PCI Tutorial

You, as the merchant account owner, must complete a PCI compliance Self Assessment Questionnaire (SAQ) once a year in order to be PCI compliant and avoid paying a monthly non-compliance fee. Even if you are not actively using eCatholic Payments at the moment, your CardConnect account is still subject to compliance. To get started with the SAQ, follow the instructions below.


Log into your CardPointe account. The person who was submitted as the signer on the merchant account during the application process must complete this PCI Compliance Questionnaire. That person received the CardPointe user account credentials.

NOTE: If an email was forwarded to you by the signer, the link will not work for you. The signer must add you to the CardPointe account before proceeding.


Once you are logged in, click on My Account. Under PCI Status, you can click on the hyperlink labeled Not Compliant (pictured below) in-line with your main Merchant ID.


After you click on Not Compliant, you will be redirected to the SecureTrust website to start the PCI Compliance process:


Begin by entering your Business Information and Primary Contact Information.

When you are done, click Next.


Then, you will be prompted to watch a short video about PCI Compliance (pictured below). When you are ready, click Start Business Profile to get started.


On this screen (pictured below), you can read the statement and click Next.


Choose Expert to begin the PCI Questionnaire. Click Next (pictured below).


Select Self Assessment Questionnaire (SAQ) A.

Click Next.


Service Providers

Select Yes

Multiple Acquirer

Select No

Select Next


Password Policy

Select Yes

Select Next.


Summary of how and where you handle card payments:

  • List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment:
    • Enter: Merchant is e-commerce and outsources all credit card processing.
  • Generally, how does your business store, process and/or transmit cardholder data? 
    • Enter: Merchant is e-commerce and outsources all credit card handling through a PSP.
  • Briefly describe the environment and/or systems covered by this assessment:
    • Enter: All processing is done through third-party software.

Then click Next.


Complete Security Assessment

You will then be directed to your dashboard (pictured below) to finish the second part.

To get started, click Manage.


Then select Answer now.


Notes about following this Tutorial

Some of the following questions have been answered for you. You can click Next through these. Use the following as a reference to answer the ones that have not been answered.

In these next sections, if you are asked to respond to a question that is not listed in this tutorial, go back and review your answers in the previous sections to make sure they match the responses we suggest here.

For your reference, the questions are also listed at the end of this tutorial.


Build and Maintain a Secure Network and Systems

Some of the questions have been answered for you.

Select Next.


Protect Account Data

3.1.1: Select Yes


3.2.1: Select N/A and enter Does not apply.

Select Finish.

All other questions in this section have been answered for you.

Select Next.


Maintain a Vulnerability Management Program

6.3.1: Select N/A and enter Does not apply.

Select Finish.

All other questions in this section have been answered for you.

Select Next.


Implement Strong Access Control Measures

8.3.5: Select Yes.

Select Finish.

8.3.7: Select Yes.


8.3.9: Select Yes, OR if you do use 2-factor authentication, you can select N/A and enter Does not apply.


Restrict Physical Access to Cardholder Data

9.4.1.1: Select N/A and enter Does not apply.

Select Finish.


All other questions in this section have been answered for you.

Select Next.


Maintain an Information Security Policy

12.8.1: Is a list of service providers maintained, including a description of the service(s) provided? Select Yes


12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment? Select Yes


12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? Select Yes


12.8.4: Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? Select Yes

  • Once you select Yes, you will see the date field pictured below.

  • This is the date you are completing the questionnaire. Today's date should auto-populate, so just click Finish.

12.8.5: Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Select Yes


12.10.1(a): Has an incident response plan been created to be implemented in the event of system breach? Select Yes


Completing the Compliance

When you are finished, select Confirm your compliance on the right side panel.

Complete the Merchant Executive Officer portion and then click the Confirm your attestation button.


Congratulations!

You are compliant for one year! CardConnect will start sending you reminders about 90 days out from your expiration date. Be sure to revisit this tutorial when that time comes!


Started but then Stopped?

If you started the process and did not finish, you will receive an email like the one below. We recommend accessing the PCI Compliance Questionnaire using the top link (CardPointe).


Summary of Questions With Preferred Responses

Below are the questions that were answered previously. These are just for your reference; no action is needed.

Build and Maintain a Secure Network and Systems

2.1(a): Are vendor-supplied defaults always changed before installing a system on the network?

    • Select N/A, type in 'does not apply', then select Finish

2.1(b): Are unnecessary default accounts removed or disabled before installing a system on the network? 

    • Select N/A, type in 'does not apply', then select Finish

Select Next.

Maintain a Vulnerability Management Program

6.2(a): Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

    • Select N/A, type in 'does not apply', then select Finish

6.2(b): Are critical security patches installed within one month of release?

    • Select N/A, type in 'does not apply', then select Finish

Select Next.

Implement Strong Access Control Measures

8.1.1: Are all users assigned a unique ID before allowing them to access system components or cardholder data? Select Yes

8.1.3: Is access for any terminated users immediately deactivated or removed? Select Yes

8.2: In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Select Yes

8.2.3(a): Are user password parameters configured to require passwords/passphrases meet the following? Select Yes

8.5: Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows: Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Select Yes

Select Next.


Restrict Physical Access to Cardholder Data

9.5: Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)?

For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.

    • Select N/A, enter does not apply in text box and then Finish

9.6(a): Is strict control maintained over the internal or external distribution of any kind of media?

    • Select N/A, enter does not apply in text box and then Finish

9.6.1: Is media classified so the sensitivity of the data can be determined?

    • Select N/A, enter does not apply in text box and then Finish

9.6.2: Is media sent by secured courier or other delivery method that can be accurately tracked?

    • Select N/A, enter does not apply in text box and then Finish

9.6.3: Is management approval obtained prior to moving the media (especially when media is distributed to individuals)?

    • Select N/A, enter does not apply in text box and then Finish

9.7: Is strict control maintained over the storage and accessibility of media?

    • Select N/A, enter does not apply in text box and then Finish

9.8(a): Is all media destroyed when it is no longer needed for business or legal reasons?

    • Select N/A, enter does not apply in text box and then Finish

9.8.1(a): Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?

    • Select N/A, enter does not apply in text box and then Finish

9.8.1(b): Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?

    • Select N/A, enter does not apply in text box and then Finish

Click Next.


Maintain an Information Security Policy

12.8.1: Is a list of service providers maintained, including a description of the service(s) provided? Select Yes

12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment? Select Yes

12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? Select Yes

12.8.4: Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? Select Yes

    • Once you select Yes, you will see the date field pictured below.

    • This is the date you are completing the questionnaire. Today's date should auto-populate, so just click Finish.

12.8.5: Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Select Yes

12.10.1(a): Has an incident response plan been created to be implemented in the event of system breach? Select Yes
