.
After you click on "Not Compliant", you will be redirected to the SecureTrust website to start the PCI Compliance process:
Begin by entering your Business Information and Primary Contact Information.
When you are done, click Next.
Then, you will be prompted to watch a short video about PCI Compliance (pictured below). When you are ready, click Start Business Profile to get started.
On this screen (pictured below), you can read the statement and click Next.
Choose Expert to begin the PCI Questionnaire. Click Next (pictured below).
Select Self-Assessment Questionnaire (SAQ) A:
Click Next
- Service Providers: Select Yes
- Multiple Acquirer: Select No
Select Next
- Password Policy: Select Yes
Select: Next
Summary of how and where you handle card payments:
List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment:
- Enter: "Merchant is e-commerce and outsources all credit card processing".
Generally, how does your business store, process and/or transmit cardholder data?
- Enter: "Merchant is e-commerce and outsources all credit card handling through a PSP".
Briefly describe the environment and/or systems covered by this assessment:
- Enter: "All processing is done through third-party software."
Then click Next.
You will then be directed to your dashboard (pictured below) to finish the second part:
Complete Security Assessment:
To get started, click Manage and then select Answer now:
Some of the following questions have been answered for you. You can click Next through those, but use the following to answer the ones that have not.
For your reference, they are also listed below at the end of this tutorial.
Build and Maintain a Secure Network and Systems: Some of the questions have been answered for you.
Select: Next
Protect Account Data:
3.1.1: Select Yes
3.2.1: Select N/A and enter "Does not apply"
Select: Finish
All other questions in this section have been answered for you. Select: Next
Maintain a Vulnerability Management Program:
6.3.1: Select N/A and enter "Does not apply"
Select: Finish
All other questions in this section have been answered for you. Select: Next
Implement Strong Access Control Measures:
8.3.5: Select: Yes
Select: Finish
8.3.7: Select: Yes
8.3.9: Select: Yes OR, if you do use 2-factor authentication, you can select N/A and enter "Does not apply".
9.4.1.1: Select N/A and enter "Does not apply"
Select: Finish
All other questions in this section have been answered for you. Select: Next
Maintain an Information Security Policy:
All questions in this section have been answered for you. Select: Next
When you are finished, select “Confirm your compliance” on the right side panel.
Complete the “Merchant Executive Officer” portion and then click “Confirm your attestation” button.
Congrats! You are compliant for 1 year! CardConnect will start sending you reminders about 90 days out from your expiration date. Be sure to revisit this tutorial when that time comes!
If you started the process and did not finish, you will receive an email like the one below. We recommend accessing the PCI Compliance Questionnaire using the top link (CardPointe).
Below are the questions that were answered previously. These are just for your reference, no action is needed.
Build and Maintain a Secure Network and Systems
2.1(a): Are vendor-supplied defaults always changed before installing a system on the network?
- N/A and type in 'does not apply', then select Finish
2.1(b): Are unnecessary default accounts removed or disabled before installing a system on the network?
- N/A and type in 'does not apply', then select Finish
Select Next
Maintain a Vulnerability Management Program
6.2(a): Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
- N/A and type in 'does not apply', then select Finish
6.2(b): Are critical security patches installed within one month of release?
- N/A and type in 'does not apply', then select Finish
Select Next
Implement Strong Access Control Measures
8.1.1: Are all users assigned a unique ID before allowing them to access system components or cardholder data? Select Yes
8.1.3: Is access for any terminated users immediately deactivated or removed? Select Yes
8.2: In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Select Yes
8.2.3(a): Are user password parameters configured to require passwords/passphrases meet the following? Select Yes
8.5: Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows: Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Select Yes
Select Next
Restrict physical access to cardholder data
9.5: Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?
For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.6(a): Is strict control maintained over the internal or external distribution of any kind of media?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.6.1: Is media classified so the sensitivity of the data can be determined?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.6.2: Is media sent by secured courier or other delivery method that can be accurately tracked?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.6.3: Is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.7: Is strict control maintained over the storage and accessibility of media?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.8(a): Is all media destroyed when it is no longer needed for business or legal reasons?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.8.1(a): Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
- Select N/A, enter ‘does not apply’ in text box and then Finish
9.8.1(b): Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
- Select N/A, enter ‘does not apply’ in text box and then Finish
Click Next
Maintain an Information Security Policy:
12.8.1: Is a list of service providers maintained, including a description of the service(s) provided? Select Yes
12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment? Select Yes
12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? Select Yes
12.8.4: Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? Select Yes
- Once you select Yes, you will see this below:
- This is the date you are completing the questionnaire. Today's date should auto-populate so just click Finish.
12.8.5: Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Select Yes
12.10.1(a): Has an incident response plan been created to be implemented in the event of system breach? Select Yes